Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Lazy Gatekeepers: A Large-Scale Study on SPF Configuration in the Wild

Stefan Czybik, Micha Horlboge, Konrad Rieck

TL;DR

This work provides the first large-scale, data-driven view of SPF configuration in the wild by scanning 12.8 million domains with a focus on adoption, errors, and policy laxity. It combines a broad empirical measurement with a detailed error taxonomy and a practical notification campaign to demonstrate both the scale of misconfigurations and their security impact. The study finds substantial growth in SPF deployment but notes a nontrivial share of records with errors and very permissive policies driven largely by include mechanisms, leading to spoofing opportunities. It further shows that targeted notifications can yield rapid improvements and offers concrete guidelines for domain owners and web hosting providers to tighten SPF configurations and reduce abuse. The work highlights the ongoing tension between usability and security in email authentication and provides actionable recommendations to improve real-world SPF deployment and resilience against forgery.

Abstract

The Sender Policy Framework (SPF) is a basic mechanism for authorizing the use of domains in email. In combination with other mechanisms, it serves as a cornerstone for protecting users from forged senders. In this paper, we investigate the configuration of SPF across the Internet. To this end, we analyze SPF records from 12 million domains in the wild. Our analysis shows a growing adoption, with 56.5 % of the domains providing SPF records. However, we also uncover notable security issues: First, 2.9 % of the SPF records have errors, undefined content or ineffective rules, undermining the intended protection. Second, we observe a large number of very lax configurations. For example, 34.7 % of the domains allow emails to be sent from over 100 000 IP addresses. We explore the reasons for these loose policies and demonstrate that they facilitate email forgery. As a remedy, we derive recommendations for an adequate configuration and notify all operators of domains with misconfigured SPF records.

Lazy Gatekeepers: A Large-Scale Study on SPF Configuration in the Wild

TL;DR

This work provides the first large-scale, data-driven view of SPF configuration in the wild by scanning 12.8 million domains with a focus on adoption, errors, and policy laxity. It combines a broad empirical measurement with a detailed error taxonomy and a practical notification campaign to demonstrate both the scale of misconfigurations and their security impact. The study finds substantial growth in SPF deployment but notes a nontrivial share of records with errors and very permissive policies driven largely by include mechanisms, leading to spoofing opportunities. It further shows that targeted notifications can yield rapid improvements and offers concrete guidelines for domain owners and web hosting providers to tighten SPF configurations and reduce abuse. The work highlights the ongoing tension between usability and security in email authentication and provides actionable recommendations to improve real-world SPF deployment and resilience against forgery.

Abstract

The Sender Policy Framework (SPF) is a basic mechanism for authorizing the use of domains in email. In combination with other mechanisms, it serves as a cornerstone for protecting users from forged senders. In this paper, we investigate the configuration of SPF across the Internet. To this end, we analyze SPF records from 12 million domains in the wild. Our analysis shows a growing adoption, with 56.5 % of the domains providing SPF records. However, we also uncover notable security issues: First, 2.9 % of the SPF records have errors, undefined content or ineffective rules, undermining the intended protection. Second, we observe a large number of very lax configurations. For example, 34.7 % of the domains allow emails to be sent from over 100 000 IP addresses. We explore the reasons for these loose policies and demonstrate that they facilitate email forgery. As a remedy, we derive recommendations for an adequate configuration and notify all operators of domains with misconfigured SPF records.

Paper Structure

This paper contains 49 sections, 8 figures, 5 tables.

Table of Contents

  1. Introduction
  2. Background
  3. A Primer on SPF
  4. Mechanisms.
  5. Modifiers.
  6. Example.
  7. Previous Studies
  8. Attacks on SPF
  9. Difference to our study.
  10. Methodology
  11. Measuring SPF in the Wild
  12. Data source.
  13. Crawler.
  14. Measurement focus.
  15. SPF Adoption and Errors
  16. ...and 34 more sections

Figures (8)

  • Figure 1: Implementation of email and security mechanisms and their overlaps.
  • Figure 2: Appearance of different error types.
  • Figure 3: Distribution of record-not-found errors.
  • Figure 4: Cutout of the number of domains using a specific include depending on the DNS lookup count.
  • Figure 5: CDF of authorized IPv4 addresses.
  • ...and 3 more figures