The critical role played by email has led to a range of extension protocols
(e.g., SPF, DKIM, DMARC) designed to protect against the spoofing of email
sender domains. These protocols are complex as is, but are further complicated
by automated email forwarding -- used by individual users to manage multiple
accounts and by mailing lists to redistribute messages. In this paper, we
explore how such email forwarding and its implementations can break the
implicit assumptions in widely deployed anti-spoofing protocols. Using
large-scale empirical measurements of 20 email forwarding services (16 leading
email providers and four popular mailing list services), we identify a range of
security issues rooted in forwarding behavior and show how they can be combined
to reliably evade existing anti-spoofing controls. We show how this allows
attackers to not only deliver spoofed email messages to prominent email
providers (e.g., Gmail, Microsoft Outlook, and Zoho), but also reliably spoof
email on behalf of tens of thousands of popular domains including sensitive
domains used by organizations in government (e.g., state.gov), finance (e.g.,
transunion.com), law (e.g., perkinscoie.com) and news (e.g.,
washingtonpost.com) among others