Top Websites Fail to Prevent Email Spoofing

More than half of Alexa top 500 domains allow email spoofing because their owners have failed to properly configure email servers, according to web security firm Detectify.

Email spoofing has often been used in spam, phishing and fraud campaigns, which is why the industry has created several validation and authentication systems designed to prevent unauthorized parties from sending bogus emails apparently coming from legitimate domains.

One of these systems is Sender Policy Framework (SPF), that allows domain administrators to specify in DNS records which servers are allowed to send emails using their domain.

The way SPF is configured allows users to specify what happens to emails that fail a check. If “soft fail” is set, emails are accepted, but they might be marked as spam or suspicious by some email providers. For example, Detectify said Gmail allows emails to go through to inboxes and doesn’t mark them as spam/suspicious if “soft fail” is used. If “hard fail” is set, emails suspected of being spoofed are either blocked before reaching the user or marked as spam in the recipient’s inbox.

Another email authentication method is DomainKeys Identified Mail (DKIM). DKIM is similar to SPF, but it relies on a cryptographic signature to verify if the sender has been authorized for a domain.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a system built on top of SPF and DKIM. DMARC allows the sender to specify if DKIM and/or SPF are used and what happens in case a check fails (e.g. reject, quarantine, or do nothing). DMARC also allows users to generate reports and find out if someone is trying to send spoofed emails.

While SPF, DKIM and DMARC can be highly efficient, they need to be configured properly. Detectify has conducted an Internet scan to determine how many of the Alexa top 500 domains have email authentication configured properly.

Researchers found that 276 of the top 500 domains can be spoofed. These are domains that don’t use SPF at all, use SPF only with soft fail, or use SPF with soft fail and DMARC configured to take no action (i.e. “none”).

Detectify said only 42 percent of the top 500 domains use DMARC, and 40 percent of domain owners that rely on SPF configured it for soft fail. The security firm has contacted some of the affected companies and they promised to address the issue.

Experts pointed out that it’s not difficult for small organizations to properly configure their email servers. However, the task is not as easy for large enterprises, which need to identify every server used to send out emails, including ones used for support, marketing, and password resets. If any of them are missed, users will not be able to send out emails, which could pose serious problems.

Related Reading: Microsoft Sues U.S. Over Secret Warrants to Search Email

Related Reading: Official Probe Slams Clinton’s Private Email Use