Securing E-mail with just a few Measures

E-mail Security for .ch Domains: Finding and Closing Gaps

E-mail security is a central component of everyday digital life and affects private individuals and companies alike. The Swiss Domain Security Report Q4 2023 highlights current trends and gaps in the e-mail security of .ch domains, and shows that relatively simple measures can significantly increase security.

Swiss Domain Security Report 2023

Both Google and Yahoo have tightened their e-mail security policies and now require SPF, DKIM and DMARC records. It is time to review and update your domain security measures to protect yourself effectively against e-mail threats. Below we walk through the available mechanisms and how each one raises your e-mail security.

SPF

Sender Policy Framework


Since 2003, SPF has made it possible to publish a policy defining which mail servers are authorized to send e-mail for a given sender domain. Although many companies already have SPF records, these are often outdated. Around 30% still use a softfail (~all) instead of the stricter hardfail (-all). A few domains even publish multiple SPF records, which causes validation errors.

DKIM

Domain Keys Identified Mail

DKIM has existed since 2011 and signs e-mail headers with a public/private key pair. In simple terms, DKIM lets the receiving mail server verify that the signed headers were not manipulated in transit.

Activating DKIM in Microsoft 365 is simple: create the two DNS CNAME records per domain, after which DKIM signing can be enabled in Exchange Online.

DMARC

Domain-based Message Authentication, Reporting and Conformance


DMARC has existed since 2015 and builds on the existing technologies SPF and DKIM. It publishes a policy that tells receiving servers what to do with e-mail messages that fail SPF and DKIM checks, and it enables comprehensive reporting. For the reporting you need a DMARC reporting provider such as DMARC Advisor or Easy DMARC. This creates a feedback loop with which the SPF and DKIM records can be checked and hardened.

Since April 2023, Exchange Online has also been sending DMARC reports, which has greatly improved the insight the reports provide. Currently, only around 11% of .ch domains have a DMARC record. Around half of these are in reporting mode (p=none).
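To make the SPF and DMARC findings above concrete (exactly one SPF record, -all instead of ~all, p=none as pure reporting mode), here is an added audit script that is not part of the original article. It runs offline on constructed sample records instead of querying DNS, and the domain names are invented.

```python
"""Offline audit of a domain's SPF and DMARC TXT records (constructed sample data)."""

def audit_spf(txt_records):
    """Findings for the SPF record(s) among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:  # RFC 7208: more than one SPF record is a permanent error
        return [f"SPF: {len(spf)} records published, receivers treat this as permerror"]
    alls = [t for t in spf[0].split() if t.lower().lstrip("-~?+") == "all"]
    if not alls:
        return ["SPF: no 'all' mechanism, unlisted senders get a neutral result"]
    qualifier = alls[-1][0] if alls[-1][0] in "-~?+" else "+"  # default qualifier is +
    verdicts = {"-": "SPF: hardfail (-all)",
                "~": "SPF: softfail (~all), tighten to -all once every legitimate sender is listed"}
    return [verdicts.get(qualifier, f"SPF: '{qualifier}all' lets unlisted senders through, policy is ineffective")]

def audit_dmarc(dmarc_records):
    """Findings for the TXT record(s) at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record published"]
    if len(dmarc) > 1:
        return ["DMARC: multiple records published, receivers ignore the policy"]
    tags = {k.strip().lower(): v.strip()
            for k, v in (kv.split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)}
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings = ["DMARC: p=none, reporting only, failing mail is still delivered"]
    elif policy in ("quarantine", "reject"):
        findings = [f"DMARC: p={policy}, enforcing"]
    else:
        findings = ["DMARC: missing or invalid p= tag, record is invalid"]
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, no aggregate reports will arrive")
    return findings

# Constructed sample zones (TXT records, _dmarc records) modelled on the report's findings.
SAMPLE_ZONES = {
    "softfail.example": (["v=spf1 include:spf.protection.outlook.com ~all"],
                         ["v=DMARC1; p=none; rua=mailto:dmarc@softfail.example"]),
    "twospf.example": (["v=spf1 ip4:192.0.2.10 -all", "v=spf1 include:_spf.example.net -all"], []),
    "hardened.example": (["v=spf1 ip4:192.0.2.10 -all"],
                         ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; pct=100"]),
}

def audit_zone(name):
    txt, dmarc = SAMPLE_ZONES[name]
    return audit_spf(txt) + audit_dmarc(dmarc)
```

Running `audit_zone` over each key of `SAMPLE_ZONES` reproduces the three situations the report describes: softfail with reporting-only DMARC, a broken double SPF record without DMARC, and a fully hardened domain.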

DANE

DNS-based Authentication of Named Entities

DANE, available since 2015, publishes the hash of the mail server's certificate in a TLSA record. This allows a sending mail server to check whether the receiving mail server presents the correct TLS certificate and so prevents man-in-the-middle attacks. However, this requires the domain to be secured with DNSSEC, which is already the case for almost half of .ch domains. You should also check whether your DNS provider supports TLSA records.

MTA-STS

SMTP MTA Strict Transport Security


Since 2018, MTA-STS has allowed a domain to publish a policy that ensures e-mail is delivered to it securely over TLS 1.2. If the sending server supports MTA-STS, it delivers the message over TLS 1.2 only. The receiving server must present a publicly trusted certificate whose Subject Name or Subject Alternative Name (SAN) matches the hostname in the MX record. This is particularly useful for domains that are not yet secured with DNSSEC. Adoption of MTA-STS is currently rising.

Our customers also rely on MTA-STS. We were recently able to successfully protect the domains of SBB with MTA-STS and drew a positive conclusion after a short time.

TLSRPT

SMTP TLS Reporting

TLSRPT, also available since 2018, allows you to set up reporting of TLS problems encountered during SMTP delivery, similar to DMARC reporting. This supports the monitoring of domains protected with DANE and MTA-STS. Here, too, a TLSRPT provider that processes the report data is required.

Implementing these measures can significantly increase your e-mail security. Check your domains and bring them up to the latest security standard to arm yourself against the increasing threats in the digital space.

If you have any further questions or require assistance, we will be happy to help.

Just contact me if you have any questions.

Andres Bohren

System Architect
CAS Business Administration; EFZ Computer Science

andres.bohren@isolutions.ch