Espoofer  is an open-source testing tool to bypass SPF, DKIM, and DMARC authentication in email systems. It helps mail server administrators and penetration testers to check whether the target email server and client are vulnerable to email spoofing attacks or can be abused to send spoofing emails.

Why build this tool?

Email spoofing is a big threat to both individuals and organizations (Yahoo breach, John podesta). To address this problem, modern email services and websites employ authentication protocols — SPF, DKIM, and DMARC — to prevent email forgery.

Our latest research shows that the implementation of those protocols suffers a number of security issues, which can be exploited to bypass SPF/DKIM/DMARC protections. Figure 1 demonstrates one of our spoofing attacks to bypass DKIM and DMARC in Gmail. For more technical details, please see our Black Hat USA 2020 talk (with presentation video) or USENIX security 2020 paper.

  • Black Hat USA 2020 slides (PDF): You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication
  • USENIX security 2020 paper (PDF): Composition Kills: A Case Study of Email Sender Authentication
    • Distinguished Paper Award Winner

In this repo, we summarize all test cases we found and integrate them into this tool to help administrators and security-practitioners quickly identify and locate such security issues.Please use the following citation if you do scentific research (Click me).


  • Download this tool

git clone

  • Install dependencies

sudo pip3 install -r requirements.txt


espoofer has three work modes: server (‘s’, default mode), client (‘c’) and manual (‘m’). In server mode, espoofer works like a mail server to test validation in receiving services. In client mode, espoofer works as an email client to test validation in sending services. Manual mode is used for debug purposes.

Server mode

To run espoofer in server mode, you need to have: 1) an IP address (, which outgoing port 25 is not blocked by the ISP, and 2) a domain (

Domain configuration

  • Set DKIM public key for TXT  “v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNjwdrmp/gcbKLaGQfRZk+LJ6XOWuQXkAOa/lI1En4t4sLuWiKiL6hACqMrsKQ8XfgqN76mmx4CHWn2VqVewFh7QTvshGLywWwrAJZdQ4KTlfR/2EwAlrItndijOfr2tpZRgP0nTY6saktkhQdwrk3U0SZmG7U8L9IPj7ZwPKGvQIDAQAB”

Set SPF record for TXT “v=spf1 ip4: +all”

Configure the tool in

config ={
“attacker_site”: b””, #
“legitimate_site_address”: b””, #
“victim_address”: b””, #
“case_id”: b”server_a1″, # server_a1

You can list find the case_id of all test cases using -l option:

python3 -l

You can change case_id in the or use -id option in the command line to test different cases:

python3 -id server_a1

Client mode

To run epsoofer in client mode, you need to have an account on the target email services. This attack exploits the failure of some email services to perform sufficient validation of emails received from local MUAs. For example, tries to impersonate

  1. Configure the tool in

config ={
“legitimate_site_address”: b””,  
“victim_address”: b””,
“case_id”: b”client_a1″,
“client_mode”: {
“sending_server”: (“”, 587),  # SMTP sending serve ip and port
“username”: b””, # Your account username and password
“password”: b”your_passward_here”,

You can list find the case_id of all test cases using -l option:

python3 -l

Note: sending_server should be the SMTP sending server address, not the receiving server address.

  1. Run the tool to send a spoofing email

python3 -m c

You can change case_id in the and run it again, or you can use -id option in the command line:

python3 -m c -id client_a1

Manual mode

Here is an example of manual mode:

python3 -m m -helo -mfrom -rcptto -data raw_msg_here -ip -port 25


  1. A brief overview of test cases.