Tino Hager (Mailtower.app), Ronald Petrlic (Nuremberg Institute of Technology)
The widespread enforcement of email authentication mechanisms such as SPF, DKIM, and DMARC by major email providers has become a cornerstone in the fight against email spoofing. However, now that these policies are rigorously checked in practice, a paradoxical problem has emerged: emails that are correctly authenticated and fully compliant with all policies are nevertheless rejected. In particular, temporary errors (TempErrors) appear to occur arbitrarily and can account for a substantial share of email delivery failures. To date, no systematic explanation for this phenomenon has been provided.
In this paper, we present the first comprehensive study that shows that these errors are not caused by the authentication mechanisms themselves, but by limitations and failures in the underlying DNS infrastructure. Our measurements reveal that the DNS zones of some—especially large—organizations are overcrowded with TXT records used for domain verification. We show that the resulting number and size of DNS records can directly interfere with SPF evaluation, leading to rejected emails. Furthermore, we identify issues in the DNS infrastructure of Amazon Web Services, where oversized DNS responses can trigger errors and, consequently, render emails undeliverable.
Beyond SPF, we show that DKIM configurations also contribute to delivery failures: RSA keys longer than 2000 bits, although such key lengths are considered state of the art, can already result in non-delivery because the DNS response carrying the public key becomes excessively large. Finally, we are the first to uncover that Microsoft's Exchange Online infrastructure exhibits shortcomings in handling long DNS responses, which explains a significant number of email delivery failures, particularly for large enterprises with extensive DNS configurations.
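As an added example that is not part of the paper or its measurement tooling, the following Python script makes the two size effects described above concrete. It computes the wire size of the TXT response a verifier receives for a zone apex crowded with domain-verification records, counts the lookup-consuming SPF terms against the limit of 10 from RFC 7208 section 4.6.4, and builds DKIM TXT records for RSA keys of several sizes to show when the response to the selector query crosses the 512-byte limit of classic UDP DNS (RFC 1035), beyond which the server sets the TC bit and the client has to retry over TCP. The zone contents, the domain names, the selector, and the EDNS0 buffer size of 1232 bytes are assumptions; the size model assumes one question, no OPT record, and compression pointers for the owner names; the RSA modulus is a placeholder of the right bit length rather than a real key.

```python
import base64
import re

DNS_HEADER_LEN = 12        # RFC 1035 section 4.1.1
UDP_LIMIT_NO_EDNS = 512    # RFC 1035 section 2.3.4: larger answers are truncated (TC bit), retry over TCP
UDP_LIMIT_EDNS = 1232      # EDNS0 buffer size commonly advertised by resolvers (assumption, resolver-dependent)
SPF_LOOKUP_LIMIT = 10      # RFC 7208 section 4.6.4

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def wire_name_len(name):
    """Uncompressed wire length of a domain name: one length octet per label plus the root label."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def txt_rdata_len(text):
    """TXT RDATA is a sequence of <character-string>s of at most 255 octets, each
    preceded by a length octet (RFC 1035 section 3.3.14)."""
    data = text.encode()
    chunks = max(1, -(-len(data) // 255))  # ceiling division
    return len(data) + chunks


def txt_response_len(qname, texts):
    """Size of the response to 'qname TXT' carrying every TXT record at that name.
    Model: header, one question, no OPT record, 2-octet compression pointer as each RR's owner name."""
    question = wire_name_len(qname) + 4           # QNAME + QTYPE + QCLASS
    rr_fixed = 2 + 2 + 2 + 4 + 2                   # NAME pointer, TYPE, CLASS, TTL, RDLENGTH
    return DNS_HEADER_LEN + question + sum(rr_fixed + txt_rdata_len(t) for t in texts)


def der(tag, content):
    """Minimal DER TLV encoder (definite-length form only)."""
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_int(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps the INTEGER positive
    return der(0x02, raw)


def rsa_spki_der(bits, exponent=65537):
    """SubjectPublicKeyInfo for an RSA key of the given size, i.e. what DKIM's p= tag carries in base64.
    The modulus is a placeholder with the top bit set, so the encoding is exactly as long as for a real key."""
    modulus = (1 << (bits - 1)) | 1
    rsa_public_key = der(0x30, der_int(modulus) + der_int(exponent))
    algorithm = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))


def dkim_txt_record(bits):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(bits)).decode()


# Terms that cost a DNS lookup during SPF evaluation; ip4, ip6, all and exp do not count.
SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.IGNORECASE)


def spf_lookup_terms(spf):
    return sum(1 for term in spf.split()[1:] if SPF_LOOKUP_TERM.match(term))


def check_zone(domain, apex_txt, dkim_bits, selector="s1"):
    """Summarise the DNS-side limits an SPF/DKIM verifier will run into for this zone."""
    spf = [t for t in apex_txt if t.lower().startswith("v=spf1")]
    apex_len = txt_response_len(domain, apex_txt)
    dkim_len = txt_response_len(f"{selector}._domainkey.{domain}", [dkim_txt_record(dkim_bits)])
    lookups = spf_lookup_terms(spf[0]) if spf else None
    return {
        "apex_txt_records": len(apex_txt),
        "apex_response_bytes": apex_len,
        "apex_truncated_without_edns": apex_len > UDP_LIMIT_NO_EDNS,
        "apex_truncated_with_edns": apex_len > UDP_LIMIT_EDNS,
        "spf_lookup_terms": lookups,
        "spf_lookup_limit_exceeded": lookups is not None and lookups > SPF_LOOKUP_LIMIT,
        "dkim_response_bytes": dkim_len,
        "dkim_truncated_without_edns": dkim_len > UDP_LIMIT_NO_EDNS,
    }


# Constructed sample zone (assumption): one SPF record plus the kind of verification tokens that pile up at an apex.
SAMPLE_APEX_TXT = [
    "v=spf1 a mx include:_spf.example.net include:_spf.example.org "
    "exists:%{i}.chk.example.net redirect=_spf2.example.net",
    "google-site-verification=" + "a" * 43,
    "MS=ms" + "1" * 8,
    "apple-domain-verification=" + "b" * 16,
    "docusign=" + "c" * 32,
    "atlassian-domain-verification=" + "d" * 64,
    "facebook-domain-verification=" + "e" * 30,
    "adobe-idp-site-verification=" + "f" * 64,
    "stripe-verification=" + "g" * 64,
]

if __name__ == "__main__":
    for bits in (1024, 2048, 3072, 4096):
        rec = dkim_txt_record(bits)
        print(f"RSA-{bits}: DKIM record {len(rec)} chars, selector response "
              f"{txt_response_len('s1._domainkey.example.com', [rec])} bytes")
    print(check_zone("example.com", SAMPLE_APEX_TXT, 2048))
    print(check_zone("example.com", SAMPLE_APEX_TXT[:1], 2048))  # same SPF record, apex without the verification clutter
```

The apex calculation is the point of the overcrowding finding: the SPF verifier asks for `example.com TXT` and gets every TXT record at the apex back, so each unrelated verification token enlarges the response that must fit through the path to the verifier, even though SPF itself only needs one of them. Running the check with and without the verification records shows the same SPF policy fitting comfortably in a 512-byte UDP answer in one zone and forcing truncation and a TCP retry in the other.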
Overall, our findings provide a new perspective on the reliability of modern email authentication and demonstrate that DNS scalability and implementation limitations represent a critical, yet previously overlooked, root cause of authentication-related email delivery failures.