Your Domain Security Score

Authentication: A correctly configured SPF record allows email recipients to verify the authenticity of an email and reduce the likelihood of spoofing or phishing.

Deliverability: An optimised SPF record increases the likelihood that emails will be successfully delivered as they are less likely to be classified as spam or fraudulent.

Reputation protection: A well-configured SPF record protects the domain from misuse by attackers and preserves the reputation of the domain as a trustworthy sender.

Trustworthiness: The correct configuration of an SPF record increases trust in email communication. If the SPF check is successful, recipients know that the email was actually sent from an authorised server and that the sender address is not forged.

Email filtering: A well-configured SPF record can help to ensure that emails are filtered more effectively. Email servers can perform SPF checks and mark emails from domains without a valid SPF record as suspicious or block them. This significantly reduces cyber risks for your organisation, but also for your customers and business partners.

An SPF record (Sender Policy Framework) is a DNS entry that is used to check the authenticity of the sender address of an e-mail. of an email. It enables email recipients to determine whether a received email was sent from an authorised authorised server or whether it could be a potentially forged or fraudulent message. message.

The SPF record works by defining a list of IP addresses or IP address ranges from which emails can be sent on behalf of a particular domain. may be sent on behalf of a specific domain. The receiving email server can then check the SPF record of the domain from which the email claims to originate and determine whether the sending server is on the list of authorised servers. list of authorised servers. If the SPF check is successful, this increases the probability that the email actually comes from a trustworthy source. If the SPF check fails or there is no SPF record, there is an increased risk that the email has been forged or sent from an unauthorised server. unauthorised server.

SPF is a component of numerous compliance requirements in regulations and guidelines:

• DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC is an email authentication guideline that includes SPF as one of the supported technologies.
• BSI (German Federal Office for Information Security): The BSI recommends implementing SPF to improve email security.
• HIPAA (Health Insurance Portability and Accountability Act): HIPAA requires measures to ensure the confidentiality, integrity and availability of electronically transmitted health information, including secure email communications, which SPF can utilise.
• PCI DSS (Payment Card Industry Data Security Standard): The PCI DSS standard requires the implementation of security measures to protect payment information. SPF can help to reduce phishing attacks on email communications.

The implementation of SPF is required or recommended by various bodies and authorities:

• Internet Engineering Task Force (IETF): The IETF develops and promotes Internet standards and has published the SPF protocol in RFC 7208.
• M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group): M3AAWG is an organisation that deals with combating messaging abuse and email security and recommends the use of SPF.
• CERT (Computer Emergency Response Team) and CSIRT (Computer Security Incident Response Team): These organisations operate computer security infrastructures and recommend the implementation of SPF to improve email security.

SPF is based on the following regulations and standards:

• RFC 7208: This set of rules describes the SPF protocol and its specifications.
• DNS: SPF uses DNS records to define the authorised servers for sending emails.
• Sender ID: Sender ID is an older standard that is also based on SPF and was developed by Microsoft. was developed by Microsoft.

An optimised DMARC record offers the following opportunities and benefits:

• Stronger email authentication: By implementing a DMARC record, email recipients can verify the authenticity of an email and reduce the likelihood of phishing and spoofing attacks. email authenticity and reduce the likelihood of phishing and spoofing attacks.
• Protecting corporate reputation: A well-configured DMARC record protects the domain from misuse by attackers and misuse by attackers and preserves the reputation as a trustworthy sender.
• Improved deliverability: An optimised DMARC record increases the likelihood that emails will be delivered successfully as they are successfully delivered as they are less likely to be categorised as spam or fraudulent.

A DMARC record (Domain-based Message Authentication, Reporting, and Conformance) is a DNS record that is used to check the authenticity of emails and protect the sender. authenticity of e-mails and to protect the sender. DMARC is based on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) and enables stricter authentication of emails. The DMARC record contains guidelines on how receiving mail servers should handle emails that do not fulfil the SPF and DKIM checks.

The DMARC record also contains information on whether and how the domain owner should be informed in order to detect misconfigurations or abuse at an early stage.

A comprehensive list of compliance requirements, regulations and guidelines that require or recommend DMARC includes recommend, includes:

• BSI (German Federal Office for Information Security): The BSI recommends the implementation of DMARC to improve email security.
• GDPR (General Data Protection Regulation): The GDPR stipulates that personal data must be adequately must be adequately protected. DMARC can help to ensure the protection of personal data in emails.
• HIPAA (Health Insurance Portability and Accountability Act): HIPAA requires measures to ensure the confidentiality, integrity and availability of electronically transmitted health information, including secure email communications that DMARC can utilise.
• PCI DSS (Payment Card Industry Data Security Standard): The PCI DSS standard requires the implementation of security measures to protect payment information. security measures to protect payment information. DMARC can help to reduce phishing attacks on email communication.

