Abstract
In 2015, the IETF released an informational specification for the DMARC protocol, without establishing it as an Internet standard. DMARC is designed to fight email spoofing, building on SPF and DKIM. Given that these anti-spoofing measures could lead to the loss of legitimate emails, DMARC embeds a reporting system enabling domain owners to monitor rejected messages and improve their configurations. Research communities have extensively examined various aspects of DMARC, including adoption rates, misuse, and integration into early spam detection systems, while overlooking other vital aspects, potentially impeding its broader use and adoption.
This paper sheds light on a widespread lack of comprehension of the standard and unexpected behavior regarding DMARC among various groups, including professionals, open-source libraries, and domain owners. We propose measurement and analysis approaches that include a DMARC record parser, a methodology for dataset collection, and an analysis of the domain name landscape. We provide insights for fostering a deeper understanding of the DMARC ecosystem.
We also identify email addresses in DMARC records belonging to 9,121 unregistered domain names, which unintended users could register, leading to potential data leakage from the email systems of domain owners.
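For a domain owner, the corresponding audit is to list every domain that a DMARC record sends reports to and confirm that each one is still registered and under the expected control. The sketch below is an added example, not the parser proposed in the paper: function names and the sample record are constructed, and a plain suffix match stands in for the Organizational Domain comparison of RFC 7489. For each external destination it also returns the RFC 7489 verification name whose TXT record the report receiver is expected to publish.

```python
# Added example: names and sample data are constructed for illustration.
SAMPLE_DOMAIN = "example.com"
SAMPLE_RECORD = ("v=DMARC1; p=reject; "
                 "rua=mailto:dmarc@example.com,mailto:agg@reports.example.net!10m; "
                 "ruf=mailto:forensic@old-vendor.example.org")

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    pairs = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # RFC 7489: the version tag must come first and be exactly "DMARC1".
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("v=DMARC1 must be the first tag")
    tags = {}
    for key, value in pairs:
        tags.setdefault(key, value)  # keep the first occurrence of a tag
    return tags

def report_domains(tags):
    """Return the set of domains named in rua/ruf mailto: URIs."""
    domains = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip().split("!", 1)[0]  # drop optional size limit
            if uri.lower().startswith("mailto:") and "@" in uri:
                host = uri.rsplit("@", 1)[1].split("?")[0]
                domains.add(host.lower().rstrip("."))
    return domains

def external_destinations(policy_domain, record):
    """Map each external report domain to its verification record name."""
    policy_domain = policy_domain.lower().rstrip(".")
    result = {}
    for dom in sorted(report_domains(parse_dmarc(record))):
        # Simplification: suffix match instead of a Public Suffix List lookup.
        if dom == policy_domain or dom.endswith("." + policy_domain):
            continue
        result[dom] = f"{policy_domain}._report._dmarc.{dom}"
    return result

if __name__ == "__main__":
    found = external_destinations(SAMPLE_DOMAIN, SAMPLE_RECORD)
    for dom, check in found.items():
        print(f"{dom}: confirm registration, then query TXT {check}")
```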
Acknowledgments
We thank the reviewers for their valuable and constructive feedback. This work has been partially supported by the French Ministry of Research projects PERSYVAL Lab under contract ANR-11-LABX-0025-01 and DiNS under contract ANR-19-CE25-0009-01.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Hureau, O., Bayer, J., Duda, A., Korczyński, M. (2024). Spoofed Emails: An Analysis of the Issues Hindering a Larger Deployment of DMARC. In: Richter, P., Bajpai, V., Carisimo, E. (eds) Passive and Active Measurement. PAM 2024. Lecture Notes in Computer Science, vol 14537. Springer, Cham. https://doi.org/10.1007/978-3-031-56249-5_10
DOI: https://doi.org/10.1007/978-3-031-56249-5_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-56248-8
Online ISBN: 978-3-031-56249-5
eBook Packages: Computer Science, Computer Science (R0)