DNS-Based Secured Email

Download the Practice Guide

The NCCoE has released the final version of NIST Cybersecurity Practice Guide SP 1800-6, DNS-Based Secured Email. Use the buttons below to view this publication in its entirety or scroll down for links to a specific section.

Download PDF »Open Web Version »


Driven by low costs and fast delivery, private and public sector organizations continue to rely on email as the dominate method of electronic communications. Securing these transactions has been less of a priority, which is one reason why email attacks have increased.

Whether the goal is authentication of the source of an email message or assurance that the message has not been altered by or disclosed to an unauthorized party, organizations must employ some cryptographic protection mechanism. Economies of scale and a need for uniform security implementation drive most enterprises to rely on mail servers and/or Internet service providers (ISPs) to provide security to all members of an enterprise. Many current server-based email security mechanisms are vulnerable to, and have been defeated by, attacks on the integrity of the cryptographic implementations on which they depend. The consequences of these vulnerabilities frequently involve unauthorized parties being able to read or modify supposedly secure information, or introduce malware to gain access to enterprise systems or information. Protocols exist that are capable of providing needed email security and privacy, but impediments such as unavailability of easily implemented software libraries and operational issues stemming from some software applications have limited adoption of existing security and privacy protocols.

To address this cybersecurity challenge, NCCoE security engineers developed an example solution that allows an organization to improve email security and defend against email based-attacks such as phishing and man-in-the-middle types of attacks with minimal impact to email service performance. Using open source and commercially available technologies, this practice guide demonstrates a security platform that provides trustworthy email exchanges and tools that help organizations to encrypt emails between mail servers, allow individual email users to digitally sign and/or encrypt email messages, and allow email users to identify valid email senders as well as send digitally signed messages and validate signatures of received messages.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Fraunhofer IAO logo
Internet Systems Consortium logo
Microsoft logo
NLnet Labs logo
Secure64 logo