Many top companies have not done enough to prevent email spoofing using their domains. A new study conducted by security firm Detectify has revealed that many top website domains are wide open to abuse because email servers have been misconfigured or do not use authentication.

Website Owners are Not Doing Enough to Prevent Email Spoofing

Detectify conducted the study to determine how widespread the problem really is. The top 500 Alexa ranked websites were scanned to determine whether vulnerabilities existed that would allow spammers to send spoofed emails from the domains. The Swedish security firm found that fewer than half of the websites tested had configured their email servers correctly. The majority had either misconfigured their email servers or had failed to use authentication, which could prevent email spoofing. 276 of the domains were discovered to be vulnerable. More than half of the most visited websites could therefore be used by spammers to send spoofed emails.

Email spoofing is the sending of emails using a forged email address. This can either be the sending of an email that appears to come from a particular domain – Using a very similar domain name for example – or sending fake emails from the domain itself. In the case of the former, there is little companies can do to prevent this and it is largely down to email recipients to carefully check the sender’s address.

However, organizations can take steps to prevent spammers from sending emails from their own domains. If fake emails are sent from their domains customers may be fooled into thinking the messages are genuine. Criminals use email spoofing for phishing, spearphishing, and malware/ransomware campaigns. It is easier for them to achieve their objective if the message recipients trust the domain from which the email is sent.

How to Prevent Email Spoofing

There are three main ways that companies can address vulnerabilities and prevent domain spoofing. The most common method is to use the Sender Policy Framework, or SPF.  By using this setting the website owner can specify which servers are permitted to send emails using the domain. There are three possible settings – hardfail, softfail, and neutral. To prevent email spoofing, hardfail should be selected. This will reject suspected spam emails and will ensure they are not delivered. If the softfail setting is used, emails will still be delivered although they should be marked as suspected spam. If neutral is used there is no control and all emails will be sent and delivered.

The 276 domains that Detectify discovered were vulnerable had used the softfail or neutral settings. Softfail is often used instead of hardfail to prevent the loss of emails that are incorrectly flagged. However, many free email providers such as Gmail fail to mark messages as spam if the softfail setting has been used.

Detectify recommended that websites use the hardfail setting and also use DMARC – Domain Based Message Authentication Reporting and Conformance. DMARC is a much more reliable way to prevent spoofed emails from a domain.  DMARC creates a link between the email and the domain name. This makes it easier to determine whether an email is genuine or if it just looks real. DMARC also sends reports to advise the domain owner who is sending emails from their domain.

However, only 42% of the websites tested used DMARC, and in many cases, the settings had been configured incorrectly. While SPF and DMARC are not infallible, they can make it much harder for spammers to send spoofed emails.