BSI: A little more e-mail security – and still room for improvement

The BSI and the industry associations are reporting the first successes of a joint campaign for more e-mail security. The providers are challenged.


Matthias Gärtner (BSI), Claudia Plattner (BSI), Prof. Norbert Pohlmann (eco), Susanne Dehmel (Bitkom)

(Image: BSI)


The German Federal Office for Information Security (BSI) and email service providers are reporting initial successes in a joint campaign for greater email security. Two BSI technical guidelines in particular are intended to ensure better security without end users having to do anything themselves.

Even more than 40 years after the first email was sent in Germany, email is "still the most important channel", said BSI head Claudia Plattner in Berlin on Friday. "Unfortunately, it is also the most important gateway for cyberattacks."

From phishing and fake news to sabotage campaigns, email plays a significant role, said the BSI President. Raising user awareness is important in many organizations, but it is not enough on its own. This is precisely where the BSI's campaign to increase email security comes in.

Plattner presented the interim status of this campaign on Friday together with the industry associations eco and Bitkom. Norbert Pohlmann underlined the relevance of email for eco: despite all the alternatives, from Slack to Teams to messengers, email remains the method of choice because it works globally and is not controlled by any dominant player.

However, Pohlmann sees a lot of room for improvement when it comes to security: "We have a real problem with our email infrastructure." Pohlmann, who also holds a professorship in IT security, believes that companies also have a duty to do much more.

Susanne Dehmel, Member of the Board at Bitkom, takes a similar view: "The responsibility should no longer be seen as lying solely with the recipients of the emails. Correctly implemented standards would help to significantly reduce the risks of phishing and spoofing, for example."

150 companies, mainly email providers, but also hosters, have voluntarily agreed to participate in this, said Plattner. Even without legal regulation, it is therefore possible to achieve an impact in practice.

From February 2025 onward, the BSI took stock of how far providers implement the measures recommended in its technical guidelines TR-03108 (secure email transport) and TR-03182 (email authentication).


It found that only 20 percent of companies were using DNSSEC correctly, for example, and only 11 percent were using DNS-based Authentication of Named Entities (DANE). The BSI then actively contacted the companies, and by June the figures had already improved significantly. Numerous companies also came forward on their own initiative.
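The two figures above are linked: a DANE TLSA record is only worth anything if the DNS answer carrying it was DNSSEC-validated, because an unsigned TLSA record can be replaced by whoever controls the path to the resolver. The following is an added example, not code from the article, the BSI or any provider named here, showing the core of what an SMTP client does once it holds a validated TLSA record set for a mail server: parse the zone-file form of the record and compare the server's certificate (or its SubjectPublicKeyInfo) against it as specified in RFC 6698 / RFC 7671. The certificate bytes and the hostname are constructed placeholders, not a real key or a real domain.

```python
"""DANE TLSA matching for an SMTP server certificate (RFC 6698 / RFC 7671)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the presentation form '3 1 1 <hex>' (hex may span several words)."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter value")
    data = bytes.fromhex("".join(parts[3:]))
    expected = {0: None, 1: 32, 2: 64}[mtype]
    if expected is not None and len(data) != expected:
        raise ValueError("association data length does not fit the matching type")
    return TLSARecord(usage, selector, mtype, data)


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Check one certificate against one TLSA record.

    For usage 1 and 3 the caller passes the end-entity certificate; for usage
    0 and 2 it calls this once per certificate in the presented chain, since
    those usages match a trust anchor rather than the leaf.
    """
    selected = cert_der if record.selector == 0 else spki_der
    if record.mtype == 0:
        digest = selected
    elif record.mtype == 1:
        digest = hashlib.sha256(selected).digest()
    else:
        digest = hashlib.sha512(selected).digest()
    # constant-time compare: the record data is attacker-influenced input
    return hmac.compare_digest(digest, record.data)


def dane_ee_accepts(records: Iterable[str], cert_der: bytes, spki_der: bytes,
                    dnssec_validated: bool) -> bool:
    """SMTP DANE-EE(3) decision for one server certificate.

    RFC 7672 only lets a client rely on TLSA records that came back with the
    AD bit set from a validating resolver; unsigned records are ignored here
    rather than trusted, which is exactly the gap the BSI survey measures.
    """
    if not dnssec_validated:
        return False
    for rr in records:
        rec = parse_tlsa(rr)
        if rec.usage == 3 and tlsa_matches(rec, cert_der, spki_der):
            return True
    return False


# Constructed sample: placeholder bytes standing in for a DER certificate and
# its SubjectPublicKeyInfo; no real key material is involved.
SAMPLE_CERT = b"constructed-der-certificate-bytes"
SAMPLE_SPKI = b"constructed-subject-public-key-info-bytes"

# "3 1 1" is the record type RFC 7672 recommends for SMTP: DANE-EE, SPKI, SHA-256.
SAMPLE_RECORD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()


def demo() -> dict:
    """Run the matcher over the constructed sample and return the outcomes."""
    rec = parse_tlsa(SAMPLE_RECORD)
    return {
        "parsed_usage": rec.usage,
        "match": tlsa_matches(rec, SAMPLE_CERT, SAMPLE_SPKI),
        "tampered": tlsa_matches(rec, SAMPLE_CERT, SAMPLE_SPKI + b"x"),
        "accept_signed": dane_ee_accepts([SAMPLE_RECORD], SAMPLE_CERT, SAMPLE_SPKI, True),
        "accept_unsigned": dane_ee_accepts([SAMPLE_RECORD], SAMPLE_CERT, SAMPLE_SPKI, False),
    }


if __name__ == "__main__":
    print(demo())
```

The hostname to look up in a real client is `_25._tcp.<mx-host>` and the SPKI/certificate bytes come from the TLS handshake; the lookup is deliberately left out so the example runs offline. The `dnssec_validated` flag is the practitioner's check: a provider can publish perfect TLSA records and still gain nothing if its zone is not DNSSEC-signed.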

While the BSI publicly praises the companies that have joined the initiative, it also makes use of its statutory powers: it publishes a list of email providers and how far each of them fulfils the BSI criteria. Apple's mac.com and me.com, for example, meet only five of the current seven criteria, among other things because outdated TLS versions are still accepted. The Bonn-based IT security authority rates gmail.com, outlook.com and msn.com at the same level.

Even after more than 40 years, email still cannot offer end-to-end encryption across the board. If Pohlmann has his way, this should change. For now, messengers such as Signal, Threema and Wire are commonly used for that purpose – and at the same time under political attack. It is currently unclear how Federal Minister of the Interior Alexander Dobrindt will position himself in future debates on possibly breaking encryption.

"We should first make sure that we secure ourselves, secure processes, secure companies," said Pohlmann. "We can't make our entire society more insecure on the chance that we can identify one percent of criminals." Bitkom also believes that encryption is the most important tool for secure communication, and this should not be compromised, emphasized Susanne Dehmel.

For BSI President Plattner, whose authority is largely subordinate to the Federal Ministry of the Interior, there is a clear technological view: "We must always ensure that we have secure infrastructures." End-to-end encryption is an important means of achieving this. Plattner warned of the possible consequences of artificially installed eavesdropping interfaces: Salt Typhoon had shown the risks associated with such approaches.

(mma)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.