The Evolution of DNS-based Email Authentication: Measuring Adoption and Finding Flaws

Email is still one of the most common ways of communication in our digital world, and the underlying Simple Mail Transport Protocol (SMTP) is crucial for our information society. Back when SMTP was developed, security goals for the exchanged messages did not play a major role in the protocol design, resulting in many types of design limitations and vulnerabilities. Spear-phishing campaigns in particular take advantage of the fact that it is easy to spoof the originating email address in order to appear more trustworthy. Furthermore, trusted brands can be abused in email spam or phishing campaigns. Thus, if no additional authentication mechanisms protect a given domain, attackers can misuse the domain. To enable proper authentication, various extensions for SMTP have been developed in the past years. In this paper, we analyze the three most common methods for authenticating the originating DNS domain of an email in a large-scale, longitudinal measurement study. Among other findings, we confirm that Sender Policy Framework (SPF) still constitutes the most widely used method for email authentication in practice. In general, we find that higher-ranked domains use more authentication mechanisms, but configuration errors sometimes emerge; e.g., we found that amazon.co.jp had an invalid SPF record. A trend analysis shows a (statistically significant) growing number of domains using SPF. Furthermore, we show that the distribution of Domain-based Message Authentication, Reporting and Conformance (DMARC) evolved significantly as well, increasing tenfold over the last five years. However, it is still far from perfect, with a total adoption rate of about 11%. The US and UK governmental domains are an exception, given that both have a high adoption rate due to binding legal directives. Finally, we study DomainKeys Identified Mail (DKIM) adoption in detail and find a lower bound of almost 13% for DKIM usage in practice. In addition, we reveal various flaws, such as weak or shared duplicate keys. As a whole, we find that about 3% of the domains use all three mechanisms in combination.
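The DKIM flaws the abstract names, weak keys and shared duplicate keys, can be checked offline from the published TXT records alone. The following is an added example and not code from the paper: it parses the DER SubjectPublicKeyInfo in a record's p= tag with a minimal standard-library reader and flags keys below the 1024-bit minimum of RFC 8301 or published under more than one domain. `constructed_dkim_record` and the `*.example` domains are constructed test data (synthetic, not real keys), assumed here only so the block runs without DNS.

```python
import base64
from collections import defaultdict

def _tags(record):
    """Parse a DKIM 'k=v; k=v' tag list (folding whitespace inside p= is ignored by b64decode)."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
def _der_read(buf, pos):
    """Read one DER TLV at pos and return (value, position after it); handles short and long-form lengths."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def dkim_key_bits(record):
    """RSA modulus size of a DKIM record's p= tag (base64 DER SubjectPublicKeyInfo); 0 for an empty (revoked) key."""
    p = _tags(record).get("p", "")
    if not p:
        return 0
    spki, _ = _der_read(base64.b64decode(p), 0)   # outer SEQUENCE
    _, pos = _der_read(spki, 0)                   # AlgorithmIdentifier, skipped
    bitstr, _ = _der_read(spki, pos)              # BIT STRING; byte 0 is the unused-bit count
    rsapub, _ = _der_read(bitstr, 1)              # RSAPublicKey SEQUENCE
    modulus, _ = _der_read(rsapub, 0)             # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()
def dkim_flaws(records_by_domain, min_bits=1024):
    """Per-domain flaw list: keys shorter than min_bits (the RFC 8301 minimum) and keys shared by several domains."""
    owners = defaultdict(set)
    for domain, record in records_by_domain.items():
        owners[_tags(record).get("p", "")].add(domain)
    flaws = {}
    for domain, record in records_by_domain.items():
        bits, p = dkim_key_bits(record), _tags(record).get("p", "")
        flaws[domain] = (["weak key"] if 0 < bits < min_bits else []) + (["shared key"] if bits and len(owners[p]) > 1 else [])
    return flaws

# Constructed test data (hypothetical): a synthetic RSA-shaped SPKI of a chosen size, NOT a real key.
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value
def constructed_dkim_record(bits):
    n_bytes = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")   # top bit set -> leading 0x00
    pub = _der(0x30, _der(0x02, n_bytes) + _der(0x02, b"\x01\x00\x01"))      # RSAPublicKey {n, e=65537}
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))           # rsaEncryption OID + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pub))                       # SubjectPublicKeyInfo
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Calling `dkim_flaws` on a dict of selector records keyed by domain gives, per domain, `["weak key"]`, `["shared key"]`, both, or an empty list; a revoked key (empty p=) is reported as neither.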