Bodies and authorities that require or recommend DMARC are:

• IETF (Internet Engineering Task Force): The IETF develops and promotes Internet standards and has adopted the published the DMARC protocol in RFC 7489.
• M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group): M3AAWG is an organisation that deals with organisation that deals with combating messaging abuse and e-mail security and recommends the use of DMARC.
• CERT (Computer Emergency Response Team) and CSIRT (Computer Security Incident Response Team): These organisations operate computer security infrastructures and organisations operate computer security infrastructures and recommend the implementation of DMARC to improve email security. improve email security.

RFC 7489: This set of rules describes the DMARC protocol and its specifications.

SPF (Sender Policy Framework): DMARC builds on SPF and uses the SPF mechanism to authenticate the sender.

DKIM (DomainKeys Identified Mail): DMARC also integrates DKIM to verify the identity and integrity of emails.

An optimally implemented DNSSEC offers the following opportunities and advantages:

• Authenticated DNS responses: Users can be sure that the DNS responses they receive actually originate from the authoritative source and have not been manipulated.
• Integrity of DNS data: DNSSEC protects against DNS tampering and ensures that the DNS data received is unchanged. DNS data is unchanged.
• Trusted name resolution: DNSSEC minimises the risk of DNS spoofing and cache poisoning, minimises the risk of DNS spoofing and cache poisoning, resulting in a more secure and trustworthy Internet experience.
• Protection against man-in-the-middle attacks: DNSSEC makes it more difficult to carry out man-in-the-middle attacks because falsified DNS responses can be recognised.

DNSSEC stands for "Domain Name System Security Extensions" and is an extension of the DNS protocol. It serves to ensure the security and integrity of DNS resolution. DNSSEC utilises cryptographic mechanisms, to ensure the authenticity and integrity of DNS data.

DNSSEC works by using digital signatures to sign and verify DNS records. This establishes a chain of trust that ensures that the DNS data received has not been tampered with. By verifying the digital signatures, a client can be sure that the DNS responses received actually originate from the authoritative source and have not been modified by an attacker.

An extensive list of compliance requirements, regulations and guidelines that require or recommend DNSSEC includes recommend, includes:

• NIST Special Publication 800-53: The NIST framework contains recommendations for the security of information systems and recommends the use of DNSSEC as a protective measure for the integrity of name resolution. name resolution.
• PCI DSS (Payment Card Industry Data Security Standard): The PCI DSS requirements call for the use of DNSSEC for organisations that process payment card information to ensure the security and integrity of payment transactions. payment transactions.
• GDPR (General Data Protection Regulation): Although the GDPR does not explicitly mention DNSSEC, the use of DNSSEC can help to increase the security of personal data by preventing manipulation of the DNS resolution is prevented.
• ISO/IEC 27001: The ISO/IEC 27001 certification for information security management systems requires the implementation of appropriate controls to ensure the integrity of communication systems. DNSSEC can be seen as one such control.

An extensive list of bodies and authorities that require or recommend DNSSEC includes:

• Internet Engineering Task Force (IETF): the IETF has recognised DNSSEC as a standard and promotes its use to improve the security and integrity of the Domain Name System.
• Internet Corporation for Assigned Names and Numbers (ICANN): ICANN supports the dissemination of DNSSEC and has developed guidelines for the implementation of DNSSEC for top-level domains (TLDs).
• National Telecommunications and Information Administration (NTIA): The NTIA, a US government agency, has implemented DNSSEC for mandatory for all government .gov domains and promotes its use by other agencies.
• Regional Internet Registries (RIRs): RIRs such as RIPE NCC, ARIN and APNIC recommend the implementation of DNSSEC for operators of IP address spaces in order to increase the security of name resolution.
• Internet Society (ISOC): The ISOC supports DNSSEC as an important security measure on the Internet and promotes awareness and the use of DNSSEC through education and training.

This list does not claim to be exhaustive, but does show some important compliance requirements, regulations, guidelines, committees and authorities that promote or recommend the use of DNSSEC.

DNSSEC is based on various regulations and standards, including

• RFC 4033, 4034 and 4035: These RFCs define the basic specifications for DNSSEC and describe the cryptographic algorithms used to generate digital signatures.
• Public Key Infrastructure (PKI): DNSSEC uses PKI concepts to create and verify digital signatures. verify digital signatures. Asymmetric encryption algorithms and certificates are used here.
• Key Signing Key (KSK) and Zone Signing Key (ZSK): DNSSEC uses these two key types to verify the integrity and authenticity of DNS data. integrity and authenticity of DNS data. The KSK signs the public key of the ZSK, and the ZSK signs the actual DNS records.

