Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

Top Websites Fail to Prevent Email Spoofing

More than half of Alexa top 500 domains allow email spoofing because their owners have failed to properly configure email servers, according to web security firm Detectify.

More than half of Alexa top 500 domains allow email spoofing because their owners have failed to properly configure email servers, according to web security firm Detectify.

Email spoofing has often been used in spam, phishing and fraud campaigns, which is why the industry has created several validation and authentication systems designed to prevent unauthorized parties from sending bogus emails apparently coming from legitimate domains.

One of these systems is Sender Policy Framework (SPF), that allows domain administrators to specify in DNS records which servers are allowed to send emails using their domain.

The way SPF is configured allows users to specify what happens to emails that fail a check. If “soft fail” is set, emails are accepted, but they might be marked as spam or suspicious by some email providers. For example, Detectify said Gmail allows emails to go through to inboxes and doesn’t mark them as spam/suspicious if “soft fail” is used. If “hard fail” is set, emails suspected of being spoofed are either blocked before reaching the user or marked as spam in the recipient’s inbox.

Another email authentication method is DomainKeys Identified Mail (DKIM). DKIM is similar to SPF, but it relies on a cryptographic signature to verify if the sender has been authorized for a domain.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a system built on top of SPF and DKIM. DMARC allows the sender to specify if DKIM and/or SPF are used and what happens in case a check fails (e.g. reject, quarantine, or do nothing). DMARC also allows users to generate reports and find out if someone is trying to send spoofed emails.

While SPF, DKIM and DMARC can be highly efficient, they need to be configured properly. Detectify has conducted an Internet scan to determine how many of the Alexa top 500 domains have email authentication configured properly.

Researchers found that 276 of the top 500 domains can be spoofed. These are domains that don’t use SPF at all, use SPF only with soft fail, or use SPF with soft fail and DMARC configured to take no action (i.e. “none”).

Detectify said only 42 percent of the top 500 domains use DMARC, and 40 percent of domain owners that rely on SPF configured it for soft fail. The security firm has contacted some of the affected companies and they promised to address the issue.

Experts pointed out that it’s not difficult for small organizations to properly configure their email servers. However, the task is not as easy for large enterprises, which need to identify every server used to send out emails, including ones used for support, marketing, and password resets. If any of them are missed, users will not be able to send out emails, which could pose serious problems.

Related Reading: Microsoft Sues U.S. Over Secret Warrants to Search Email

Related Reading: Official Probe Slams Clinton’s Private Email Use

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited...