Email Servers For More Than Half of World’s Top Sites Can Be Spoofed

More than half of the world’s top sites suffer from misconfigured email servers, something that heightens the risk of having spoofed emails sent from their domains, researchers warn.

More than half of the world’s top sites suffer from misconfigured email servers, something that heightens the risk of having spoofed emails sent from their domains, researchers warn.

Researchers at Detectify, a Swedish web security firm, recently combed through hundreds of domains and found that many of them suffer from poor email authentication methods. An attacker could send spoofed emails from the domains and trick recipients into clicking malicious links, spreading malware, or giving up sensitive information.

The firm described this week how it carried out a simple test using a few lines of Python to scan the domains on’s top 500 sites list. It pinged each one to determine whether their email systems were properly configured; in this case whether the systems had sufficient SPF and DMARC records.

In email security, SPF, or Sender Policy Framework, is a validation system that’s designed to prevent spoofing by verifying that mail is coming from a host authorized by the domain’s administrators. DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is an authentication protocol that allows senders and receivers to improve and monitor protection of the domain from fraudulent email.

In the eyes of the firm, sites with No SPF, SPF with SOFTFAIL, only, and SPF with SOFTFAIL, and DMARC with action none were all “vulnerable.”

Domains without SPF records leave the door open for spammers to send messages with forged “from” addresses from the domain, since the recipient can’t verify the messages are coming from an authorized mail server.

Sites with SPF records with only SOFTFAIL set up aren’t doing enough to protect their domains, Detectify said, since there’s no marking or special treatment when emails arrive, meaning the receiving server can accept it but will likely brand it as suspicious.

DMARC – which takes SPF and DKIM, another form of authentication – into consideration, can either quarantine or reject emails, but when it’s set to none, no action is taken.

The firm found that 276 of the 500 domains could be spoofed, and suggested that the figure would probably be worse if they were able to scour the whole internet.

“According to our research, only 42 percent of the top 500 Alexa sites use DMARC. Of the ones that use only SPF, 40 percent of these use SOFTFAIL,” the firm wrote of its study, “Since there are in fact ways to prevent this, the problem must be misinformation or lack of knowledge as to how vulnerable email without authentication configured can really be.”

Detectify wouldn’t disclose which 276 domains failed to properly configure their emails but did name one of the domains it scanned which had everything properly configured: the site for the customer service software Zendesk,

The company’s VP of Security, Ryan Gurney, told the company it was aware of what it had to do in order to adequately secure its email systems.

“We know that the correct use of SPF and DKIM can help to protect an email domain from these attacks. To setup SPF and DKIM correctly was challenging and required that we change the way we send email. However, we knew how important this was in order to maintain a high level of email security.”

Google recommends ramping up DMARC usage slowly, bolstered by DKIM and SPF, to prevent spam, eventually changing DMARC’s setting to “reject” in order to make full use of the feature.

The company announced last fall it was planning on moving to reject messages that don’t conform to checks spelled out by DMARC. The move followed similar steps taken by Yahoo and AOL with regards to their mail services.

Google, in an email security study carried out last November alongside researchers from the University of Michigan and the University of Illinois, made findings similar to Detectify’s. The researchers evaluated 700,000 SMTP servers associated with Alexa’s top million domains for a paper. 82 percent supported TLS but only 35 percent supported server authentication. An even smaller figure, 1.1 percent, specified a DMARC authentication policy.

Suggested articles