This draft guide includes recommendations for the deployment of domain-based authentication protocols for email as well as end-to-end cryptographic protection for email contents. Technologies recommended in support of the core Simple Mail Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for authenticating a sending domain: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). Email content security is provided through encryption and authentication of message content using S/MIME and/or Transport Layer Security (TLS) with SMTP.
Following a description of the general email infrastructure and a threat analysis, these guidelines cluster into techniques for authenticating a sending domain, techniques for assuring email transmission security, and techniques for assuring email content security. The bulk of the security enhancements to email rely on records and keys published in the Domain Name System (DNS) by one party and retrieved from there by the other party. Increased reliance on the DNS is acceptable because of the security enhancements made to the DNS itself, in particular the development and widespread deployment of the DNS Security Extensions (DNSSEC), which provide authentication and integrity protection of DNS data.
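As an added illustration of the DNS-published checks described above (this code is not part of the guide), the following Python evaluates an SPF record for a sending IP and then applies a DMARC policy with identifier alignment, using an in-memory stand-in for DNS; the domain names and TXT records are constructed, and DKIM signature verification is assumed to have been done elsewhere.

```python
import ipaddress
# Constructed sample TXT records for hypothetical domains (assumption: not real DNS data);
# a production checker would query a DNSSEC-validating resolver instead.
DNS_TXT = {
    "example.org": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all"],
    "_spf.mail-provider.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc@example.org"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip, depth=0):
    """SPF subset (ip4/ip6/include/all): does domain authorize sender_ip?"""
    if depth > 10:                       # cap include recursion (RFC 7208 lookup limit)
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    recs = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if len(recs) != 1:                   # zero or duplicate records: no usable policy
        return "none"
    for term in recs[0].split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        mech, _, arg = term.partition(":")
        if mech == "all":
            return RESULT[qual]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULT[qual]
        if mech == "include" and spf_check(arg, sender_ip, depth + 1) == "pass":
            return RESULT[qual]
    return "neutral"                     # nothing matched and no 'all' mechanism

def parse_dmarc(domain):
    recs = [r for r in DNS_TXT.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if not recs:
        return None
    return dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)

def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs equality; relaxed needs the same organizational domain (simplified to last two labels)."""
    if mode == "s":
        return from_domain == auth_domain
    return from_domain.split(".")[-2:] == auth_domain.split(".")[-2:]

def dmarc_evaluate(from_domain, mail_from_domain, sender_ip, dkim_domain=None):
    """Apply the From-domain DMARC policy; dkim_domain is the d= of an already-verified DKIM signature (assumed)."""
    pol = parse_dmarc(from_domain)
    if pol is None:
        return "none"
    spf_ok = (spf_check(mail_from_domain, sender_ip) == "pass"
              and aligned(from_domain, mail_from_domain, pol.get("aspf", "r")))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, pol.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else pol.get("p", "none")
```

The returned value is the disposition a receiver would apply: "pass" when an aligned SPF or DKIM identifier authenticates, otherwise the domain's published p= policy.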
This revision was produced to include a new appendix with a FISMA overlay. This overlay is for administrators of email systems that fall under FISMA and includes references to relevant guidance on specific FISMA controls and how they apply to various email system components.