10.06.2025

Secure Email Starts with the Sender

Why standards such as SPF, DKIM, DMARC and DNSSEC are now mandatory

Email remains the backbone of digital communication. But this is precisely where its central weakness lies: billions of emails are sent every day – a significant proportion of which are fake, fraudulent or incorrectly authenticated. The consequences are far-reaching: legitimate emails end up in spam filters, attacks reach users unnoticed, and the reputation of entire organisations can be damaged.

This is why eco – Association of the Internet Industry, in close partnership with the German Federal Office for Information Security (BSI), is committed to strengthening email security through concrete technical measures and the comprehensive implementation of established standards.

Technical standards – briefly explained

A number of technical standards are required to ensure that emails can be delivered securely and reliably. One of these is SPF (Sender Policy Framework): the domain owner publishes a DNS TXT record listing the mail servers authorised to send on the domain's behalf, and the receiving server checks the connecting IP address against that list for the envelope sender (MAIL FROM) domain. This allows forged senders to be identified at an early stage, although SPF on its own says nothing about the From: address the recipient actually sees.

DKIM (DomainKeys Identified Mail) supplements this protection with a digital signature in the email header. The sending system signs selected headers and the message body with a private key and publishes the matching public key in DNS, so the receiver can verify the authenticity and integrity of the message – even after it has been forwarded, which is where SPF typically breaks.

DMARC (Domain-based Message Authentication, Reporting and Conformance) combines SPF and DKIM into a higher-level policy published for the domain in the From: header. A message passes only if SPF or DKIM succeeds for a domain that aligns with that From: domain, and the policy gives the receiving server clear instructions on how to handle messages that fail: monitor only (p=none), quarantine them (p=quarantine) or reject them (p=reject). DMARC also delivers aggregate reports on email traffic to the domain owner, which creates transparency and highlights areas where action is needed.

To ensure that these mechanisms work reliably, the DNS records they depend on must themselves be protected against tampering – this is where DNSSEC (Domain Name System Security Extensions) comes into play. DNSSEC cryptographically signs DNS records so that their integrity can be verified, and it is the basis for DANE (DNS-based Authentication of Named Entities), which publishes TLSA records binding a mail server to its TLS certificate so that transport encryption between mail servers cannot be silently downgraded or intercepted.
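The following Python script is an added example, not code from the eco/BSI article, showing how a receiving server puts the standards above together for one message: it evaluates the SPF record for the MAIL FROM domain, checks SPF and DKIM alignment against the From: domain, and derives the DMARC disposition from the published policy. The domain example.org, its SPF and DMARC records, the mailing provider mailer.example and all message parameters are assumed; DNS is replaced by a dictionary, and DKIM signature verification is represented by a flag rather than performed.

```python
"""Added example (not from the article): how a receiver evaluates SPF and DMARC
for one message. example.org, its DNS records and all messages are constructed.
DNS is a dictionary stand-in; real code queries DNS (ideally via a DNSSEC-validating
resolver) and verifies the DKIM signature, represented here by a dkim_valid flag."""
import ipaddress

# Constructed TXT records. example.org sends from its own range and through an
# assumed mailing provider (mailer.example) that uses its own bounce domain.
DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    "bounces.mailer.example": "v=spf1 include:_spf.mailer.example -all",
    # strict DKIM alignment, relaxed SPF alignment, harsher policy for subdomains
    "_dmarc.example.org": "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.org",
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, depth=0):
    """SPF (RFC 7208) for MAIL FROM domain and connecting ip. Supports ip4, ip6,
    include and all; returns pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    terms = DNS_TXT.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            matched = spf_check(value, ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, ptr, exists and redirect= need live DNS; not modelled
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # nothing matched and no explicit "all"


def parse_dmarc(domain):
    """Tags of the record at _dmarc.<domain>, or None if there is no valid one."""
    record = DNS_TXT.get("_dmarc." + domain.lower())
    tags = {}
    for part in (record or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def org_domain(domain):
    """Organisational domain, simplified to the last two labels. Real code uses
    the Public Suffix List (example.co.uk needs three labels)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the
    same organisational domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(header_from, mail_from, source_ip, dkim_d=None, dkim_valid=False):
    """Returns a dict whose 'disposition' is 'pass' or the policy to apply on
    failure ('none', 'quarantine', 'reject'). dkim_d is the d= of a signature
    that is assumed to verify when dkim_valid is True."""
    tags = parse_dmarc(header_from)
    policy = tags.get("p", "none") if tags else None
    if tags is None and org_domain(header_from) != header_from.lower():
        tags = parse_dmarc(org_domain(header_from))   # subdomain: use org record and sp=
        policy = tags.get("sp", tags.get("p", "none")) if tags else None
    if tags is None:
        return {"disposition": "none", "reason": "no DMARC record"}
    spf = spf_check(mail_from, source_ip)
    spf_aligned = spf == "pass" and aligned(mail_from, header_from, tags.get("aspf", "r"))
    dkim_aligned = bool(dkim_valid and dkim_d) and aligned(dkim_d, header_from, tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    return {"disposition": "pass" if passed else policy.lower(),
            "spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


if __name__ == "__main__":
    print(dmarc_evaluate("example.org", "example.org", "192.0.2.25"))               # own server: pass
    print(dmarc_evaluate("example.org", "bounces.mailer.example", "198.51.100.10"))  # provider, SPF not aligned: quarantine
    print(dmarc_evaluate("example.org", "bounces.mailer.example", "198.51.100.10", "example.org", True))  # aligned DKIM: pass
    print(dmarc_evaluate("example.org", "example.org", "203.0.113.5"))               # unknown host spoofing: quarantine
    print(dmarc_evaluate("news.example.org", "news.example.org", "203.0.113.5"))     # subdomain inherits sp=reject
```

The provider case is the instructive one: its SPF passes for bounces.mailer.example, but that domain does not align with example.org, so the message only passes DMARC once the provider signs with d=example.org. With adkim=s, a signature from mail.example.org would not be enough either.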

Practical insights: Feedback from the BSI workshop

Colleagues from eco and the Certified Senders Alliance (CSA) actively participated in a BSI workshop on 26 May 2025. The discussions made it clear that there is no lack of knowledge – but rather a lack of confidence in technical feasibility, resources and clear responsibilities.

The extremely low use of DNSSEC was particularly striking. In the groups in which eco participated, participants confirmed that hardly any company uses DNSSEC productively to a significant extent. The main reason is fear of misconfiguration: many IT departments worry that incorrect DNSSEC records could cause massive operational problems, such as company websites or mail servers becoming unreachable.

Another topic was DMARC – or more precisely, the surprise many companies experience when they receive their first DMARC reports. It is often only at this point that it becomes apparent how many external systems, such as newsletter or ticketing tools, send emails on behalf of the company. Identifying these systems, checking them and either authorising them properly or specifically excluding them represents a considerable organisational and technical challenge.
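What that first report actually looks like, and how to turn it into a work list, is shown by the following added example (not from the article or from eco/BSI tooling). The aggregate report is constructed in the RFC 7489 RUA XML format; the receiving organisation receiver.example, the sending IPs, the domains helpdesk.example and mailer.example and all counts are assumed. The script totals messages per source and separates third parties that authenticate as some other domain (and therefore need aligning) from hosts that authenticate as nothing at all.

```python
"""Added example (not from the article): triaging a DMARC aggregate (RUA) report.
The XML follows the RFC 7489 report format but is constructed: the receiver, IPs,
domains and counts are assumed, with example.org as the domain owner."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id>
    <date_range><begin>1749427200</begin><end>1749513599</end></date_range></report_metadata>
  <policy_published><domain>example.org</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <!-- own mail server: aligned SPF and DKIM -->
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from><envelope_from>example.org</envelope_from></identifiers>
    <auth_results><dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- helpdesk SaaS: authenticates only as itself, so nothing aligns with example.org -->
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from><envelope_from>bounces.helpdesk.example</envelope_from></identifiers>
    <auth_results><dkim><domain>helpdesk.example</domain><result>pass</result></dkim>
      <spf><domain>bounces.helpdesk.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- newsletter provider: SPF for its own bounce domain, but an aligned DKIM signature -->
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>800</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from><envelope_from>bounces.mailer.example</envelope_from></identifiers>
    <auth_results><dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>bounces.mailer.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- unknown host: nothing authenticates at all -->
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>2500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from><envelope_from>example.org</envelope_from></identifiers>
    <auth_results><spf><domain>example.org</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def summarise(report_xml):
    """Per-source totals. A message passes DMARC when either alignment-aware result
    in <policy_evaluated> is pass; 'authenticated_as' collects every domain that
    passed SPF or DKIM in the raw auth_results, aligned or not."""
    root = ET.fromstring(report_xml)
    published = root.find("policy_published")
    sources = {}
    for rec in root.iter("record"):
        row, pe = rec.find("row"), rec.find("row/policy_evaluated")
        count = int(row.findtext("count"))
        src = sources.setdefault(row.findtext("source_ip"),
                                 {"pass": 0, "fail": 0, "envelope_from": set(), "authenticated_as": set()})
        passed = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        src["pass" if passed else "fail"] += count
        src["envelope_from"].add(rec.findtext("identifiers/envelope_from") or "")
        for result in rec.findall("auth_results/*"):
            if result.findtext("result") == "pass":
                src["authenticated_as"].add(result.findtext("domain"))
    return {"domain": published.findtext("domain"), "policy": published.findtext("p"),
            "sources": sources}


def triage(report_xml):
    """Failing sources, largest first, classified as third parties that still need
    aligning (they authenticate as some other domain) or as unknown/likely spoofing."""
    rows = []
    for ip, s in summarise(report_xml)["sources"].items():
        if not s["fail"]:
            continue
        kind = "third party, not aligned" if s["authenticated_as"] else "unknown, possible spoofing"
        rows.append((ip, s["fail"], kind, sorted(s["authenticated_as"])))
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT)
    total = sum(s["pass"] + s["fail"] for s in summary["sources"].values())
    passed = sum(s["pass"] for s in summary["sources"].values())
    print(f"{summary['domain']} p={summary['policy']}: {passed}/{total} messages passed DMARC")
    for ip, failed, kind, domains in triage(SAMPLE_REPORT):
        print(f"  {ip:<15} {failed:>5} failed  {kind}  {domains}")
```

Run against the constructed report, the helpdesk provider surfaces as a legitimate but unaligned sender that must be given a DKIM key for example.org or an aligned bounce domain before the policy moves beyond p=none, while the largest failing source authenticates as nothing and is a candidate for blocking rather than onboarding.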

Another obstacle arises in an international context: companies that work with partners outside Europe – especially in Asia – are often confronted with weak or entirely absent sender authentication on the partner side. If misuse or configuration problems occur, escalation processes often come into play too late or not at all.

Last but not least, the human factor was also mentioned several times: even well-trained employees click on phishing links in stressful situations. It therefore remains essential to carry out awareness campaigns and update them regularly. In addition, IT is decentralised in many larger organisations. This often results in a lack of uniform guidelines, clear responsibilities and a technical overview of the entire domain setup.

Why eco and BSI are working together

The partnership between eco and the BSI is logical and effective. While the BSI has regulatory expertise, security analyses and the political framework, eco has 30 years of technical know-how, market proximity and operational implementation expertise in the Internet industry. With initiatives such as the CSA, eco has been actively involved in shaping standards and quality assurance in email delivery from an early stage.

Together, both partners are working not only to formulate recommendations, but also to support companies on an equal footing – from knowledge transfer and motivation to concrete technical implementation.

Conclusion: Security begins with sending

Email security can only work if it starts with the sender. Organisations that want to build trust must ensure that their own domains are cleanly configured, clearly authenticated and reliably monitored. This is the only way to make email communication future-proof – and the Internet a little bit safer.

eco is calling on everyone to get their domain ready – for trust, visibility and secure delivery.
