Domain Name Systems-Based Electronic Mail Security

Date Published: November 2016
Comments Due: December 19, 2016 (public comment period is CLOSED)
Email Questions to: dns-email-nccoe@nist.gov

Author(s)

Scott Rose (NIST), William Barker (NIST), Santos Jha (MITRE), Chinedum Irrechukwu (MITRE), Karen Waltermire (NIST)

Announcement

NIST announces the release of draft Special Publication 1800-6, Domain Name Systems-Based Electronic Mail Security. NIST welcomes your comments and feedback (see links below for clinks to all supporting documentation for this draft).

Both public and private sector business operations are heavily reliant on email exchanges, leading to concerns about email security and the use of email as an attack vector. Organizations are motivated by the need to protect the integrity of transactions containing financial and other proprietary information, and to protect the privacy of employees and clients. Cryptographic functions are usually employed to perform services such as authentication of the source of an email message, assurance that the message has not been altered by an unauthorized party, and to ensure message confidentiality. Most organizations rely on mail servers to provide security at an enterprise level in order to provide scalability and uniformity. However, many server-based email security mechanisms are vulnerable to attacks involving faked or fraudulent digital certificates, otherwise invalid certificates, and failure to actually invoke a security process as a result of connection to (or through) a fraudulent server. Even if there are protections in place, some attacks have been able to subvert email communication by attacking the underlying support protocols such as Domain Name Systems (DNS). Attackers can spoof DNS responses to redirect email servers and alter email delivery. DNS Security Extensions (DNSSEC) was developed to prevent this. DNSSEC protects against unauthorized modifications to network management information and host IP addresses. DNSSEC can also be used to provide an alternative publication and trust infrastructure for service certificates using the DNS-based Authentication of Named Entities (DANE) resource records.

SP 1800-6 describes several demonstrated security platforms using DNS, DNSSEC, and DANE for trustworthy email exchanges across organizational boundaries. The security platforms described provide reliable authentication of mail servers, digital signature and encryption of email, and reliable binding of cryptographic key certificates to sources and servers. The example solutions and architectures presented are based upon standards-based open-source and commercially available products.

Control Families

Access Control; Incident Response; System and Communications Protection; System and Information Integrity