DANE for e-mail: what is it and why do you need it?
The threat from mail abuse is often underestimated
When they come across domain names resembling their brands, brand owners often decide not to act in cases where the domain name doesn't seem to be in use. In other words, where there's no website linked to the name. What people tend to overlook is that, even though a domain name has no website, scammers may be using it for sending spam or for CEO fraud. Recently, however, several major incidents have highlighted the problem of mail fraud and the importance of securing business mail.
One of the internet standards to benefit from the upturn in interest is DANE (RFC 7671). Although the standard has been around for a while, there was exponential growth in DANE use in the Netherlands during 2019. Short for DNS-based Authentication of Named Entities, DANE is a protocol for secure publication of public keys and certificates. The standard utilises the cryptographically secured DNS infrastructure provided by DNSSEC. When used with other standards, DANE for mail prevents mail falsification by verifying the sender's details.
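To make "publication of public keys and certificates" concrete, the added example below (not code from this article or from SIDN) derives the TLSA record a mail server operator would publish in a DNSSEC-signed zone and checks a presented certificate against it. The owner name, key bytes and certificate skeleton are constructed placeholders, and records are assumed to be a single line of the form `owner IN TLSA usage selector mtype hex`.

```python
import hashlib

MATCHING = {0: None, 1: "sha256", 2: "sha512"}   # TLSA matching types

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo, header included, from an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    tag, _, nxt = read_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = nxt
    for _ in range(5):                     # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa_data(cert_der, selector, mtype):
    """Certificate association data: selector 0 = full cert, 1 = public key (SPKI)."""
    if selector not in (0, 1) or mtype not in MATCHING:
        raise ValueError("unsupported selector or matching type")
    blob = cert_der if selector == 0 else extract_spki(cert_der)
    return blob if mtype == 0 else hashlib.new(MATCHING[mtype], blob).digest()

def tlsa_record(owner, cert_der, usage=3, selector=1, mtype=1):   # 3 1 1: DANE-EE, SPKI, SHA-256
    return f"{owner} IN TLSA {usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype).hex()}"

def tlsa_matches(record, cert_der):
    """True if the certificate a server presented matches the published TLSA line."""
    *_, selector, mtype, hexdata = record.split()
    return bytes.fromhex(hexdata) == tlsa_data(cert_der, int(selector), int(mtype))

def _tlv(tag, body=b""):                   # short-form DER encoder, used for the sample only
    return bytes([tag, len(body)]) + body

def sample_cert(key, serial):
    """Constructed, unsigned certificate skeleton: real layout, placeholder contents."""
    spki = _tlv(0x30, _tlv(0x30) + _tlv(0x03, b"\x00" + key))
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, bytes([serial])) + _tlv(0x30) * 4 + spki)
    return _tlv(0x30, tbs + _tlv(0x30) + _tlv(0x03, b"\x00"))
```

A record with selector 1 keeps matching when the certificate is renewed with the same key, whereas a selector 0 record must be republished at every renewal.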
Many users, including experienced CISOs, struggle to secure e-mail, because it depends on implementing various mutually complementary standards. As well as DANE, you need to be using SPF and DKIM for the set-up to work. Furthermore, DANE's rapid adoption in the Netherlands has been possible only because the open security standard DNSSEC is in such widespread use here. Nevertheless, getting to grips with e-mail security is worthwhile for CISOs, because mail fraud can cost victims millions.
Want to know more?
You'll find an extensive set of FAQs about DANE on sidn.nl. And last year we did a webinar about e-mail security and DANE, which is still available to watch. Finally, SIDN Labs often publishes articles about open standards such as DANE. Visit https://www.sidnlabs.nl/ to see what's available.