An optimised HTTPS offers several opportunities and advantages for the security and trustworthiness of websites. These include:

• Confidentiality: By encrypting the data, HTTPS ensures that only the intended recipient can decrypt the transmitted information. can decrypt the transmitted information. This prevents third parties from intercepting data traffic from intercepting data traffic and stealing confidential information.
• Integrity: HTTPS guarantees the integrity of the transmitted data by ensuring that it is not manipulated during transmission. not be manipulated during transmission. Through the use of cryptographic hash functions, it is possible to functions can be used to check whether the data has remained intact on its way to the recipient.
• Authenticity: HTTPS makes it possible to verify the identity of the server with which the user is communicating. By using SSL/TLS certificates, the user can ensure that they are connected to the actual website and not to a fake one. website and not a fake or fraudulent website.
• Trustworthiness: A website that uses HTTPS signals to users that it cares about the security of their data. security of their data. By providing a secure connection, the website creates trust with users and promotes a positive user experience.

HTTPS stands for Hypertext Transfer Protocol Secure and is a secure version of the HTTP protocol used for transferring data on the web. used for transferring data on the web. HTTPS uses a combination of HTTP and the SSL/TLS protocol, to ensure the confidentiality, integrity and authenticity of the transmitted data.

HTTPS is used to secure communication between a web browser and a website. It protects against potential attacks by enabling data encryption between the client (browser) and the server. Encrypting the data prevents attackers from intercepting or manipulating the content of the communication. manipulate the content of the communication.

An extensive list of compliance requirements, regulations and guidelines that require or recommend HTTPS includes recommend HTTPS includes:

• Payment Card Industry Data Security Standard (PCI DSS)
• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• National Institute of Standards and Technology (NIST) Special Publication 800-53
• ISO/IEC 27001:2013 (Information Security Management System)
• Federal Information Security Modernisation Act (FISMA)
• Federal Risk and Authorization Management Program (FedRAMP)
• Federal Data Protection Act (BDSG) (Germany)
• General Data Protection Regulation (GDPR) (European Union)

Please note that the requirements may vary depending on the context and area of application. It is important to check the specific guidelines and regulations for your industry and jurisdiction.

An extensive list of bodies and authorities that require or recommend HTTPS includes:

• World Wide Web Consortium (W3C)
• Internet Engineering Task Force (IETF)
• National Institute of Standards and Technology (NIST)
• Federal Trade Commission (FTC)
• Federal Office for Information Security (BSI) (Germany)
• Office of the Information Commissioner (ICO) (United Kingdom)
• Information Systems Audit and Control Association (ISACA)
• Cloud Security Alliance (CSA)
• Centre for Internet Security (CIS)
• Open Web Application Security Project (OWASP)

These bodies and authorities are committed to proven security practices and standards, including the use of HTTPS. which includes the use of HTTPS. Their recommendations are based on current threats, best practices and the goal of aim of improving security on the Internet.

HTTPS is based on a series of regulations and standards that define its implementation and functionality. The most important are:

• SSL (Secure Sockets Layer) and TLS (Transport Layer Security): SSL was the original protocol for secure communication on the Internet and was later replaced by TLS. TLS is the current standard for encryption and authentication of network connections, including HTTPS.
• PKI (Public Key Infrastructure): PKI is a set of technologies, policies and procedures for managing digital certificates and public keys. Certificates are used to verify the authenticity of websites and provide the encryption keys for HTTPS communication.
• HTTP Strict Transport Security (HSTS): HSTS is a mechanism that instructs browsers to establish a secure connection to a website even if the user enters "http" instead of "https". This reduces the likelihood of insecure connections and promotes the use of HTTPS.
• TLS certificates: TLS certificates are issued by certificate authorities (CAs) and are used to confirm the authenticity of a website. They contain information about the owner of the certificate and the public key used for encryption.

An optimised HTTPS offers several opportunities and advantages for the security and trustworthiness of websites. These include:

• Confidentiality: By encrypting the data, HTTPS ensures that only the intended recipient can decrypt the transmitted information. can decrypt the transmitted information. This prevents third parties from intercepting data traffic from intercepting data traffic and stealing confidential information.
• Integrity: HTTPS guarantees the integrity of the transmitted data by ensuring that it is not manipulated during transmission. not be manipulated during transmission. Through the use of cryptographic hash functions, it is possible to functions can be used to check whether the data has remained intact on its way to the recipient.
• Authenticity: HTTPS makes it possible to verify the identity of the server with which the user is communicating. By using SSL/TLS certificates, the user can ensure that they are connected to the actual website and not to a fake one. website and not a fake or fraudulent website.
• Trustworthiness: A website that uses HTTPS signals to users that it cares about the security of their data. security of their data. By providing a secure connection, the website creates trust with users and promotes a positive user experience.

HTTPS stands for Hypertext Transfer Protocol Secure and is a secure version of the HTTP protocol used for transferring data on the web. used for transferring data on the web. HTTPS uses a combination of HTTP and the SSL/TLS protocol, to ensure the confidentiality, integrity and authenticity of the transmitted data.

HTTPS is used to secure communication between a web browser and a website. It protects against potential attacks by enabling data encryption between the client (browser) and the server. Encrypting the data prevents attackers from intercepting or manipulating the content of the communication. manipulate the content of the communication.

