USENIX Security Symposium 2024
SPF Beyond the Standard: Management and Operational Challenges in Practice and Practical Recommendations
Md. Ishtiaq Ashiq†, Weitong Li†, Tobias Fiebig‡, Taejoong "Tijay" Chung†
†Virginia Tech, ‡Max-Planck-Institut für Informatik
About This Study
Since its inception in the 1970s, email has emerged as an irreplaceable medium for global communication. Despite its ubiquity, the system is plagued by security vulnerabilities, such as email spoofing. Among the various countermeasures, the Sender Policy Framework (SPF) remains a seminal and commonly deployed solution, working by specifying a list of authorized IP addresses for sending email. While SPF might seem simple on the surface, the practical management of its records proves to be challenging; for example, although syntactical errors are uncommon (0.4%), evaluation-phase challenges are prevalent (7.7%), leading to potential disruptions in email delivery. In our paper, we conduct a comprehensive study on the SPF extension, drawing from 17 months of weekly data snapshots that span 176 million domains across four top-level domains; we delve into the reasons behind such prevalent evaluation errors. Simultaneously, we undertake an ethical methodology to explore how SMTP servers validate SPF records and evaluate the effectiveness of widely-used software implementations. Our study unveils potential attack vectors that could be exploited for DNS amplification attacks or disrupt mail distribution; for instance, we demonstrate how an attacker could temporarily impede email reception by exploiting flaws in SPF validation mechanisms. We also conduct a qualitative study among email administrators to gain insights into the practical implementation and usage of SPF and SPF validators. Based on our findings, we provide recommendations designed to reconcile these discrepancies and bolster the SPF ecosystem’s overall security.
About the Dataset
The dataset is largely composed of two parts:
- Server-side Measurement: DNS scans, covering (1) how we collect the data (i.e., measurement code) and (2) how we analyze the collected data (i.e., analysis code). See Section 3 in the paper.
- Client-side Scanning: Scanning data, covering (1) how we scan the MTAs and (2) how we analyze the collected logs (i.e., analysis code). See Section 5 in the paper.
- Survey: Survey questions and responses for the qualitative study. See Section 6 in the paper.