Subdomain Protection is Needed: An SPF and DMARC-based Empirical Measurement Study and Proactive Solution of Email Security

2023 42ND INTERNATIONAL SYMPOSIUM ON RELIABLE DISTRIBUTED SYSTEMS, SRDS 2023(2023)

Abstract
SPF and DMARC are two important email authentication protocols that can effectively reduce the risk of spoofing attacks and improve email security. In this paper, we provide an empirical measurement study of how well SPF and DMARC are deployed and managed. We perform an active measurement on the Alexa Top Million Domains and their subdomains. For the first time, we present a measurement of subdomain configuration. SPF and DMARC adoption is growing, but still more than 70% of domains do not have proper configurations. More than 90% of all domains lack subdomain configurations. Through experiments, we show that in the absence of effective SPF and DMARC configurations, domains and subdomains can be used by attackers to send spoofed emails. To address this issue, we provide a complete set of proactive email security defense solutions. We summarize detailed mitigation measures and email security assessment methodologies. We also propose the SPF Macro-based Abnormal Email Detection System (SMAEDS), which enables proactive defense against spoofed email attacks. We recommend that the community pay more attention to the systemic issues of SPF and DMARC deployment. We hope that this work can help improve the security of the email ecosystem and reduce the risk of phishing attacks.
Keywords
Email security, Subdomain, Phishing, Spoofed, Email, SPF, DMARC