Spoofed Emails: An Analysis of the Issues Hindering a Larger Deployment of DMARC

  • Conference paper
Passive and Active Measurement (PAM 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14537)

Abstract

In 2015, the IETF released an informational specification for the DMARC protocol, not establishing it as an Internet standard. DMARC is designed to fight against email spoofing, on top of SPF and DKIM. Given that these anti-spoofing measures could lead to the loss of legitimate emails, DMARC embedded a reporting system enabling domain owners to monitor rejected messages and enhance their configurations. Research communities have extensively examined various aspects of DMARC, including adoption rates, misuse, and integration into early spam detection systems while overlooking other vital aspects, potentially impeding its broader use and adoption.

This paper sheds light on a widespread lack of comprehension of the standard and unexpected behavior regarding DMARC among various groups, including professionals, open-source libraries, and domain owners. We propose measurement and analysis approaches that include a DMARC record parser, a methodology for dataset collection, and an analysis of the domain name landscape. We provide insights for fostering a deeper understanding of the DMARC ecosystem.

We also identify email addresses in DMARC records belonging to 9,121 unregistered domain names, which unintended users could register, leading to potential data leakage from the email systems of domain owners.
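The check a domain owner can run against their own record, as an added example (not the authors' parser or code from the paper): it parses a DMARC record as a tag=value list, extracts the `rua`/`ruf` report destinations, and flags external domains that are not registered. The function names, the sample record and the `is_registered` callback (a stand-in for a registry or RDAP lookup) are assumptions, and "external" is approximated by a suffix comparison rather than an Organizational Domain lookup against the Public Suffix List.

```python
import re
from urllib.parse import urlsplit, unquote

def parse_dmarc(record):
    """Parse a DMARC TXT record (';'-separated tag=value list) into a dict.
    Returns None unless the first tag is exactly v=DMARC1."""
    tags = []
    for part in record.split(";"):
        if not part.strip():
            continue                      # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            return None                   # not a tag=value pair
        tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)                     # a repeated tag keeps its last value

def report_domains(tags):
    """Domains of the mailto: report URIs listed in the rua and ruf tags."""
    domains = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = re.sub(r"![0-9]+[kmgt]?$", "", uri.strip(), flags=re.I)  # size limit
            parts = urlsplit(uri)
            if parts.scheme.lower() == "mailto" and "@" in parts.path:
                domain = unquote(parts.path).rsplit("@", 1)[1]
                domains.add(domain.lower().rstrip("."))
    return domains

def audit(policy_domain, record, is_registered):
    """Map each external report domain to is_registered(domain); None if invalid."""
    tags = parse_dmarc(record)
    if tags is None:
        return None
    own = policy_domain.lower().rstrip(".")
    return {d: is_registered(d) for d in sorted(report_domains(tags))
            if d != own and not d.endswith("." + own)}  # simplification, see lead-in

# Constructed sample data: record, and a stand-in for a registry/RDAP lookup.
SAMPLE = ("v=DMARC1; p=reject; "
          "rua=mailto:dmarc@example.com,mailto:agg@reports-vendor.example!10m; "
          "ruf=mailto:forensic@old-vendor.example")
REGISTERED = {"reports-vendor.example"}

if __name__ == "__main__":
    for domain, ok in audit("example.com", SAMPLE, REGISTERED.__contains__).items():
        print(domain, "registered" if ok else "UNREGISTERED: remove from record")
```

Any destination reported as unregistered should be removed from the record or the domain re-registered by its owner, since reports sent there carry data about the owner's mail flows.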

Notes

  1. A fictional domain name.
  2. https://czds.icann.org.
  3. https://www.sie-europe.net.
  4. https://googlechrome.github.io/CertificateTransparency.
  5. https://tranco-list.eu.
  6. https://publicsuffix.org/.
  7. https://dmarc.org/2016/07/common-problems-with-dmarc-records/.
  8. https://www.proofpoint.com/.
  9. https://www.agari.com/.
  10. https://dmarcanalyzer.com/.
  11. https://proton.me/support/custom-domain-google.
  12. https://help.elasticemail.com/en/articles/2303947-the-dmarc-generator-tool.
  13. https://wpmailsmtp.com/how-to-create-dmarc-record/.
  14. https://6point6.co.uk/insights/xss-bugs-on-dmarc-checking-sites/.
  15. https://datatracker.ietf.org/doc/draft-ietf-dmarc-dmarcbis/.

Acknowledgments

We thank the reviewers for their valuable and constructive feedback. This work has been partially supported by the French Ministry of Research projects PERSYVAL Lab under contract ANR-11-LABX-0025-01 and DiNS under contract ANR-19-CE25-0009-01.

Author information

Corresponding author

Correspondence to Olivier Hureau.

10 Appendix

Fig. 10. RFC 7489 Extract - 6.3. General Record Format

Fig. 11. RFC 7489 Extract - 6.3. General Record Format

Fig. 12. RFC 7489 Extract - 6.3. General Record Format

Fig. 13. RFC 7489 Extract - 6.6.3. Policy Discovery

Fig. 14. RFC 6376 Extract - 3.2. Tag=Value Lists

Fig. 15. RFC 6376 Extract - 3.2. Tag=Value Lists

Fig. 16. RFC 6376 Extract - 3.2. Tag=Value Lists

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Hureau, O., Bayer, J., Duda, A., Korczyński, M. (2024). Spoofed Emails: An Analysis of the Issues Hindering a Larger Deployment of DMARC. In: Richter, P., Bajpai, V., Carisimo, E. (eds) Passive and Active Measurement. PAM 2024. Lecture Notes in Computer Science, vol 14537. Springer, Cham. https://doi.org/10.1007/978-3-031-56249-5_10

  • DOI: https://doi.org/10.1007/978-3-031-56249-5_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-56248-8

  • Online ISBN: 978-3-031-56249-5

  • eBook Packages: Computer Science, Computer Science (R0)
