TrustedSource™ Blog

SPF / DKIM Use on the Decline Among Fortune 500s?

July 3rd, 2008

For those of you who are not familiar with SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail), these are two forgery countermeasures, which can be used by anyone looking to protect the integrity of their outgoing electronic correspondence (email). SPF and DKIM provide a response to recipient email servers interested in knowing whether a particular sender was authorized to send email representing the company’s domain. This is done without divulging any information about the message that was sent, and can be very effective at fighting spam, phishing, and other forms of spoofing. In order for the recipient to identify a forgery, their mail server must be running software that supports SPF or DKIM lookups (such as Secure Mail).

Out of the 2008 roster of Fortune 500 companies, a mere 202 appear to be using any of the forgery countermeasures provided by SPF, DKIM, or similar implementations. This stands in stark contrast to Sendmail’s survey, which claimed some 90% of Fortune 1000 companies, and suggests a sharp decline from Sendmail’s reported 282 companies. To make sure our results were accurate, we decided against random sampling and instead put together a list of all 500 primary domains used by the Fortune 500 and queried each of them.

Our techniques used to determine a domain’s status were the same as Sendmail’s, with the exception of the SenderID test. Sendmail’s SenderID test polled for 'v=spf2' in the TXT record, while our test checked for both 'v=spf2' and 'spf2.0'. This was done to account for any confusion caused by Microsoft’s SPF wizard, which, for a while, generated configurations using v=spf2. To ensure that we didn’t miss any Fortune 500s using SenderID, we’ve scanned for both in our tests.

Our criteria were as follows:

  • SPF v1: Check for domain TXT record containing 'v=spf1'
  • SPF v2 (SenderID): Check for domain TXT record containing 'spf2' or 'v=spf2' (also includes all matches to 2.0 and variants)
  • DomainKeys w/SSP: Check for _domainkey TXT record
  • DKIM w/SSP: Check for _policy._domainkey or _ssp._domainkey TXT record
  • DomainKeys or DKIM (without SSP): Check for _domainkey zone with no subsequent TXT record

The breakdown of results was as follows:

  • SPFv1: 166
  • SPFv2: 1
  • DK/SSP: 21
  • DKIM/SSP: 51
  • DK/DKIM No SSP: 0
  • Domains running both: 37

That leaves a mere 202 companies once you account for the companies running both technologies: 40% of the Fortune 500. To make matters worse, only 65 of the 167 companies using SPF included the -all policy, which causes a fail result to be returned if the sending IP address is not found explicitly in the policy. The breakdown of the “all” policy is as follows:

  • SPF -all: 65
  • SPF +all: 1
  • SPF ~all: 83
  • SPF ?all: 16
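
The five criteria above and the “all” qualifier breakdown, written up as an offline check over recorded TXT data. This is an added example, not the TrustedSource tool’s own code; the zone data is constructed, and the convention that a name mapped to an empty list means NOERROR/NODATA (the name exists but has no TXT record) is this example’s assumption.

```python
import re
# Constructed sample TXT data (not real Fortune 500 records), keyed by owner name.
# Convention assumed by this example: a name mapped to [] models NOERROR/NODATA
# (the name exists but has no TXT record); a missing name models NXDOMAIN.
SAMPLE_ZONES = {
    "bank-a.example": {
        "bank-a.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
        "_domainkey.bank-a.example": ["t=y; o=-"],            # DomainKeys SSP
        "_policy._domainkey.bank-a.example": ["dkim=all"],    # DKIM SSP
    },
    "retail-b.example": {
        "retail-b.example": ["spf2.0/pra mx ~all", "unrelated-txt=abc"],
        "_domainkey.retail-b.example": [],                    # zone exists, no TXT
    },
    "utility-c.example": {
        "utility-c.example": ["v=spf1 a mx"],                 # no 'all' term at all
    },
}

def spf_all_qualifier(spf_txt):
    """Qualifier on the 'all' mechanism: '+', '-', '~' or '?'; None if the record
    has no 'all' term. RFC 4408 treats an unqualified mechanism as '+'."""
    for term in spf_txt.split()[1:]:            # skip the version tag
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None

def classify(domain, txt):
    """Apply the post's five criteria to one domain. Substring matching follows the
    post; RFC 4408 actually requires 'v=spf1' to lead the record."""
    apex = txt.get(domain, [])
    dk = f"_domainkey.{domain}"
    res = {
        "spf_v1": any("v=spf1" in r.lower() for r in apex),
        "spf_v2": any("spf2" in r.lower() for r in apex),
        "dk_ssp": bool(txt.get(dk)),
        "dkim_ssp": bool(txt.get(f"_policy._domainkey.{domain}")
                         or txt.get(f"_ssp._domainkey.{domain}")),
        "dk_no_ssp": dk in txt and not txt[dk],   # NODATA under _domainkey
    }
    spf = [r for r in apex if r.lower().startswith(("v=spf1", "v=spf2", "spf2"))]
    res["all"] = spf_all_qualifier(spf[0]) if spf else None
    res["uses_countermeasure"] = any(v for k, v in res.items() if k != "all")
    return res

def survey(zones=SAMPLE_ZONES):
    """Tally every domain in the sample the way the post tallies the Fortune 500."""
    return {d: classify(d, z) for d, z in zones.items()}
```

A record with no `all` term at all (as with utility-c) is reported as `None` rather than being folded into one of the four qualifier buckets, which is the case the post’s breakdown does not name.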

Other observations include:

  • Most financial institutions and credit card companies were set up to use SPF; however, we still found some very well-known banks using neither. This was quite surprising, as these were institutions that had been targeted for phishing attacks on several occasions.
  • A total of 44 of the Fortune 500s were found to have a sign-on located on their main page (we did not scan deeper). We determined this by looking for a form field designated as a password type field. Out of those 44, only half were using one of these tools.

Overall, most of the well-known Fortune 500s that touch the technology world were using forgery countermeasures of some sort, and that’s where the rubber meets the road. These are, by far, the most likely targets of phishing and spoofing attacks. It is important, however, for the rest of the companies to consider these measures as fraud continues to grow. Configuring SPF can be done effortlessly in about twenty minutes for most companies.
