Lazy Gatekeepers: A Large-Scale Study on SPF Configuration in the Wild

TL;DR

This large-scale study analyzes SPF configurations across 12 million domains, revealing widespread adoption but also significant security flaws and overly lax policies that enable email forgery, along with recommendations for improvement.

Contribution

The paper provides the first comprehensive analysis of SPF deployment in the wild, identifying common misconfigurations and proposing best practices to enhance email security.

Findings

56.5% of domains use SPF records

2.9% of SPF records have errors or ineffective rules

34.7% of domains allow sending from over 100,000 IP addresses

Abstract

The Sender Policy Framework (SPF) is a basic mechanism for authorizing the use of domains in email. In combination with other mechanisms, it serves as a cornerstone for protecting users from forged senders. In this paper, we investigate the configuration of SPF across the Internet. To this end, we analyze SPF records from 12 million domains in the wild. Our analysis shows a growing adoption, with 56.5 % of the domains providing SPF records. However, we also uncover notable security issues: First, 2.9 % of the SPF records have errors, undefined content or ineffective rules, undermining the intended protection. Second, we observe a large number of very lax configurations. For example, 34.7 % of the domains allow emails to be sent from over 100 000 IP addresses. We explore the reasons for these loose policies and demonstrate that they facilitate email forgery. As a remedy, we derive recommendations for an adequate configuration and notify all operators of domains with misconfigured SPF records.