Domain Spoof Test (DST)

Domain Spoof Test (DST) Product Manual

To learn more about this product, read the tutorial below.

Important: If you are a current KnowBe4 customer, please use our Mailserver Security Assessment tool. For more information, see our Mailserver Security Assessment Product Manual article.

What Is the Domain Spoof Test?

The Domain Spoof Test (DST) is a free tool that determines if your email address is vulnerable to spoofing.

Using this test will increase your organization's awareness by letting you know if your domain is susceptible to spoofing and, therefore, vulnerable to CEO fraud and other spear phishing attacks using your domain.

This information can empower you to enhance your internal security measures by training your users to detect spear-phishing attacks.

How Does the DST Work?

To get started, sign up for a test on our Domain Spoof Test page. You will need a valid email address from the domain of your organization.

We will send you an email to schedule your DST, which will attempt to spoof your domain by sending you an email from the email address you provided when signing up for the test.

If you do not receive the email or the email is sent to your spam or junk folder, your Sender Policy Framework (SPF) is working properly to detect and block email spoofing. However, if you receive the email in your inbox, your domain is vulnerable to domain spoofing.

The DST's current IP range will only pass an SPF configuration. The SPF records will indicate whether the allowed domain IP range is within KnowBe4's IP range. If the SPF is within our allowed domain IP range, the SPF will be marked as a pass.

The DST will not pass DMARC-SPF checks because of the format of the return headers. If the DMARC-SPF is used to check for no SPF record or an SPF record that is set to ? or ~, you will pass the DMARC-SPF check if there is a valid SPF record. If the SPF record is set to fail, then DMARC-SPF will fail.

Analyzing Your Results

If you have failed a Domain Spoof Test, we recommend that you implement and verify SPF and train your users with security awareness training to help secure your domain.

Note: As of April 2023, Microsoft no longer supports Exchange 2013. For more information, see the Exchange 2013 end of support roadmap article from Microsoft.

To implement and verify SPF:

  1. Implement SPF. For instructions on implementing SPF, see DigitalOcean's How To Use an SPF Record to Prevent Spoofing & Improve E-mail Reliability article.
  2. Verify that the SPF has been implemented with an SPF Record Test Tool.
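
To complement the verification step and the ?, ~ and fail settings described earlier, the following added example (not KnowBe4's code or part of the original manual) evaluates an SPF record offline for a given sender IP. The records and the 203.0.113.25 sender address are constructed placeholders from documentation ranges, and only the ip4, ip6 and all terms are evaluated; terms that need DNS are reported as skipped.

```python
import ipaddress

# SPF qualifier characters and the result each one produces (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate one SPF TXT record against a sender IP without DNS.

    Returns (result, skipped). Only ip4, ip6 and all are evaluated; terms
    that need DNS (include, a, mx, redirect=...) are listed in skipped, so
    a non-empty skipped list means the result is incomplete.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", []  # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for term in terms[1:]:
        # A missing qualifier defaults to "+" (pass).
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = body.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], skipped
        if name in ("ip4", "ip6") and arg:
            # Membership is False when the address families differ.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier], skipped
        else:
            skipped.append(term)
    return "neutral", skipped  # nothing matched and there is no "all" term


if __name__ == "__main__":
    tester_ip = "203.0.113.25"  # constructed stand-in for a test sender
    samples = [  # constructed records, not real published policies
        "v=spf1 ip4:192.0.2.0/24 -all",
        "v=spf1 ip4:192.0.2.0/24 ~all",
        "v=spf1 ip4:192.0.2.0/24 ?all",
        "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.0/24 -all",
        "v=spf1 include:_spf.example.net -all",
    ]
    for rec in samples:
        result, skipped = evaluate_spf(rec, tester_ip)
        print(f"{result:9} skipped={skipped} {rec}")
```

Only the record ending in -all yields fail for an unlisted sender; the ~all and ?all records yield softfail and neutral, and the record that lists the sender's range yields pass.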

Microsoft has its own version of SPF called “Sender ID”. To configure SPF for different environments, see the list below:
