See how easy it is to spoof an email. Then fix it.
The first vulnerability is rarely the last.
Probe MX, SPF, DKIM, and DMARC records for any domain. Instantly see what protections are missing.
Tests mail server connectivity before sending. Know if port 25 is open and the target MX is reachable.
Deliver emails with custom From, Envelope-From, Subject, HTML body, and file attachments via raw SMTP.
Embeds a 1x1 tracking pixel. Know exactly if and when the recipient opens your test email.
Real-time activity feed showing sends, deliveries, and opens as they happen.
Python 3.6+ standard library only. No pip install, no Docker, no build step. One file, one command.
Set your spoofed From address, recipient, subject, and HTML body. Attach a PDF if you want. The live preview shows exactly what the recipient will see.
Run a DNS preflight check to analyze the target domain's email protections. See SPF, DKIM, and DMARC status at a glance. Then send.
Track whether the email was delivered and opened. The dashboard shows real-time events with timestamps. If it landed, the domain needs work.
Short answer: yes. And it's way easier than most people think.
Email was designed in the 1980s. The protocol that sends your messages (SMTP) has no built-in way to verify who's actually sending. It's like mailing a letter — you can write any return address you want on the envelope. The post office doesn't check.
Over the years, three systems were created to fix this: SPF, DKIM, and DMARC. They work by adding special DNS records that tell receiving servers how to verify who's allowed to send email for a domain.
The problem? Millions of domains still haven't set these up. Or they've set them up wrong. Or they've set them to "monitor only" instead of "reject." That means anyone with basic tools can send email that looks like it came from those domains.
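To make the "monitor only" versus "reject" distinction concrete, here is an added example (not Spoofy's own code) that grades SPF and DMARC TXT record strings the way a domain owner would when auditing their own DNS. The grade labels, function names, and sample records are assumptions made for this illustration; the records are constructed and no DNS lookup is performed.

```python
import re

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_dmarc(record):
    """Return 'missing', 'monitor-only', 'partial' or 'enforced'."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return "monitor-only"   # p=none, or an absent/invalid p: nothing is blocked
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if policy == "quarantine" or pct < 100:
        return "partial"        # failing mail is junked, or only a share is covered
    return "enforced"           # p=reject applied to all failing mail

def grade_spf(record):
    """Classify an SPF record by the qualifier on its 'all' mechanism."""
    terms = (record or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return "missing"
    for term in terms[1:]:
        match = re.fullmatch(r"([+?~-]?)all", term)
        if match:
            grades = {"-": "hardfail", "~": "softfail", "?": "neutral"}
            return grades.get(match.group(1), "pass-all")
    if any(t.startswith("redirect=") for t in terms[1:]):
        return "delegated"      # policy lives in another domain's record
    return "neutral"            # no 'all' term: the default result is neutral

# Constructed sample records (placeholders, not taken from any real domain).
SAMPLES = {
    "strict.example": ("v=spf1 include:_spf.strict.example -all", "v=DMARC1; p=reject"),
    "watching.example": ("v=spf1 mx ~all", "v=DMARC1; p=none; rua=mailto:d@watching.example"),
    "rollout.example": ("v=spf1 mx -all", "v=DMARC1; p=reject; pct=25"),
    "bare.example": (None, None),
}

def audit(samples=SAMPLES):
    """Map each domain to its (SPF grade, DMARC grade) pair."""
    return {d: (grade_spf(s), grade_dmarc(m)) for d, (s, m) in samples.items()}
```

Anything short of `enforced` on the DMARC side means a receiver is not instructed to reject mail that fails authentication, which is the gap the paragraph above describes.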
Spoofy doesn't exploit anything. It doesn't hack into anyone's account. It simply does what any attacker could already do — connect to a mail server and say "hi, I'm sending on behalf of example.com." If the receiving server accepts it, that's the vulnerability.
If Spoofy can send an email as your domain, so can anyone else. That's the point.
No dependencies. No configuration. No containers.