Researchers at the Berlin Institute for the Foundations of Learning and Data (BIFOLD) at TU Berlin have found several weaknesses in Sender Policy Framework (SPF) records, a cornerstone of protecting email users from forged senders. The analysis is based on the SPF records of 12 million domains and finds that one third of these records permit very large IP address spaces, that is, a lax SPF configuration. The paper "Lazy Gatekeepers: A Large-Scale Study on SPF Configuration in the Wild" was presented at the ACM Internet Measurement Conference 2023 in Montreal.
Electronic mail, or email for short, is still the most popular form of Internet communication. Sending and receiving email is realized on top of the classic Simple Mail Transfer Protocol (SMTP). Standardized in 1982, this protocol was designed without built-in mechanisms to ensure the confidentiality of transmitted messages or to verify the authenticity of senders. In 2003, the Sender Policy Framework (SPF) was introduced to address the latter problem. A domain publishes an SPF record in DNS that lists the servers authorized to send email on its behalf; a receiving server compares the IP address of the connecting client with the record of the domain given in the SMTP envelope sender (MAIL FROM) and thereby mitigates email spoofing and phishing. SPF does not cover the From header that users see in their mail client; that gap is closed only in combination with DMARC's alignment check. SPF is one of the oldest and most widely used email security mechanisms, compared with the more recent DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
The BIFOLD study reveals growing adoption of SPF on the Internet, with 56.5% of the domains providing SPF records, underlining its importance for email security. On the other hand, the scientists discovered several security issues. Around 2.9% of SPF records contain syntax errors, undefined content, or ineffective rules that undermine the intended protection. In addition, a significant number of domains have very permissive SPF configurations: 34.7% of the SPF-publishing domains allow email to be sent from more than 100,000 IP addresses, which makes it easier for malicious actors to spoof senders and conduct phishing. An email claiming to come from one of these domains can originate from any of more than 100,000 hosts and still pass the SPF check, making it hard to distinguish legitimate from harmful sources.
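Both findings, syntactically broken records and records that authorize an enormous address space, can be checked mechanically. The following Python script is an added example and not code from the paper or from BIFOLD: it parses SPF records taken from a constructed local table (the domain names and records are made up; include: and redirect= targets are resolved from that table instead of DNS so the script runs offline), counts the IPv4 addresses a record authorizes through ip4: terms, and flags the record as permissive when that count exceeds the paper's 100,000-address cut-off or when the record ends in +all or ?all. The issue messages, the function names and the handling of DNS-dependent mechanisms (a, mx, ptr and exists are accepted but not expanded, so the count is a lower bound) are this example's own choices.

```python
import ipaddress
import re

# Constructed sample zone (not data from the paper). "include:" and "redirect="
# targets are resolved from this table instead of DNS so the check runs offline.
SPF_RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/28 -all",
    "lax.example": "v=spf1 ip4:10.0.0.0/8 include:_spf.provider.example ~all",
    "_spf.provider.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "broken.example": "v=spf1 ip4:198.51.100.0/33 foo:bar +all",
}

# RFC 7208 term syntax: optional qualifier, mechanism name, optional argument
# introduced by ":" (or "/" for a dual-CIDR length on a and mx).
TERM_RE = re.compile(
    r"^([+\-~?]?)(all|ip4|ip6|a|mx|ptr|exists|include)(?:[:/](\S+))?$", re.I
)
LAX_THRESHOLD = 100_000  # the paper's cut-off for a "very large" address space
MAX_DEPTH = 10           # RFC 7208 caps DNS-querying terms at 10 per evaluation


def _absorb(result, domain, target, records, depth):
    """Fold the address space and issues of an included/redirected record in."""
    if depth >= MAX_DEPTH:
        result["issues"].append(f"{domain}: include/redirect nesting too deep at {target}")
        return
    sub = evaluate_spf(target, records, depth + 1)
    result["ip4_count"] += sub["ip4_count"]
    result["ip6_networks"] += sub["ip6_networks"]
    result["issues"].extend(sub["issues"])


def _scan(domain, records, depth, result):
    """Walk the terms of one record, accumulating counts and issues into result."""
    record = records.get(domain)
    if record is None:
        result["issues"].append(f"{domain}: no SPF record")
        return
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        result["issues"].append(f"{domain}: missing v=spf1 version tag")
        return
    for term in terms[1:]:
        if result["all"] is not None:
            result["issues"].append(f"{domain}: {term!r} after 'all' is never evaluated")
            continue
        if term.lower().startswith("redirect="):
            _absorb(result, domain, term.split("=", 1)[1], records, depth)
            continue
        if "=" in term and ":" not in term:
            continue  # other modifiers (exp=, unknown ones) grant no authorization
        m = TERM_RE.match(term)
        if not m:
            result["issues"].append(f"{domain}: unknown term {term!r}")
            continue
        qualifier, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech == "all":
            result["all"] = qualifier
            if qualifier in ("+", "?"):
                result["issues"].append(f"{domain}: '{qualifier}all' lets any host pass")
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg or "", strict=False)
                if net.version != int(mech[2]):
                    raise ValueError("address family does not match mechanism")
            except ValueError:
                result["issues"].append(f"{domain}: invalid network {arg!r} in {mech}")
                continue
            if mech == "ip4":
                result["ip4_count"] += net.num_addresses
            else:
                result["ip6_networks"] += 1
        elif mech == "include":
            _absorb(result, domain, arg, records, depth)
        # a, mx, ptr, exists would need DNS lookups; they are left unexpanded here.
    if depth == 0 and result["all"] is None:
        result["issues"].append(f"{domain}: no 'all' term, record ends in implicit neutral")


def evaluate_spf(domain, records, depth=0):
    """Expand the SPF record of `domain` and report how permissive it is."""
    result = {"ip4_count": 0, "ip6_networks": 0, "all": None, "issues": []}
    _scan(domain, records, depth, result)
    result["permissive"] = (
        result["ip4_count"] > LAX_THRESHOLD or result["all"] in ("+", "?")
    )
    return result


if __name__ == "__main__":
    for name in SPF_RECORDS:
        r = evaluate_spf(name, SPF_RECORDS)
        print(f"{name}: ip4={r['ip4_count']} all={r['all']} permissive={r['permissive']}")
        for issue in r["issues"]:
            print("  -", issue)
```

Run against the constructed zone, strict.example authorizes 16 addresses and is not permissive, lax.example authorizes 16,777,472 IPv4 addresses (a /8 plus the provider's /24) and is flagged even though it has a well-formed ~all, and broken.example collects three issues: an invalid /33 prefix, the undefined term foo:bar, and a +all that lets every host pass. To check a real domain, replace the table lookup with a TXT query and keep the depth limit, since unbounded include: chains are themselves a way to blow up the authorized address space.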
In their conclusion the scientists offer recommendations for more secure SPF configurations and strongly recommend using more restrictive SPF policies in practice. The researchers also launched a notification campaign to inform the operators of domains with misconfigured SPF records. The response has been positive, with several operators already having corrected their SPF configurations.
Publication: Stefan Czybik, Micha Horlboge, Konrad Rieck: “Lazy Gatekeepers: A Large-Scale Study on SPF Configuration in the Wild”, Proceedings of the 2023 ACM on Internet Measurement Conference, 2023.
Contact: Prof. Dr. Konrad Rieck, email@example.com