An extensive list of compliance requirements, regulations and guidelines that require or recommend HTTPS includes recommend HTTPS includes:

• Payment Card Industry Data Security Standard (PCI DSS)
• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• National Institute of Standards and Technology (NIST) Special Publication 800-53
• ISO/IEC 27001:2013 (Information Security Management System)
• Federal Information Security Modernisation Act (FISMA)
• Federal Risk and Authorization Management Program (FedRAMP)
• Federal Data Protection Act (BDSG) (Germany)
• General Data Protection Regulation (GDPR) (European Union)

Please note that the requirements may vary depending on the context and area of application. It is important to check the specific guidelines and regulations for your industry and jurisdiction.

An extensive list of bodies and authorities that require or recommend HTTPS includes:

• World Wide Web Consortium (W3C)
• Internet Engineering Task Force (IETF)
• National Institute of Standards and Technology (NIST)
• Federal Trade Commission (FTC)
• Federal Office for Information Security (BSI) (Germany)
• Office of the Information Commissioner (ICO) (United Kingdom)
• Information Systems Audit and Control Association (ISACA)
• Cloud Security Alliance (CSA)
• Centre for Internet Security (CIS)
• Open Web Application Security Project (OWASP)

These bodies and authorities are committed to proven security practices and standards, including the use of HTTPS. which includes the use of HTTPS. Their recommendations are based on current threats, best practices and the goal of aim of improving security on the Internet.

HTTPS is based on a series of regulations and standards that define its implementation and functionality. The most important are:

• SSL (Secure Sockets Layer) and TLS (Transport Layer Security): SSL was the original protocol for secure communication on the Internet and was later replaced by TLS. TLS is the current standard for encryption and authentication of network connections, including HTTPS.
• PKI (Public Key Infrastructure): PKI is a set of technologies, policies and procedures for managing digital certificates and public keys. Certificates are used to verify the authenticity of websites and provide the encryption keys for HTTPS communication.
• HTTP Strict Transport Security (HSTS): HSTS is a mechanism that instructs browsers to establish a secure connection to a website even if the user enters "http" instead of "https". This reduces the likelihood of insecure connections and promotes the use of HTTPS.
• TLS certificates: TLS certificates are issued by certificate authorities (CAs) and are used to confirm the authenticity of a website. They contain information about the owner of the certificate and the public key used for encryption.

An optimised BIMI offers various opportunities and advantages:

• Improved brand image: By clearly displaying their own logo or trademark in email clients, companies can strengthen their brand identity and gain the trust of recipients. This can lead to a better perception of the brand.
• Increased recognisability: An optimised BIMI makes it easier for recipients to recognise emails from trustworthy senders at first glance. sender at first glance. This can increase email open rates and improve the effectiveness of email marketing campaigns.
• Enhanced email security: BIMI complements existing email authentication mechanisms and reduces the risk of spoofing and the risk of spoofing and phishing. The visual identification of the sender simplifies the verification of an email's authenticity of an e-mail is simplified and the security of communication is increased.

BIMI stands for Brand Indicators for Message Identification and is an emerging standard in the field of email security and authentication. email security and authentication. It is used to improve the visual representation of the sender in email clients clients and at the same time to verify the authenticity of the sender's identity.

By implementing BIMI, a company can integrate its official logo or other distinctive branding element into the email client. branding element in the email clients when an email originates from this company. This allows recipients to recognise at first glance whether an email actually comes from the specified source. source.

The effect of BIMI lies in the fact that it supports email authentication via the standards SPF (Sender Policy Framework) Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) standards. Conformance) standards. By linking these authentication mechanisms with a visual identification of the sender, BIM sender, BIMI helps to improve email security and combat spoofing and phishing. phishing.

There are currently no specific compliance requirements, regulations or guidelines that explicitly require or recommend BIMI. require or recommend. BIMI is an emerging standard that is supported by various organisations and experts organisations and experts, but has not yet found broad regulatory acceptance. However, it is possible that future compliance requirements or industry standards may include BIMI as a best practice or recommendation.

Various bodies and authorities support or recommend BIMI as best practice in the area of email security and authentication. Here are some examples:

• AuthIndicators Working Group: This group is an initiative of the Authenticated Received Chain (ARC) protocol and promotes the implementation of BIMI as part of email authentication.
• M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group): M3AAWG is a non-profit organisation, organisation dedicated to combating messaging abuse. It supports BIMI as a way to improve email security. email security.
• BIMI Group: The BIMI Group is a consortium of companies and organisations working to promote and standardise BIMI. and standardisation of BIMI. It comprises members from the email industry, including Email providers, companies and technology vendors.
• This list is not exhaustive and it is possible that other bodies, organisations or authorities support BIMI, organisations or authorities may support or recommend BIMI.

