Improving Internet Security through Empirical and Qualitative Studies of Email and DNS Ecosystem

Abstract

Email and the Domain Name System (DNS) remain foundational pillars of Internet communication, yet their security mechanisms continue to suffer from subtle design limitations, operational misconfigurations, and systemic fragility. This dissertation presents an empirical, measurement-driven exploration of the global email and DNS security landscape, identifying recurring patterns of misconfiguration, evaluating the real-world efficacy of recent protocol defenses, and proposing practical tools to enhance their resilience. First, we examine email sender authentication, focusing on the large-scale deployment and operational correctness of Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC). Drawing from over 12 months of longitudinal data encompassing 176 million domains, our study exposes widespread evaluation inconsistencies and misconfigurations that undermine authentication integrity and email deliverability. We further uncover novel attack vectors, including exploitable DNS amplification pathways within major email providers and open-source SPF validators, emphasizing the systemic risk of these seemingly mature defenses. Next, we turn to email transport security, analyzing the adoption and robustness of the SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) protocol introduced by major providers such as Google and Microsoft. Despite its reliance on the well-established web PKI ecosystem, we find that 28% of MTA-STS enabled domains exhibit configuration flaws that nullify the intended transport-layer protections, underscoring the practical challenges of achieving secure email delivery even under modern standards. Finally, we investigate DNS security through the lens of DNSSEC deployment. Leveraging over 1M diagnostic records from DNSViz, we systematically classify the most frequent DNSSEC configuration errors, explore their persistence over time, and trace their operational root causes. To address these challenges, we introduce DFixer, an automated offline repair tool that aggregates cascaded error codes into root causes and generates both high-level remediation guidance and corresponding BIND command sequences. Experimental evaluation with a purpose-built erroneous zone replicator demonstrates that DFixer can automatically repair 99.99% of observed DNSSEC errors within seconds. Together, these studies reveal the gap between the theoretical robustness of Internet security protocols and their practical deployment realities. By combining large-scale empirical measurement, vulnerability analysis, and automated remediation, this dissertation advances our understanding of Internet infrastructure security and provides actionable paths toward more reliable, verifiable, and self-healing email and DNS ecosystems.