Both Sides Needed: A Two-Dimensional Measurement Study of Email Security Based on SPF and DMARC.

As important email authentication protocols, SPF and DMARC can effectively reduce the risk of spoofing and improve the security of email systems. In this paper, we perform, for the first time, a comprehensive and integrated measurement of the state of SPF and DMARC adoption on the Alexa Top Million Domains in 2023, both in two dimensions with email sending and receiving. We provide a detailed analysis and comparison of the results. Our measurement shows that the number of domains configured with SPF and DMARC records is increasing while the number of invalid records is also growing. Among domains with email sending/receiving capabilities, approximately 27% of domain mail servers cannot verify the SPF and DMARC of received emails. Email security must be achieved on both the sending and receiving sides. We recommend that all domain administrators pay more attention to the systemic issues of SPF and DMARC deployments.