BIMI is based on the following regulations and standards:

• SPF (Sender Policy Framework): SPF enables an e-mail server to check whether the IP address of the sender of an e-mail is sender of an e-mail is authorised by the specified domain.
• DKIM (DomainKeys Identified Mail): DKIM enables the sender to use digital signatures to verify the authenticity of the e-mails sent and to guarantee their integrity.
• DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC is a mechanism that integrates SPF and DKIM and provides additional guidelines for handling emails with forged senders. senders.

An optimised CAA offers various opportunities and advantages:

• Stronger security: A well-configured CAA record can prevent unwanted certificate issuance, which improves the security of the domain and users. can be prevented, which improves the security of the domain and the users. Only authorised CAs can issue issue valid certificates, which reduces the risk of attacks and fraudulent activities.
• Control over certificate issuance: An optimal CAA allows domain owners to control the issuance of certificates for their domains. This provides an additional layer of security and enables better management of certificates within the organisation.
• Strengthening trust: By clearly defining the trusted CAs in a CAA entry, trust in the domain is strengthened. trust in the domain is strengthened. Users can be sure that the certificates have been issued by authorised CAs and that communication with the domain is secure.

CAA stands for "Certificate Authority Authorisation" and is a DNS entry that is used to determine the CAs (Certificate Authorities) that are authorised to issue certificates for a specific domain. a specific domain. The CAA record enables domain holders to control the issuance of certificates for their domains and prevent unwanted or unauthorised certificate issuance.

The CAA record works by establishing a policy as to which CAs are authorised to issue certificates for the domain. When a certificate request is received by a CA, the CA checks the CAA record of the corresponding domain. If the CAA entry lists the CA as authorised, the certificate is issued. Otherwise, the CA will reject the request.

The following compliance requirements, regulations and guidelines require or recommend the use of CAA:

• CA/Browser Forum: The CA/Browser Forum is an industry group consisting of certification authorities and browser browser manufacturers. The guidelines of the CA/Browser Forum recommend the implementation of CAA entries for domains to improve the security of certificates.
• Payment Card Industry Data Security Standard (PCI DSS): The PCI DSS standard contains security requirements for companies that process credit card data. The use of CAA can be used as a measure to strengthen certificate certificate security and compliance with the PCI DSS requirements.
• National Institute of Standards and Technology (NIST): NIST recommends the use of CAA records as a part of security best practices for the secure configuration of DNS services.

The following bodies or authorities require or recommend the use of CAA:

• German Federal Office for Information Security (BSI): The BSI is the national cyber security authority authority in Germany. The BSI recommends the use of CAA records as a protective measure for the security of certificates. certificates.
• Internet Engineering Task Force (IETF): The IETF is an organisation that promotes the development and standardisation of Internet protocols. The IETF has published RFC 6844, which defines the CAA Resource Record.
• Cloud Security Alliance (CSA): The CSA is an organisation that promotes best security practices in the cloud. security practices in the cloud computing industry. The CSA recommends the implementation of CAA records to improve the security of certificates in cloud environments.

It is important to note that compliance requirements, regulations and recommendations may change over time. may change over time. It is therefore advisable to check the current guidelines and recommendations of the respective bodies and authorities. authorities.

CAA is based on the following regulations and standards:

• RFC 6844: The "Request for Comments" (RFC) 6844 defines the CAA Resource Record and describes the mechanism for using CAA entries. mechanism for the use of CAA entries.
• Certification Authority Authorisation (CAA) Standard: The CAA standard was developed by the CA/Browser Forum authority and provides guidelines for the issuance of certificates and the use of CAA records. are provided.

An optimised TLSA offers various opportunities and advantages:

• Improved security: By using TLSA, the security of network communication can be significantly security of network communication can be significantly improved as the authenticity and integrity of the certificates are verified.
• Protection against man-in-the-middle attacks: TLSA makes it possible to reduce potential attack vectors by ensuring that communication only takes place with trustworthy certificates and that manipulations by attackers are recognised. by attackers are recognised.
• Strengthening trustworthiness: The use of TLSA can strengthen the trust of users, as they can can ensure that the website they are communicating with is actually the one it claims to be. claims to be.

TLSA stands for "Transport Layer Security Authentication" and is a mechanism that is used in conjunction with the Transport Layer Security (TLS) protocol. TLSA is used to verify the trustworthiness of certificates used to secure network communication.

TLSA works by providing an additional layer of authentication and verification. It enables website operators to digitally sign their certificates and publish them in DNS records. This allows clients, such as web browsers, to verify the authenticity of certificates and ensure that no forged or maliciously manipulated certificates are used. maliciously manipulated certificates are used.

The following list contains some compliance requirements, regulations and guidelines that TLSA may require or recommend. may recommend:

• Payment Card Industry Data Security Standard (PCI DSS): PCI DSS may recommend the use of TLSA as part of the security security measures for the processing of credit card data.
• General Data Protection Regulation (GDPR): Although TLSA is not explicitly mentioned in the GDPR, the use of TLSA as an additional security measure to ensure data protection and data security. data security.
• NIST Special Publication 800-52: This document from the National Institute of Standards and Technology (NIST) provides guidelines for the use of TLS in government facilities and may recommend the use of TLSA recommended.
• ISO/IEC 27001: The international standard for information security management can include TLSA as part of the security measures to ensure the integrity and confidentiality of information.

