Not that Simple: Email Delivery in the 21st Century

Authors: 

Florian Holzbauer, SBA Research; Johanna Ullrich, University of Vienna; Martina Lindorfer, TU Wien; Tobias Fiebig, Max-Planck-Institut für Informatik

Abstract: 

Over the past two decades, the number of RFCs related to email and its security has exploded from below 100 to nearly 500. This embedded the Simple Mail Transfer Protocol (SMTP) into a tree of interdependent and delivery-relevant standards. In this paper, we investigate how far real-world deployments keep up with this increasing complexity of delivery and security options. To gain an in-depth picture of email delivery apart from the giants in the ecosystem (Gmail, Outlook, etc.), we engage people to send emails to eleven differently configured target domains. Our measurements allow us to evaluate core aspects of email delivery, including security features, DNS configuration, and IP version support on the sending side across different types of providers.

We find that novel technologies are often insufficiently supported, even by large providers. For example, while 65.4% of email providers can resolve hosts via IPv6, only 44.3% can also deliver emails via IPv6. Concerning security features, we observe that less than half (41.5%) of all providers rely on DNSSEC validating resolvers, and encryption is mostly opportunistic, with 89.7% of providers accepting invalid certificates. TLSA, as a DNS-based certificate verification method, is only used by 31.7% of the providers in our study. Finally, we turned our eye to the impact modern standards have on unsolicited bulk email (SPAM). We found that greylisting is effective, reducing the SPAM volume by roughly half while not impacting regular delivery. However, and interestingly, SPAM delivery currently seems to focus on plaintext IPv4 connections, making IPv6-only, TLS-enforcing inbound email servers a more effective anti-SPAM measure – even though it also means rejecting a major portion of legitimate emails.

BibTeX
@inproceedings {280698,
author = {Florian Holzbauer and Johanna Ullrich and Martina Lindorfer and Tobias Fiebig},
title = {Not that Simple: Email Delivery in the 21st Century},
booktitle = {2022 USENIX Annual Technical Conference (USENIX ATC 22)},
year = {2022},
isbn = {978-1-939133-29-18},
address = {Carlsbad, CA},
pages = {295--308},
url = {https://www.usenix.org/conference/atc22/presentation/holzbauer},
publisher = {USENIX Association},
month = jul
}
