Unmasking Lazy Gatekeepers: What 12 Million SPF Records Reveal About Email Security


Recent research by email security experts at Technische Universität Berlin reveals how millions of domains worldwide are undermining their email authentication through widespread SPF misconfigurations caused by inherited defaults and overly permissive historical settings.

While attention among email experts these days is increasingly focused on newer standards like DMARC and BIMI, foundational protocols such as SPF remain critical to securing email infrastructure. The Sender Policy Framework (SPF), a long-standing standard in email authentication, plays a key role in preventing phishing, spoofing, and malware. Yet recent research suggests that widespread misconfiguration and overly broad authorisations may be undermining its effectiveness, particularly so when inherited defaults go unchecked.

Worse still, some of the biggest senders in the email space seem to carry significant inherited risk because of permissive historical defaults in how their SPF records are built and implemented. The large-scale study titled “Lazy Gatekeepers: A Large-Scale Study on SPF Configuration in the Wild”, by Stefan Czybik, Micha Horlboge, and Konrad Rieck of Technische Universität Berlin, examines SPF configurations across 12 million domains.

While provocatively titled, ‘Lazy Gatekeepers’ refers to systemic configuration risks rather than individual negligence. The findings point to increasing adoption, but also to systemic issues that create opportunities for abuse. The study gives little attention, however, to how large providers must balance broad compatibility, ease of deployment, and security, especially across millions of legacy domains.

SPF Adoption Is Growing, But So Are Security Gaps

The study reveals significant progress in SPF adoption over the past decade. In 2014, only 37% of Alexa’s top 1 million domains had SPF records. By 2023, that figure had risen to 60.2% among Tranco’s top 1 million domains, and 56.5% across the full 12 million studied.

However, adoption alone doesn’t equate to security. The researchers found that 2.9% of SPF records are misconfigured, ranging from syntax errors to ineffective rules that trigger validation failures. These seemingly small issues can render SPF checks meaningless and allow malicious actors to bypass authentication.

Lax Policies Undermine the Value of SPF

One of the study’s most concerning findings is the widespread use of extremely permissive SPF configurations. More than a third of the domains examined (34.7%) authorise over 100,000 IP addresses to send mail on their behalf.

This level of leniency dramatically increases the risk of email spoofing. The root of the issue often lies in the liberal use of the include mechanism, which incorporates sender IP ranges from external SPF records. While this is useful for integrating third-party services, it can also delegate trust far too broadly.

Who’s Being Included? Outlook, Google, GoDaddy, and Others

The report highlights the role of major providers in enabling these expansive configurations. Their SPF records are frequently included by customers, resulting in the indirect authorisation of hundreds of thousands of IP addresses:

  • spf.protection.outlook.com (Microsoft): included by 2.45 million domains; authorises 491,520 IPs
  • _spf.google.com (Google): included by 1.42 million domains; authorises 328,960 IPs
  • websitewelcome.com (Hostgator resellers, white labels and dedicated servers): included by 414,695 domains; authorises 1,088,784 IPs
  • secureserver.net (GoDaddy): included by 374,986 domains; authorises 505,104 IPs
  • sendgrid.net: included by 215,497 domains; authorises 220,672 IPs

Those are the numbers as recorded at the time the report was published. Emailexpert checked whether there had been any significant improvement since publication, but found none.

While these large IP ranges may be necessary for providers with distributed infrastructure, blanket inclusion can lack the granularity or review required for secure operation, particularly on low-traffic or legacy domains.
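To make the include expansion concrete, here is an added example (not code from the study or from Emailexpert) that walks an SPF record's include: chain offline against a constructed set of records, sums the IPv4 addresses it authorises, and flags the kinds of defects the study counts: include loops, the RFC 7208 ten-lookup limit, unparsable terms and a bare +all. The domains and records in FAKE_DNS are hypothetical, and only ip4: terms are counted (a, mx, ptr and exists would need live DNS).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# All domains and records here are hypothetical, not taken from the study.
FAKE_DNS: Dict[str, str] = {
    "example.test": "v=spf1 ip4:203.0.113.10 include:_spf.bulkmailer.test include:_spf.hoster.test -all",
    "_spf.bulkmailer.test": "v=spf1 ip4:198.51.100.0/22 ip4:192.0.2.0/24 ~all",
    "_spf.hoster.test": "v=spf1 ip4:100.64.0.0/10 include:_spf.hoster.test ~all",  # includes itself
    "openrelay.test": "v=spf1 ip4:203.0.113.0/24 +all",
}

MAX_LOOKUPS = 10         # RFC 7208 cap on DNS-querying mechanisms per evaluation
LAX_THRESHOLD = 100_000  # the study's cut-off for a "lax" record

def authorised_ipv4(domain: str, dns: Dict[str, str], seen=None, lookups=None) -> Tuple[int, List[str]]:
    """Sum the IPv4 addresses authorised by ip4: terms, following include: chains.
    Returns (address_count, warnings); warnings cover loops, lookup limit, syntax and +all."""
    seen = set() if seen is None else seen
    lookups = [0] if lookups is None else lookups  # one counter shared across the whole tree
    if domain in seen:
        return 0, [f"{domain}: include already visited (loop or duplicate)"]
    seen.add(domain)
    record = dns.get(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record (permerror when reached via include)"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, [f"{domain}: missing v=spf1 version tag"]
    total, warnings = 0, []
    for term in terms[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("ip4:"):
            try:
                total += ipaddress.ip_network(mech[4:], strict=False).num_addresses
            except ValueError:
                warnings.append(f"{domain}: unparsable term {term!r}")
        elif mech.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                warnings.append(f"{domain}: more than {MAX_LOOKUPS} DNS lookups (permerror)")
                break
            sub_total, sub_warn = authorised_ipv4(mech[8:], dns, seen, lookups)
            total += sub_total
            warnings.extend(sub_warn)
        elif mech == "all" and qual == "+":
            warnings.append(f"{domain}: '+all' authorises every host on the internet")
        elif mech.split(":")[0] in ("a", "mx", "ptr", "exists"):
            lookups[0] += 1  # counts against the limit; addresses not resolvable offline
        elif mech.split(":")[0] not in ("ip6", "all") and not mech.startswith("redirect="):
            warnings.append(f"{domain}: unknown term {term!r}")
    return total, warnings

def assess(domain: str, dns: Dict[str, str] = FAKE_DNS) -> dict:
    """Classify a domain as the study does: lax if it authorises more than 100,000 IPv4 addresses."""
    total, warnings = authorised_ipv4(domain, dns)
    return {"domain": domain, "ipv4_authorised": total, "lax": total > LAX_THRESHOLD, "warnings": warnings}
```

For example.test, a single ip4 host plus two includes expands to over four million authorised addresses, which is exactly how a modest-looking record crosses the study's 100,000 threshold.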

Real-World Consequences: Spoofing for €30

To test the practical impact of these misconfigurations, the researchers rented low-cost shared hosting accounts. Using these servers, they successfully sent spoofed emails from 26,095 domains, many of which belonged to political parties, lobby groups, financial institutions, and healthcare organisations.

This exploit was possible solely because the hosting provider’s IP address had been implicitly authorised by the target domain’s permissive SPF record. In essence, SPF was technically in place, but its broad scope meant it failed to deliver the intended protections.

A Path Forward: Stricter Policies and Operator Education

The study emphasises a need for balance between usability and security. Many operators adopt relaxed policies to avoid mail delivery issues or to simplify configuration across multiple senders. But the evidence shows these trade-offs often go too far.

The researchers didn’t stop at observation; they launched a notification campaign targeting more than 111,000 affected domains. Within two weeks, 6,931 SPF errors had been corrected, demonstrating that many issues stem from oversight, not malicious intent.

Their recommendations are clear:

  • Domain owners should scrutinise includes and avoid authorising unnecessarily broad IP ranges.
  • Providers should apply stricter outbound policies and help users configure SPF more securely.
  • The industry must treat SPF not as a checkbox but as a configurable control with real security implications.

Final Thoughts

The battle against email spoofing depends on robust, properly implemented sender authentication. As this research shows, misconfigured SPF records—especially those that delegate trust too broadly—create opportunities for abuse that threat actors are quick to exploit.

The “lazy gatekeeper” is not a metaphor; it is a measurable risk factor. For SPF to fulfil its potential, domain owners, service providers, and hosting companies must be more deliberate and security-conscious in how they configure and maintain their records. The “lazy gatekeeper,” as framed by the study’s authors, reflects quantifiable configuration trends, not necessarily a comment on individual operators’ diligence.
