Saved in:
Bibliographic Details
Main Authors: Czybik, Stefan, Horlboge, Micha, Rieck, Konrad
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2502.08240
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866912230460620800
author Czybik, Stefan
Horlboge, Micha
Rieck, Konrad
author_facet Czybik, Stefan
Horlboge, Micha
Rieck, Konrad
contents The Sender Policy Framework (SPF) is a basic mechanism for authorizing the use of domains in email. In combination with other mechanisms, it serves as a cornerstone for protecting users from forged senders. In this paper, we investigate the configuration of SPF across the Internet. To this end, we analyze SPF records from 12 million domains in the wild. Our analysis shows a growing adoption, with 56.5 % of the domains providing SPF records. However, we also uncover notable security issues: First, 2.9 % of the SPF records have errors, undefined content or ineffective rules, undermining the intended protection. Second, we observe a large number of very lax configurations. For example, 34.7 % of the domains allow emails to be sent from over 100 000 IP addresses. We explore the reasons for these loose policies and demonstrate that they facilitate email forgery. As a remedy, we derive recommendations for an adequate configuration and notify all operators of domains with misconfigured SPF records.
format Preprint
id arxiv_https___arxiv_org_abs_2502_08240
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Lazy Gatekeepers: A Large-Scale Study on SPF Configuration in the Wild
Czybik, Stefan
Horlboge, Micha
Rieck, Konrad
Cryptography and Security
The Sender Policy Framework (SPF) is a basic mechanism for authorizing the use of domains in email. In combination with other mechanisms, it serves as a cornerstone for protecting users from forged senders. In this paper, we investigate the configuration of SPF across the Internet. To this end, we analyze SPF records from 12 million domains in the wild. Our analysis shows a growing adoption, with 56.5 % of the domains providing SPF records. However, we also uncover notable security issues: First, 2.9 % of the SPF records have errors, undefined content or ineffective rules, undermining the intended protection. Second, we observe a large number of very lax configurations. For example, 34.7 % of the domains allow emails to be sent from over 100 000 IP addresses. We explore the reasons for these loose policies and demonstrate that they facilitate email forgery. As a remedy, we derive recommendations for an adequate configuration and notify all operators of domains with misconfigured SPF records.
title Lazy Gatekeepers: A Large-Scale Study on SPF Configuration in the Wild
topic Cryptography and Security
url https://arxiv.org/abs/2502.08240