Litcius/Paper detail

Measuring email sender validation in the wild

Casey T. Deccio, Tarun Yadav, Nathaniel Bennett, Alden Hilton, Michael P. A. Howe, Tanner Norton, Jacob A. Rohde, Eunice Tan, Bradley J. Taylor

202118 citationsDOI

Abstract

Email is a critical Internet application, and its security is important. The Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) were developed to enable mail servers to detect and reject email coming from fraudulent sources. In this paper we study the state of SPF, DKIM, and DMARC validation across a large number of mail servers, the first such study at scale that we know of. We consider two behaviors of sender-validating mail servers: behavior when an email with a valid sender is received and behavior when an email from a invalid sender is received. Our techniques allow us to elicit SPF, DKIM, and DMARC validation behavior of the servers without spam. We find that as many as 85% of mail servers are deploying SPF validation, and over half are deploying all three mechanisms: SPF, DKIM, and DMARC. We also observe there are some nuanced behaviors with regard to adherence to the SPF specification.

Topics & Concepts

Communication sourceServerComputer scienceEmail authenticationThe InternetElectronic mailComputer securityAuthentication (law)World Wide WebComputer networkAuthentication protocolMulti-factor authenticationInternet Traffic Analysis and Secure E-votingSpam and Phishing DetectionNetwork Security and Intrusion Detection