Tobias Länge (SECUSO, Karlsruhe Institute of Technology, Karlsruhe, Germany), Fabian Lucas Ballreich (SECUSO, Karlsruhe Institute of Technology, Karlsruhe, Germany), Anne Hennig (SECUSO, Karlsruhe Institute of Technology, Karlsruhe, Germany), Peter Mayer (SECUSO, Karlsruhe Institute of Technology, Karlsruhe, Germany), Melanie Volkamer (SECUSO, Karlsruhe Institute of Technology, Karlsruhe, Germany)
Email spoofing, the practice of sending illegitimate messages that appear to come from a legitimate sender, is a phishing technique frequently employed by attackers. In an effort to prevent such phishing, anti-spoofing mechanisms like DMARC were introduced, and the research community has examined them with respect to adoption rates, policies used, and potential problems. However, prior research has not yet taken into account all aspects of DMARC when evaluating how effectively configurations prevent spoofing attacks. To address this research gap, we developed a utility-oriented configuration matrix – focusing on the anti-spoofing effectiveness of different DMARC configurations – and provide clear recommendations for selecting the appropriate configuration. We then collected data from the Tranco Top-100k list daily for a duration of eight months and applied our classification to the collected data. Our analysis of the collected data reveals how configurations evolve over time and provides insights into the actual deployment of DMARC in practice. This allows us to identify potential issues that hinder the adoption of more secure configurations and to identify the most common errors in invalid DMARC records found in the wild, which could serve as a basis for enhancing the DMARC standard. Our results show that domains move towards configurations that are more effective against email spoofing, but still exhibit a lack of knowledge with respect to different policy settings.