"People should be able to trust e-mail from their local authority"

The Registrar Scorecard

Launched in 2015, the Registrar Scorecard is an incentive scheme, through which we reward registrars for contributing to the quality of the .nl zone. The scheme's purpose is to encourage registrars to make improvements in four key areas: active use, IPv6, security and contact data validity. With hundreds of participating registrars, the Scorecard is proving to be a great success. As well as financial incentives (worth € 1.3 million in 2017), participating registrars are given bespoke reports packed with data about their portfolios. This year, we are broadening the scheme with a view to boosting the adoption of the StartTLS, SPF, DKIM and DMARC e-mail standards.

Vulnerable system

Spam and phishing account for a very large proportion of all e-mail traffic. Most estimates put the figure at about 90 per cent of messages sent. Unfortunately, the e-mail system is easy to abuse. "E-mail is based on old protocols that are easy to hack," explains SIDN's Technical Advisor Marco Davids. "If you know a bit about computers, it doesn't take long to work out how to send mail using someone else's address."

Four standards

Each of the four promoted standards protects a particular vulnerability in the e-mail system. It isn't therefore enough to use one of the standards on its own: effective protection against abuse depends on all four standards being used together.

StartTLS

StartTLS is a protocol for encrypting traffic between mail servers. That's equivalent to making traditional letters tamper-proof on their way between sorting offices. With StartTLS, crooks find it much harder to intercept e-mail messages, alter them or inject malware.

SPF

SPF (Sender Policy Framework) is a system that allows a list of trusted IP addresses to be added to the DNS. So receiving systems know which mail servers are authorised to send mail for the domain in question. Mail from non-listed IP addresses can then be rejected or sent to the recipient's spam folder. The use of SPF greatly reduces the amount of spam and phishing mail getting delivered. 

DKIM

With DomainKeys Identified Mail (DKIM), a unique digital signature is added to various parts of an e-mail. The recipient can then check the signature using a public key. If the signature is valid, the recipient knows that the e-mail really comes from the named sender and hasn't been modified in transit. Large-scale mail service providers such as Google and Microsoft assign lower trust scores to domains that don't use DKIM. If a domain has a poor reputation, it's liable to get added to a spam list.

DMARC

When DKIM and SPF are used, receiving servers can decide whether to deliver individual messages. However, the sender has no influence over the decision-making. That's where DMARC comes in: it allows a sender to publish a policy with a view to preventing abuse of their domain name. For example, the sender might advise receiving servers to reject e-mails without valid DKIM signatures, or to deliver them as spam. DMARC is therefore very useful for domain names that aren't used for e-mail, e.g. parked domain names. The administrator of such a domain name can indicate that all mail should be rejected, for instance. DMARC also requires that the sender named on an e-mail's 'envelope' is the same as the sender named in the e-mail itself. Comparing e-mail to traditional post again, DMARC involves a procedure for checking that the 'From' details on the outside of a letter match those at the top of the letter itself. That helps to reduce spoofing and makes phishing harder.

Municipality of The Hague

All four standards are on the use-or-explain list published by the Forum for Standardisation and backed by the Dutch government. As a result, all public-sector organisations have to use them unless they have strong reasons for not doing so. The Municipality of The Hague recently rolled out the four recommended standards. The municipality's Security Architect Peter van Eijk said, "We're not doing this simply to fulfil our 'use-or-explain' obligations. Our main aim is to be a trustworthy municipality, because people should be able to trust e-mail from their local authority."

Policy formulation is the challenge

Technically speaking, rollout of the standards has been relatively straightforward. "It's a simple box-ticking procedure," continues Peter van Eijk. However, while implementing a DMARC policy is easy, deciding what policy to implement can be time-consuming. Because every option has implications. "Our ultimate aim is to filter out untrustworthy domains, while also ensuring that legitimate mail isn't wrongly rejected, to the detriment of the local community."

Personalised dashboards

The Hague is currently working on a DMARC policy, for which the municipality is making grateful use of DMARC's reporting function. "Using the reported data and a dashboard developed in house, we are able to generate queries in order to map the impact of various policy lines," says Peter van Eijk. "Ultimately, we need to make appropriate arrangements with everyone that sends e-mail for the municipality so that we can label them as trusted senders, for example. The DMARC reports provide a clear picture of the number of service providers involved, and who they are. It turns out that there are quite a few! Tracking down the right person to speak to is perhaps the hardest part of it."

Ambassador

The Municipality of The Hague has recently become a real ambassador for DMARC and the other standards. So, for example, a delegation from the National Cyber Security Centre dropped by to learn more about the DMARC dashboard that the municipality has developed. The Hague is happy for others to use the software and will be sharing its knowledge with other municipalities.