The following bodies and authorities require or recommend TLSA:

• Internet Engineering Task Force (IETF): The IETF is significantly involved in the development of Internet standards and recommends the use of TLSA to strengthen security when verifying certificates. certificates.
• CA/Browser Forum: This body, consisting of certification authorities and browser manufacturers, can use TLSA as part of their guidelines for ensuring the trustworthiness of certificates.
• National Institute of Standards and Technology (NIST): NIST may require or recommend TLSA as part of its recommendations for the secure secure configuration of networks and protection against malicious activity.
• World Wide Web Consortium (W3C): The W3C may promote TLSA as part of its recommendations for web security and support the use of TLSA to verify the authenticity of certificates.

TLSA is based on various regulations and standards, including

• DNSSEC (Domain Name System Security Extensions): TLSA utilises the DNSSEC infrastructure to ensure, that the DNS records are authentic and unaltered.
• RFC 6698: This document defines the specifications for the TLSA record in the DNS and describes how TLSA can be used to verify certificates.
• RFC 7671: This describes various scenarios in which TLSA can be used to ensure the authenticity of certificates. authenticity of certificates.

An optimised MX offers various opportunities and advantages:

• Reliable email delivery: With a correctly configured MX record, emails can be reliably delivered to the right mail servers. to the correct mail server. This ensures that important messages can be properly received and can be received and processed properly.
• Defence against email-based attacks: An optimised MX can help to prevent or hinder email-based attacks such as spoofing, phishing and malware distribution. It enables effective filtering of malicious emails and the protection of sensitive information.
• Improved communication: A correct MX record enables smooth email communication both internally and externally. internally and externally. This contributes to the efficiency and productivity of organisations and supports collaboration collaboration between different parties.

MX stands for Mail Exchanger and refers to a DNS entry that determines which mail server is responsible for a specific domain. domain is responsible for. The MX protocol enables e-mail traffic between different mail servers. It is used to transmit emails from a sender to a recipient. The MX protocol works by determining the the destination mail server to which the email is to be sent and then forwards it to the corresponding server. server.

The following list contains some compliance requirements, regulations and guidelines that may require or recommend the use of a correct MX record may require or recommend:

• Payment Card Industry Data Security Standard (PCI DSS)
• General Data Protection Regulation (GDPR)
• Health Insurance Portability and Accountability Act (HIPAA)
• Federal Information Security Management Act (FISMA)
• Sarbanes-Oxley Act (SOX)
• ISO/IEC 27001:2013 (Information Security Management System)
• National Institute of Standards and Technology (NIST) Special Publication 800-53
• Cybersecurity Framework (CSF) of the National Institute of Standards and Technology (NIST)
• Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR)
• International Organisation for Standardization (ISO) 27017 (Cloud Security) and 27018 (PII Protection in Public Clouds) Public Clouds)

Please note that the exact requirements and recommendations may vary depending on the context and organisation. organisation. It is important to consider the specific requirements of your industry and region.

The following list contains some bodies and authorities that may require or recommend the use of a correct MX record or may recommend:

• Internet Engineering Task Force (IETF)
• Internet Corporation for Assigned Names and Numbers (ICANN)
• National Institute of Standards and Technology (NIST)
• European Telecommunications Standards Institute (ETSI)
• Cloud Security Alliance (CSA)
• Payment Card Industry Security Standards Council (PCI SSC)
• International Organisation for Standardization (ISO)

These bodies and authorities are involved in the development of standards, guidelines and best practices in the field of network technology, the Internet and information security. Their recommendations and guidelines can relate to the correct configuration of MX records.

MX is based on various regulations and standards, including

• DNS standards: The MX protocol is defined in the DNS standards, in particular in RFCs (Request for These RFCs define the basic functions of the DNS, including the MX record. MX record.
• SMTP protocol: The Simple Mail Transfer Protocol (SMTP) is used for e-mail transport between the mail servers. mail servers. MX records are closely linked to the SMTP protocol, as they determine the target mail server for the email transport. the e-mail transport.
• Industry-specific standards and best practices: Depending on the industry and area of application, specific standards and best practices may apply. For example, financial institutions, government organisations or healthcare organisations or healthcare facilities may have specific requirements for the MX configuration to ensure security and compliance. ensure security and compliance.

An optimised DNS offers various opportunities and advantages. It enables efficient and reliable communication communication on the Internet by ensuring fast resolution of domain names into IP addresses. An optimised DNS can also improve security by supporting measures such as DNSSEC (DNS Security Extensions) to prevent spoofed DNS responses and ensure the integrity of DNS communication. In addition, an optimised DNS can be scalable and can handle the demands of growing internet traffic. traffic.

