Email Security Warning: Misconfigured Security Records Endanger Domains

By Greg Tavarez June 21, 2023

No matter how often the topic comes up, the significance of cybersecurity cannot be overstated. Online territories are now battlegrounds, and email is one of the primary targets set by bad actors.

As per the reports from the Internet Crime Complaint Center of the FBI, phishing stood out as the most prevalent form of cybercrime in the year 2020, and the frequency of phishing attacks has shown a consistent increase over time. It is worth noting that cybercriminals have repeatedly demonstrated their ability to breach even the most prestigious and secure domains.




Phishing tactics feed on trust, leveraging the perceived security associated with familiar domain names. Unsuspecting users may unquestioningly trust an email originating from a .gov, .edu or well-known .com domain. Regrettably, this trust can be exploited by malicious actors if proper domain security measures are not in place.

Stratus Security took a deeper dive into these phishing tactics with a focus on email security, specifically sender policy framework, SPF, and domain-based message authentication, reporting and conformance (DMARC), two critical email security measures.

Correct configuration of these measures prevents unauthorized parties from sending emails using a domain's identity.

However, the Stratus Security study uncovered widespread misconfigurations leaving domains open to exploitation. This included highly sensitive government and education domains and commercial entities. To put it into perspective, 68% of government websites and 83% of education sites can potentially be phished. This includes the likes of North Korea's sole domain in the study, the Ministry of Foreign Affairs.

Stratus Security's researchers also found that misconfigurations potentially allows malicious actors to send emails appearing to come directly from these domains. The more worrying cases were domains tagged with '+all' in their SPF records, essentially inviting anyone to send emails as that domain, with no indications of phishing. One such domain was the Greek public employment service (dypa.gov.gr), making it possible for anyone to send an email posing as an official communication from this institution.

"Phishing attacks rely on trust. When an email appears to come from a reputable source, users and businesses are much more likely to engage with its content,” said Stratus Security Chief Technology Officer Colin Watson. “That's why these misconfigurations present such a risk. It's essentially rolling out a red carpet for threat actors to exploit."

Misconfigurations in SPF and DMARC records, particularly those that make a domain phishable, appear to be more common across a wide range of institutions and countries than most thought. That said, strategies are needed to address these security vulnerabilities:

  • Ensure correct SPF and DMARC records: The first step is to review and correct SPF and DMARC records. Special attention should be given to avoiding configurations that can make the domain vulnerable to phishing attempts. Configuration options such as "+all" or "?all" in SPF records, as well as invalid DMARC settings, should be avoided.
     
  • Regular audits and testing: Regular audits of email security configurations are crucial to identify any misconfigurations or vulnerabilities. Employing reputable testing tools to regularly test SPF, DKIM, and DMARC functionality is necessary to ensure they are functioning as intended.
     
  • Training and awareness: It is important to educate the team about the significance of email security and the risks associated with misconfigured SPF and DMARC records. Raising awareness among team members enables them to be more vigilant in preventing such misconfigurations.
     
  • Seek expert assistance: For individuals or organizations lacking technical expertise, it is beneficial to seek the assistance of cybersecurity experts or firms. Experts can provide guidance on configuring SPF and DMARC records or improving overall email security.

By taking proactive measures, organizations bolster their email security.




Edited by Alex Passett
Get stories like this delivered straight to your inbox. [Free eNews Subscription]
SHARE THIS ARTICLE

The PBX Isn't Dead: It's Becoming the Operating System for Revenue Growth

AI-powered voice agents are transforming the traditional business phone system into an intelligent orchestration platform designed to drive enterprise revenue growth.

Read More

The Forgotten 70%: Enterprise Communication Is Finally Catching Up to the Deskless Workforce

8x8 Resolve is a new mobile-first critical communications and incident management platform designed to help enterprises reach deskless workers across SMS, voice, WhatsApp, and mobile app channels while improving acknowledgment tracking and auditability.

Read More

When Seconds Matter, Estonia Is Making Sure the Warning Gets Through

Estonia is expanding its EE-ALARM public warning system with end-to-end Cell Broadcast and hybrid alerting capabilities designed to deliver faster, more resilient emergency communications nationwide.

Read More

From Artisan Roots to Global Ambition, Robertet Is Building the Network Foundation for Manufacturing, Compliance, and AI

Robertet has selected GTT Communications to modernize connectivity across 50 global sites, building a more resilient network foundation to support manufacturing operations, regulatory compliance, cloud systems, and AI-driven innovation.

Read More

The Channel Advantage: How Industry Recognition Helps Companies Recruit, Retain, and Grow Partners

The 2026 INTERNET TELEPHONY Channel Excellence Awards recognize communications and technology companies delivering partner-first channel programs built around enablement, recurring revenue, cloud communications, AI, cybersecurity, and long-term MSP and advisor success.

Read More