How can we make email more secure and trusted? How can we encrypt all email between mail servers? And how can we use DANE and DNSSEC to provide that added layer of security?
Today the U.S. National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology released a "draft practice guide" exploring those exact questions. Titled "Domain Name Systems-Based Electronic Mail Security (NIST Special Publication 1800-6)", the document offers guidance to enterprises and others on "how commercially available technologies can meet an organization's needs to improve email security and defend against email-based attacks such as phishing and man-in-the-middle types of attacks." Specifically, it explains how DNSSEC and DANE can be used to authenticate mail server addresses and the Transport Layer Security (TLS) certificates used for confidentiality.
As NIST states on their web page, the goals of the project around this publication are to:
- Encrypt emails between mail servers
- Allow individual email users to digitally sign and/or encrypt email messages
- Allow email users to identify valid email senders as well as send digitally signed messages and validate signatures of received messages
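As an added illustration of the DANE mechanism the guide covers (this is not code from the NIST/NCCoE publication), the following Python sketch shows how an SMTP client matches a mail server's TLS certificate against a DNSSEC-validated TLSA record; the certificate bytes, record set and owner name are constructed placeholders.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """One TLSA record (RFC 6698): usage 3 = DANE-EE, selector 0/1 = cert/SPKI,
    matching type 0/1/2 = raw/SHA-256/SHA-512."""
    usage: int
    selector: int
    matching: int
    data: bytes

    @classmethod
    def from_wire(cls, rdata: bytes) -> "TLSA":
        # Wire format: three one-octet fields followed by the association data.
        if len(rdata) < 3:
            raise ValueError("TLSA RDATA too short")
        usage, selector, matching = struct.unpack("!BBB", rdata[:3])
        return cls(usage, selector, matching, rdata[3:])

    def to_wire(self) -> bytes:
        return struct.pack("!BBB", self.usage, self.selector, self.matching) + self.data

    def presentation(self, owner: str) -> str:
        # SMTP clients look up TLSA at _25._tcp.<MX host> (RFC 7672); owner is caller-supplied.
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.matching} {self.data.hex()}"


def association_data(selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what a TLSA record must contain for this certificate (RFC 6698 section 2.1)."""
    chosen = {0: cert_der, 1: spki_der}[selector]  # KeyError means an unusable selector
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[matching]
    return digest(chosen)


def make_tlsa(usage: int, selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> TLSA:
    return TLSA(usage, selector, matching, association_data(selector, matching, cert_der, spki_der))


def dane_ee_matches(records, cert_der: bytes, spki_der: bytes, dnssec_secure: bool) -> bool:
    """True if the server's end-entity certificate is authenticated by a DANE-EE (usage 3) record."""
    if not dnssec_secure:  # RFC 7672: an unvalidated TLSA RRset authenticates nothing
        return False
    for rec in records:
        if rec.usage != 3:  # usage 2 (DANE-TA) needs chain building; omitted here
            continue
        try:
            expected = association_data(rec.selector, rec.matching, cert_der, spki_der)
        except KeyError:  # unknown selector/matching type: skip this record, try the rest
            continue
        if hmac.compare_digest(expected, rec.data):
            return True
    return False


# Constructed placeholder bytes standing in for a DER certificate and its SubjectPublicKeyInfo.
CERT_DER = b"\x30\x82\x01\x00constructed-cert"
SPKI_DER = b"\x30\x59constructed-spki"
RECORDS = [make_tlsa(3, 1, 1, CERT_DER, SPKI_DER)]
```

Note that this only covers the certificate-matching step; in a real client the DNSSEC "secure" status must come from a validating resolver, and a mismatch means the delivery is deferred rather than sent in the clear.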