DNS stands for Domain Name System and is a fundamental technology on the Internet. It is used for the translation of domain names, such as example.com, into the underlying IP addresses required for communication between computers on the Internet. computers on the Internet. The DNS acts as a kind of telephone directory of the Internet, enabling that computers can communicate with each other by determining the corresponding IP addresses of domains.

The following compliance requirements, regulations and guidelines require or recommend DNS:

• Payment Card Industry Data Security Standard (PCI DSS)
• ISO/IEC 27001: 2013 (Information Security Management System)
• NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organisations)
• GDPR (General Data Protection Regulation)
• HIPAA (Health Insurance Portability and Accountability Act)
• SOC 2 (Service Organisation Control 2)
• FISMA (Federal Information Security Management Act)

The following bodies and authorities require or recommend DNS:

• Internet Engineering Task Force (IETF)
• Internet Corporation for Assigned Names and Numbers (ICANN)
• Internet Assigned Numbers Authority (IANA)
• National Institute of Standards and Technology (NIST)
• World Wide Web Consortium (W3C)
• International Organization for Standardisation (ISO)
• European Telecommunications Standards Institute (ETSI)

DNS is based on various regulations and standards. The basic specification for DNS is defined in the DNS standards, such as RFC 1034 and RFC 1035. In addition, there are further standards and extensions such as DNSSEC (RFC 4033-4035), which improve the security of the DNS. There are also regulations at national and international level that can regulate the operation and administration of DNS systems, such as the such as the guidelines of the Internet Corporation for Assigned Names and Numbers (ICANN).

Optimised use of MTA-STS offers the following opportunities and benefits:

• Secure e-mail communication: MTA-STS ensures that all e-mails between the servers involved are transmitted in encrypted form encrypted, which guarantees the confidentiality and integrity of the communication. is guaranteed.
• Protection against man-in-the-middle attacks: Enforcing TLS encryption minimises the risk of of eavesdropping and manipulation attacks by attackers is reduced.
• Improving security standards: The use of MTA-STS contributes to the promotion of secure email transport standards and supports the general improvement of email security.

MTA-STS (Mail Transfer Agent-Strict Transport Security) is a security mechanism for email servers that secures the transport of emails via an transport of e-mails via an encrypted connection (TLS). MTA-STS makes it possible to establish secure communication between email servers by specifying that all emails between the servers involved are to be sent exclusively via servers involved are transmitted exclusively via encrypted channels.

An extensive list of compliance requirements, regulations and guidelines that require or recommend MTA-STS includes recommend, includes:

• BSI (German Federal Office for Information Security): The BSI recommends the implementation of MTA-STS as part of a comprehensive email security strategy.
• GDPR (General Data Protection Regulation): The GDPR stipulates that appropriate technical and organisational organisational measures must be taken to protect personal data. The use of MTA-STS can help to ensure the security of transmitted emails.

Bodies and authorities that require or recommend MTA-STS are:

• Internet Engineering Task Force (IETF): The IETF develops and promotes Internet standards and has published the published the MTA-STS protocol in RFC 8461.
• M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group): M3AAWG is an organisation that deals with organisation that deals with combating messaging abuse and email security and recommends the use of MTA-STS is recommended.
• CERT (Computer Emergency Response Team) and CSIRT (Computer Security Incident Response Team): These organisations operate computer security infrastructures and organisations operate computer security infrastructures and recommend the implementation of MTA-STS to improve email security. improve email security.

MTA-STS is based on the following regulations and standards:

• RFC 8461: This set of rules defines the MTA-STS protocol and contains the specifications for its implementation and use. implementation and use.
• TLS (Transport Layer Security): MTA-STS uses TLS to encrypt the email transport channel.

An effective protection mechanism against compromised access data offers companies and their customers the following advantages:

• Protection of corporate accounts: By identifying leaked credentials, companies can proactively can react proactively, secure vulnerable user accounts and reduce the risk of account takeover attacks. Specifically, Identeco AD Protect prevents leaked passwords in your AD.
• Security for customer accounts: Companies that offer online services can protect their users through early warnings or mandatory password changes to protect their users from misuse. This strengthens the users' trust and minimises the damage caused by stolen login data. Innovative solutions can also user accounts on online platforms can also be protected by Identeco.
• Reduction of fraud risks: Recognising compromised credentials prevents attackers from using from using known credentials for credential stuffing or account takeovers, which could lead to financial damage or data misuse.
• Compliance with regulatory requirements: Consideration of compromised credentials helps ensure, industry-specific security standards such as ISO 27001, NIST, PCI DSS or BSI IT baseline protection and adapting security measures to current best practices.
• Protection of brand reputation: When companies proactively respond to the misuse of leaked access data, they avoid data, they avoid potential data breaches and the associated negative headlines, fines or loss of customers.

By checking for leaked credentials with the help of Identeco, organisations can improve both internal IT security and the protection of their customer accounts in compliance with data protection regulations, strengthen trust in their platforms and reduce damage caused by cybercrime in the long term.

