Analysis: Over the past two decades, efforts have been made to make email more secure. Alas, defensive protocols implemented during this period, such as SPF, DKIM, and DMARC, remain unable to deal with the complexity of email forwarding and differing standards, a study has concluded.
In a preprint paper titled, “Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy,” scheduled to appear at the 8th IEEE European Symposium on Security and Privacy in July, authors Enze Liu, Gautam Akiwate, Mattijs Jonker, Ariana Mirian, Grant Ho, Geoffrey Voelker, and Stefan Savage show that email messages can be easily spoofed despite the existence of supposed defenses.
The researchers, affiliated with UC San Diego and Stanford University in the US, and University of Twente in the Netherlands, reveal that attackers can still easily take advantage of security issues arising from email forwarding. They demonstrated this by delivering spoofed messages to accounts at major email providers like Google Gmail, Microsoft Outlook, and Zoho.
SPF, DKIM, and DMARC do help. Sender Policy Framework (SPF) provides a way to set a list of IP addresses that can send email on behalf of a domain, and to define what actions recipients should take upon receipt of a message from an unauthorized IP address.
DomainKeys Identified Mail (DKIM) creates a cryptographic signature binding a message to the sending domain, but doesn’t verify the sender (the FROM header).
Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds upon and extends SPF and DKIM by telling