Enhancing Email Security: A Collective Responsibility
Claudia Plattner, President of the BSI, calls for collective action in enhancing email security amidst growing cyber threats. As outdated email systems continue to expose vulnerabilities, the tools to strengthen our digital communications are already within reach – it's time to put them to use.
As the digital world continues to evolve, email remains a cornerstone of both personal and professional communication. With an estimated 360 billion emails sent each day globally, it’s clear that email is here to stay. However, this widespread reliance on email comes with significant risks. Cybercriminals have turned email into one of the most vulnerable entry points for their attacks, including phishing, spoofing, and ransomware. In Germany alone, Bitkom reported that cybercrime cost us 206 billion euros last year, with email playing a pivotal role in many of these incidents.
This raises the question: why is email so vulnerable to attack? The simple answer lies in the fact that the core architecture of email was developed over 40 years ago, in the 1980s. At the time, cybersecurity wasn’t a priority, and email protocols weren’t designed to handle the sophisticated threats we face today. The challenge now is to retrofit this old technology with modern security solutions. The good news is that the tools we need already exist – we just need to make sure they are widely adopted and implemented effectively.
Everyone’s problem
When I think about email security, the first thing that comes to mind is just how pervasive email is. It is often the go-to medium for personal exchange or high-stakes corporate transactions. Its very ubiquity makes it a prime target for cybercriminals. A staggering 84% of phishing attacks are designed to steal login credentials, and two-thirds of spam emails are linked to cyberattacks. These statistics are not just alarming – they represent a direct threat to both individuals and businesses worldwide.
The reality is that email was never built with security in mind. Yet today, it remains one of the main gateways for malicious actors. It’s clear that email security can no longer be an afterthought. We need to move away from the mindset that securing emails is just the individual user’s responsibility. With millions of email users globally, it’s simply not realistic to expect each person to protect themselves against the myriad of cyber threats lurking in their inbox. The real responsibility lies with the organizations and service providers managing the infrastructure behind email.
Protecting the core: Email servers and authentication
One of the most effective ways to secure email communication is to focus on protecting the servers themselves. If we secure the infrastructure, we can prevent many of the common attack vectors from ever reaching the average user. One critical method for doing this is sender authentication, starting with the Sender Policy Framework (SPF), in which domain owners publish a DNS record listing the servers authorized to send email on their behalf. This simple protocol lets a recipient check whether a message claiming to come from a domain was actually sent by one of that domain’s authorized servers rather than from a malicious source.
Sender authentication is most effective when SPF is combined with DKIM and DMARC. DomainKeys Identified Mail (DKIM) allows email servers to sign outgoing messages with a private key whose public counterpart is published in DNS, so that the receiving server can verify the signature. This ensures that the signed parts of the message have not been altered in transit and that it was sent with the authorization of the signing domain. When combined with Domain-based Message Authentication, Reporting & Conformance (DMARC), the recipient’s server is given clear instructions on how to handle messages that fail authentication or whose authenticated domain does not match the visible sender address. These protocols are not new, but they need to be adopted more widely if we are to significantly improve the security of email communications.
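To make the interplay of the three protocols concrete, here is an added example (not code from the BSI, the guidelines, or this article) that evaluates a minimal SPF record and a DMARC policy for a message. It assumes constructed DNS TXT records for the placeholder domain example.org, a simplified organizational-domain rule, and that DKIM signature verification has already been done by the receiving server and its result is passed in.

```python
import ipaddress

# Constructed DNS TXT records for the placeholder domain example.org (in-memory, no real DNS).
DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; adkim=s; aspf=r",
}

def org_domain(name):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(name.lower().split(".")[-2:])

def spf_check(domain, sender_ip):
    """Minimal SPF: ip4:<cidr> mechanisms plus 'all'; only '+' counts as pass."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "all" or (mech.startswith("ip4:")
                             and ip in ipaddress.ip_network(mech[4:], strict=False)):
            return "pass" if qual == "+" else "fail"
    return "neutral"  # no mechanism matched

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_policy(from_domain):
    """Return the DMARC tags for the From domain (or its organizational domain)."""
    for name in (from_domain, org_domain(from_domain)):
        record = DNS_TXT.get("_dmarc." + name, "")
        if record.startswith("v=DMARC1"):
            return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return None

def dmarc_disposition(from_domain, mail_from_domain, sender_ip, dkim_domain, dkim_result):
    """'deliver' if SPF or DKIM passes *and* aligns with the From header domain,
    else the p= action the domain owner published (dkim_result supplied by the MTA)."""
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "deliver"  # no DMARC record: nothing to enforce
    spf_ok = (spf_check(mail_from_domain, sender_ip) == "pass"
              and aligned(from_domain, mail_from_domain, policy.get("aspf", "r")))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    return "deliver" if spf_ok or dkim_ok else policy.get("p", "none")
```

The key point the code makes visible: a valid DKIM signature or an SPF pass from some unrelated domain does not help an attacker, because DMARC additionally requires the authenticated domain to align with the address the user sees.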
Another essential technology is DNS-based Authentication of Named Entities (DANE), which lets a domain publish, protected by DNSSEC, the TLS certificate information for its mail servers, so that a sending server can verify it is talking to the genuine receiving server over an encrypted connection and refuse to fall back to plaintext. This prevents attackers from intercepting or altering the content of an email as it moves from one server to another – a crucial defense against “Man-in-the-Middle” attacks.
We have issued Technical Guidelines for Secure Email Transport (BSI TR-03108) and Email Authentication (BSI TR-03182). Both describe measures that enable email service providers to raise their level of security – without any additional effort for the users. As my colleague Kristina Pohl wrote in dotmagazine earlier this year, these guidelines serve as orientation for email service providers, ensuring that the measures they take are fully effective and do not introduce incompatibilities.
Collaboration is key
Securing email servers and adopting these technical solutions can go a long way toward reducing cyber threats, but no organization can achieve this alone. I firmly believe that collective action is our best defense. Many large email providers have already implemented these security protocols, but we need more widespread participation from businesses of all sizes.
At the BSI, we’ve been working closely with the eco Association, which represents key players in the Internet industry. Together, we aim to provide guidance and technical support to businesses, especially those that lack the technical resources or personnel to implement these protocols on their own. By sharing knowledge and resources through the Initiative for Secure Emails, we can raise the overall level of email security across the board.
End-to-end encryption: An ambitious but necessary goal
One of the questions I often get asked is about the potential of end-to-end encryption. While it’s true that this technology offers one of the most robust ways to secure email content, it’s not a silver bullet. Before we can think about encrypting every single email, we need to ensure that users can trust where their emails are coming from and the routes those emails take. In other words, we need to secure the pathways before we can secure the content. Once we’ve addressed these foundational issues, broader encryption solutions can be explored in earnest.
That said, I see Secure/Multipurpose Internet Mail Extensions (S/MIME) as a key step in the right direction. By signing emails with certificates, we provide a layer of trust between the sender and recipient, particularly in high-stakes environments like government agencies or corporate communications. As we build out these capabilities, I’m optimistic that end-to-end encryption will eventually become more commonplace.
Germany’s role in global email security
Germany has made significant strides in adopting email security protocols, but we still have a long way to go compared to other countries. For example, we need to improve our implementation of Domain Name System Security Extensions (DNSSEC) to match international standards. If we’re serious about improving our overall cybersecurity resilience, we must catch up.
This is why cooperation with industry associations like the eco Association is so important. They play a critical role in advancing secure email standards across Germany and beyond, and I’m optimistic that through our joint efforts, we can significantly reduce email-based threats like phishing and spoofing. The ultimate goal is to ensure that email communications originating from Germany are secure, setting a new standard for email security globally.
Looking beyond email: A broader cybersecurity vision
Email security is just one part of the broader cybersecurity challenge we face. As our reliance on digital communication and infrastructure grows, so too does the complexity of protecting it. It’s not enough to focus on one vector of attack. Cybersecurity must be approached as a national responsibility that involves every stakeholder, from policymakers to private citizens.
At the BSI, we’re committed to promoting secure email communication as part of a larger effort to protect Germany’s digital future. But the success of this effort depends on collaboration between government, businesses, and tech providers. Together, we can safeguard not just our email systems, but also the critical infrastructure and sensitive data that underpin modern society.
We need a collective effort
The protocols and technologies needed to secure email communication already exist. Now, it’s up to us to adopt them and make email security a priority. This will require a collective effort from businesses, government agencies, and email providers. If we work together, I’m confident that we can significantly reduce the risks posed by phishing, spoofing, and other email-based attacks.
I believe we can make real progress in improving email security across Germany. But we cannot afford to wait. The time to act is now. Email security is a shared responsibility, and together, we can make our digital world safer for everyone.
Claudia Plattner has been the President of the German Federal Office for Information Security (BSI) since 1 July 2023. She has more than 20 years of experience in IT functions for companies and institutions. Most recently, she served as the Director General for Information Systems at the European Central Bank and previously held a senior position as Chief Information Officer (CIO) of DB Systel GmbH, the internal IT service provider of Deutsche Bahn. Claudia Plattner holds a degree in mathematics (TU Darmstadt) and a master’s degree in applied mathematics from Tulane University (USA).
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s or interview partner’s own and do not necessarily reflect the view of the publisher, eco – Association of the Internet Industry.