What is a data leak?

A data leak is the unintentional or deliberate publication of confidential data. This includes, among other things:

• Personal data (e.g. address, telephone number, IBAN)
• Access data (e.g. email/user name + password)
• Internal company information (e.g. trade secrets, business strategies) company secrets, business strategies)

Leaked access data is particularly dangerous, as criminals can use a combination of email address and password to take over online accounts (account takeover), gain access to company platforms and even penetrate deeper into a company's IT infrastructure.

How do data leaks occur?

Data leaks occur in different ways. We have compiled a selection of causes and threats for you below:

• IT security vulnerabilities
  • Unpatched systems or outdated software often contain vulnerabilities that are exploited by attackers.
  • Databases can be publicly accessible due to poorly secured APIs or configuration errors.
• Human error
  • An unintentional data leak can be caused by carelessness, e.g. if an employee accidentally makes confidential data public.
  • Simple mistakes such as sending sensitive data to the wrong person or leaving a USB stick or laptop lying around can have serious consequences.
• Social engineering - manipulation of employees
  • Cyber criminals pretend to be a superior or an authority, for example, in order to trick employees into handing over confidential data.
  • Attackers use psychological tricks to put people under pressure in order to gain access to internal company information.
• Phishing - The fake website trick
  • Attackers send deceptively genuine-looking emails or text messages and lure employees to fake websites.
  • If employees enter their access data there, it ends up directly in the hands of cyber criminals.
• Malware - Digital spyware
  • Malicious programmes, so-called stealers (also known as spyware or keyloggers) can be installed on devices and read login data, emails or even bank information or entire password managers.
  • This information is then sent to the attackers unnoticed.

How can you protect yourself?

• Regularly check whether your data has been affected
  • Use providers such as Identeco to check whether your email address has been included in data leaks.
  • In your company, you should use these specialised leak monitoring solutions to be informed about leaked employee or customer data at an early stage.
• Use strong passwords & password managers
  • Never use the same password for multiple services!
  • Use password managers to generate and store secure, random passwords.
• Activate multi-factor authentication (MFA)
  • Even if a password has been leaked, MFA protects against unauthorised access to a certain extent.
  • Preferably use app-based authentication methods instead of SMS. These can also be bypassed or exploited by combining them with social engineering attacks, although this is much more difficult for attackers.
• Employee training on phishing & social engineering
  • Regularly raise your employees' awareness of how to recognise fraudulent emails.
  • "If something sounds too good to be true - it's probably a trap."
• Consistently install security updates
  • Always keep operating systems, software and network components up to date.
  • Activate automatic updates to close known vulnerabilities immediately.

A detailed list of compliance requirements, regulations and guidelines that require or recommend the handling of compromised credentials includes:

ISO/IEC 27001/27002 (2022):

The international standard for information security management requires measures for the secure management of secret authentication information in Control 5.17 (Authentication information). This includes, but is not limited to:

• Changing authentication information when compromise is suspected.
• Preventing the reuse of secret information for business and personal purposes.

These requirements help to ensure the security of credentials and reduce the risk from known compromised credentials.

NIST Cybersecurity Framework (SP 800-63b & SP 800-53)

These US security guidelines require that new or existing passwords be matched against known compromised passwords.

• SP 800-63b (5.1.1.2): Requires verifiers to check passwords against lists of known compromised or commonly used passwords.
• SP 800-53 (IA-5): Requires the implementation of mechanisms to detect compromised credentials.

PCI DSS (Payment Card Industry Data Security Standard)

he PCI-DSS 3.2.1 Requirement 8 requires organisations to document their authentication policies and ensure that users change their passwords as soon as a possible compromise is suspected. In addition, the use of multi-factor authentication (MFA) is required to make the misuse of compromised passwords more difficult.

GDPR - Art. 32

Although the GDPR does not contain any explicit requirements regarding compromised passwords, Article 32 (Security of processing) requires appropriate measures to secure personal data. The use of compromised access data poses a significant risk to personal data as it facilitates attacks such as account takeover and credential stuffing.

BSI IT-Grundschutz

In ORP.4.A23 (Identity and Authorisation Management), the German Federal Office for Information Security (BSI) requires IT systems and applications to implement measures to detect compromised passwords and respond accordingly.

The best practices and security standards of leading organisations explicitly recommend regular checks for compromised login data in order to minimise risks such as account takeover and identity theft.

What standards and recommendations are there?

• OWASP (Open Web Application Security Project)
  • The OWASP guidelines for secure authentication require regular checks of login data against known compromised databases.
  • This helps to identify compromised accounts at an early stage and ensure the security of employee and customer accounts.
• CIS Controls v8 (Center for Internet Security)
  • The CIS Controls are proven IT security measures that are used in companies worldwide.
  • Control 5 ("Account Management") in particular requires passwords to be changed immediately after a possible compromise.
  • Password denylists must be used to prevent the use of compromised or frequently used passwords.