The Evolution of DNS-based Email Authentication: Measuring Adoption and Finding Flaws
- 6 October 2021
- conference paper
- Published by Association for Computing Machinery (ACM)
Abstract
Email is still one of the most common ways of communication in our digital world, and the underlying Simple Mail Transport Protocol (SMTP) is crucial for our information society. Back when SMTP was developed, security goals for the exchanged messages did not play a major role in the protocol design, resulting in many design limitations and vulnerabilities. Spear-phishing campaigns in particular take advantage of the fact that the originating email address is easy to spoof, which makes messages appear more trustworthy. Furthermore, trusted brands can be abused in email spam or phishing campaigns. Thus, if no additional authentication mechanisms protect a given domain, attackers can misuse that domain. To enable proper authentication, various extensions to SMTP have been developed over the past years. In this paper, we analyze the three most common methods for authenticating the originating DNS domain of an email in a large-scale, longitudinal measurement study. Among other findings, we confirm that the Sender Policy Framework (SPF) is still the most widely used email authentication method in practice. In general, we find that higher-ranked domains use more authentication mechanisms, but configuration errors still occur; for example, we found that amazon.co.jp had an invalid SPF record. A trend analysis shows a (statistically significant) growing number of domains using SPF. Furthermore, we show that the distribution of Domain-based Message Authentication, Reporting and Conformance (DMARC) evolved significantly as well, increasing tenfold over the last five years. However, it is still far from perfect, with a total adoption rate of about 11%. US and UK governmental domains are an exception: both have a high adoption rate due to binding legal directives. Finally, we study DomainKeys Identified Mail (DKIM) adoption in detail and find a lower bound of almost 13% for DKIM usage in practice. In addition, we reveal various flaws, such as weak or shared duplicate keys. As a whole, we find that about 3% of the domains use all three mechanisms in combination.