The National Cybersecurity Center of Excellence (NCCoE) has invited comments on a draft practice guide to help organizations improve email security and defend against phishing, man-in-the-middle, and other types of email-based attacks.

The draft of the National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide titled, Domain Name Systems-Based Electronic Mail Security (NIST Special Publication 1800-6), demonstrates how commercially available technologies can help email service providers improve the security of email communications. “Protocols such as Transport Layer Security (TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME), Domain Name System Security Extensions (DNSSEC), and Domain Name System (DNS) Authentication of Named Entities (DANE) exist and are capable of providing needed email security and privacy protection.)

— “Large email service providers, such as Gmail and Yahoo, have taken steps to reduce the prevalence of email scams by implementing mechanisms to verify the origin of an email. However, these mechanisms are difficult to implement, require long lead times, and must integrate into existing systems, making it difficult for organizations without a large IT department to do so. As a result, many enterprises have been slow to embrace these protections.”  –William “Curt” Barker, Domestic Guest Researcher, NIST

— The draft guide can be downloaded from the NCCoE website, which includes a form for submitting comments. The public comment period is open through December 19, 2016.