You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication

Conference:  BlackHat USA 2020



The presentation discusses the vulnerabilities in email protocols and the need for better security measures.
  • Email protocols should be designed to be implementation-friendly and simple to reduce complexities and avoid multi-party processing.
  • The user interface of email is not sufficient for security assurance, and users should not blindly trust email displays.
  • PGP is a more secure email mechanism that provides end-to-end authentication and a more robust identifier.
  • Efforts should be made to improve email security and implement better detection techniques.
The presenters tested 20 email services and 19 email clients and found inconsistencies between different components in the email processing chain. Even if DKIM, SPF, and DMARC are properly implemented, email can still be spoofed. The lack of visibility in clear text email on the wire makes it difficult to detect these vulnerabilities, but efforts should be made to improve email security and implement better detection techniques.


Our study demonstrates an unfortunate fact that even a conscientious security professional using a state-of-the-art email provider service like Gmail cannot with confidence readily determine, when receiving an email, whether it is forged. We identified 18 types of attacks to bypass email sender authentication (including SPF, DKIM, and DMARC). Leveraging those techniques, an attacker can impersonate arbitrary senders without breaking authentication and even forge DKIM-signed emails with a legitimate site's signature. We evaluated our attacks against 10 popular email providers (e.g., Gmail.com, iCloud.com) and 19 email clients (e.g., Outlook, Thunderbird), and found all of them proved vulnerable to various attacks. We reported our findings to the affected vendors, who rewarded our report and are actively addressing them. The root cause of the problem lies in insecure composition, a rising threat in today's distributed systems. The techniques we developed can be applied to identify similar vulnerabilities in other systems. We will make our testing tool publicly available via GitHub to aid the community in securing additional email systems.