NIST SP 800-177 Revision 1: “Trustworthy Email”

The National Institute of Standards and Technology (NIST) has released its Security Publication (SP) 800-177 Revision 1, which includes security recommendations for achieving “Trustworthy Email.”

SP 800-177 Rev 1 includes updated guidelines for securing email communications, covering the SPF, DKIM and DMARC authentication protocols as well as TLS encryption.

At a high level, these protections provide better defense against email spoofing, stronger message integrity, and the enhanced encryption and authentication required to secure email systems.

An abstract of the Trustworthy Email standard document from the NIST website:

“This document gives recommendations and guidelines for enhancing trust in email. The primary audience includes enterprise email administrators, information security specialists and network managers. This guideline applies to federal IT systems and will also be useful for small or medium sized organizations. Technologies recommended in support of core Simple Mail Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for authenticating a sending domain: Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain based Message Authentication, Reporting and Conformance (DMARC). Recommendations for email transmission security include Transport Layer Security (TLS) and associated certificate authentication protocols. Recommendations for email content security include the encryption and authentication of message content using S/MIME (Secure/Multipurpose Internet Mail Extensions) and associated certificate and key distribution protocols.”

The primary audience for the new Trustworthy Email document, SP 800-177 Rev 1, includes enterprise email administrators, information security specialists and network managers.

A few of the notable recommendations from the document include SPF, DKIM and DMARC, among other email security best practices.

Sender Policy Framework (SPF)

SPF specifies which IP addresses are authorized to transmit email on behalf of a domain. NIST says that SPF should be deployed together with DNS Security Extensions (DNSSEC) on all DNS name servers to ensure source authentication and integrity protection of the DNS data.

Why use SPF? SPF is designed to address phishing and spam sent by unauthorized senders, as are the other methods described in the following sections.

Do you use any third parties, such as cloud providers, to send your email? If you do, NIST recommends that organizations make sure any email sent by those third parties will pass SPF checks.

To do this, the enterprise email administrator should include the IP addresses of the third-party email senders in the enterprise's SPF policy statement resource record (RR).

Implement DKIM

DKIM, short for DomainKeys Identified Mail, provides a method for validating the domain name identity associated with an email through cryptographic authentication, that is, by “signing” the email with a digital signature. Organizations also use DKIM to detect spoofing and prevent phishing and email spam.

NIST currently recommends the following DKIM key parameters: RSA with SHA-256 (note: not SHA-1) and a 2048-bit key, with a key lifetime of 1-2 years. The Edwards-curve Digital Signature Algorithm over Curve25519 (ed25519), with a 256-bit key length, is also supported.

As with SPF, DNSSEC should also be deployed.

Mailing list software should verify DKIM signatures on incoming mail and re-sign outgoing email with the needed DKIM signatures.

Mail sent to broadcast lists from “do not reply” or unmonitored mailboxes should also be signed with S/MIME signatures.

When using DKIM with cloud or contracted email services, organizations should generate a unique key pair for each third party or cloud service.

“No private key should be shared between contracted services or cloud instances,” NIST added.

Implement DMARC

DMARC, or Domain-based Message Authentication, Reporting and Conformance, allows the owner of a sending domain, such as your company, to specify how receivers can verify the authenticity of the organization's email, and how the receiver should handle email that fails to verify.

In essence, DMARC adds a link between the sender's domain and the authentication results for SPF and DKIM.

According to the SP 800-177 Rev 1 guidelines, sending domain owners who deploy SPF and/or DKIM should publish a DMARC record that signals to mail receivers the disposition expected for messages purporting to originate from the sender's domain.

NIST also recommends that mail receivers dispose of received messages according to the sending domain's published DMARC policy, and that they initiate failure reports according to the sending domain's DMARC policy as well.
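The SPF authorization check and the DMARC disposition logic described above (the SPF section and the DMARC section of this article), worked through as an added Python example; this is illustrative code, not from NIST or SP 800-177. The DNS TXT records and the domain names example.com and spf.cloudmail.example are constructed for the example, and the relaxed-alignment check is simplified to a domain-suffix comparison rather than a Public Suffix List lookup.

```python
import ipaddress

# Constructed DNS TXT data for a hypothetical domain (assumption; not from NIST or the article).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:spf.cloudmail.example -all",
    "spf.cloudmail.example": "v=spf1 ip4:198.51.100.10 -all",   # third-party sender's record
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
}

def spf_result(domain, ip, zone=ZONE, depth=0):
    """Evaluate a minimal SPF record: ip4/ip6 mechanisms, include, and the all default."""
    rec = zone.get(domain, "")
    if not rec.startswith("v=spf1") or depth > 10:   # RFC 7208 caps DNS lookups at 10
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        if term in ("-all", "~all", "?all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}[term[0]]
        kind, _, val = term.partition(":")
        if kind in ("ip4", "ip6") and addr in ipaddress.ip_network(val, strict=False):
            return "pass"
        if kind == "include" and spf_result(val, ip, zone, depth + 1) == "pass":
            return "pass"
    return "neutral"

def parse_dmarc(domain, zone=ZONE):
    """Return the DMARC tags for domain (adkim/aspf default to relaxed), or None if absent."""
    rec = zone.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return None
    return {"adkim": "r", "aspf": "r", **tags}

def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts a parent/child domain
    (simplified: a real implementation derives the organizational domain via the Public Suffix List)."""
    if mode == "s":
        return from_domain == auth_domain
    return (from_domain == auth_domain or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))

def dmarc_disposition(from_domain, spf_res, spf_domain, dkim_res, dkim_domain, zone=ZONE):
    """Link the From domain to the SPF and DKIM results, as DMARC does, and return the
    disposition the sending domain's published policy asks the receiver to apply."""
    policy = parse_dmarc(from_domain, zone)
    if policy is None:
        return "none"   # no DMARC record published: receiver falls back to local policy
    spf_ok = spf_res == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_res == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")
```

Note that an SPF pass from the third party's own domain (spf.cloudmail.example) does not count for DMARC unless the authenticated domain aligns with the From domain, which is why NIST's advice to list third-party sender addresses in the enterprise's own SPF record matters.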

SP 800-177 Rev 1 also includes much more guidance for email administrators, such as how to guard against email threats, protect email confidentiality, reduce spam and secure end-user email, to name a few topics.