Sharp rise in use of DMARC, SPF, DKIM and DANE for mail
DNSSEC as a basis for secure mail transmission
With the cryptographic DNSSEC infrastructure firmly established, great progress is now being made in securing the transmission of e-mail traffic. DANE is increasingly well supported by e-mail software. And, here in the Netherlands, the government is proving to be a committed driver of DMARC, SPF and DKIM implementation.
Tim Draegen, co-inventor of the DMARC standard, recently received a certificate from the government in recognition of DMARC's addition to the 'use-or-explain' list. Since then, government and semi-government organisations have been obliged to implement the standards when procuring new ICT systems and services. What's more, according to the latest Joint Ambition Statement, the aim is to adopt the strictest DMARC setting ('p=quarantine' or 'p=reject') for all government domains by the end of 2019.
DANE for mail
Meanwhile, mail software developers are continuing to work on the implementation of DANE, a cryptographic technique for anchoring TLS certificates in the mail system. For example, Port25 recently announced that it had implemented DANE validation (for outgoing mail) in version 5.0 of its PowerMTA bulk-mailer. Manvendra Bhangui, lead developer of the IndiMail MTA, added DANE validation to release 2.5 of the program last spring.
The Forum for Standardisation is now investigating whether DANE validation for outgoing mail and DANE certificate pinning for incoming mail should also be added to the 'use-or-explain' list. At the start of this year, the European Commission recognised DANE for both mail and the web as an official standard for use in procurement.