Today the U.S. National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology released a “draft practice guide” exploring those exact questions. Titled “Domain Name Systems-Based Electronic Mail Security (NIST Special Publication 1800-6)”, the document offers guidance to enterprises and others on “how commercially available technologies can meet an organization’s needs to improve email security and defend against email-based attacks such as phishing and man-in-the-middle types of attacks.” Specifically, it gets into how DNSSEC and DANE can be used to authenticate server addresses and the Transport Layer Security (TLS) certificates used for confidentiality.
As NIST states on their web page, the goal of the project around this publication is to:
- Encrypt emails between mail servers
- Allow individual email users to digitally sign and/or encrypt email messages
- Allow email users to identify valid email senders as well as send digitally signed messages and validate signatures of received messages
You can download the guide or sections of it from that web page.
NIST is seeking public comments on this new guide from today through December 19, 2016.
It’s great to see NIST publishing this document and we hope everyone reading this post will take a look and spread the word.
And if you are interested in getting started with DNSSEC and DANE, please visit our Start Here page to find resources to help.