We are conducting a study to understand how well and secure email systems are configured. For that, we need to receive emails from as many different mail providers around the world as possible.
This is where you can help! Just send us an email to our measurement addresses via the instructions below! We are especially looking for smaller providers, not Gmail, Office365, or hotmail. In case you have access to multiple email providers, please send a message from each of them! If you want further information on what we do with the data, and how long we store what, please click here.
Send Email to Helpmeasurement@v4-mail.measurement.email-security-scans.org,
measurement@v6-mail.measurement.email-security-scans.org,
measurement@v6-mail.v6only.measurement.email-security-scans.org,
measurement@v4-mail.v6only.measurement.email-security-scans.org,
measurement@v6-mail.dnssec-broken.measurement.email-security-scans.org,
measurement@v4-mail.dnssec-broken.measurement.email-security-scans.org,
measurement@v4-mail-greylisting.measurement.email-security-scans.org,
measurement@v6-mail-greylisting.measurement.email-security-scans.org,
measurement@mail-tls-force.measurement.email-security-scans.org,
measurement@mail-tls-invalid.measurement.email-security-scans.org,
measurement@mail-tlsa-invalid.measurement.email-security-scans.org
Existing studies on the maturity of email setups typically neglect the majority of mail setups out there. In fact, these studies tend to focus on providers located in countries that have concentrated power in deploying digital technologies and services, using, for example, Gmail, as measurement vantage points. This in turn has implications when major email providers start to use these results to justify enforcing certain security properties, thereby possibly excluding access by the diverse community of smaller operators. To counterbalance this situation, we need to understand how the global picture of email server configuration maturity looks, if there are differences between different actors, based on size, region, or other parameters, and--if so--why these differences exist, and how we can encourage more secure and standard compliant configuration across the whole ecosystem. Besides the obvious importance of widespread secure configuration, this centralized perspecitve risks email becoming another example of an open protocol effectively ending up becoming a walled-garden controlled by only a few major actors under the pretense of improving security. Hence, in this project, we want to investigate how well operators configure their email setups globally. This includes the use of TLS, DNSSEC, spam mitigation techniques, and the basics of proper email system setups.
For this purpose, we have to receive emails to our measurement addresses from a large and globally diverse set of email providers. We temporarily collect the email addresses that send emails to our servers and analyze the operational setup of the sending host and sender domain, i.e., the email infrastructure of your provider. This also includes a check on whether the server your provider sends from relays mail for everyone on the internet, i.e., acts as an open relay.
You may get notifications on mails not being delivered to us from your mail operator. We do not need a copy of these messages, and you can just delete them. If you want help in interpreting these notifications, please feel free to contact us. If your web interface prevents you from sending messages to individual destinations altogether, please feel free to remove those addresses from the message.
As soon as the measurements are complete, i.e., we collected emails from enough email setups, prior to analysis, we will remove the local part of the sending address. Note that, in case you use a personal domain, or one with only a handful of users, the domain itself identifies you. This means that you will remain personally identifiable in that case. If you have concerns about this, we ask you not to participate in this study. After the analysis, we will also anonymize all email setups and sender domains, e.g., 'Gmail' would become 'Large End-User Email Provider'. We will not share your personal email addresses with others, or name specific operators/domains in our publication of results. To understand the why behind configuration choices, and learn how to aid operators in improving the configuration of their email setups, we will conduct an independent interview study of operators. Recruitment will be independent from the data we collect in this study. The results of our study will be openly available to the Internet community. Note that you may receive notifications from your provider that some of the measurement emails cannot be delivered.
Any requests to delete your data i.e., mail address before the anonymization can be sent to t.fiebig@tudelft.nl and will be handled ASAP.
Contact UsIf you have any questions, send us an email and we will get back to you as soon as possible! The project is conducted by Olamide Omolola. The responsible principal investigator for the project is: