2016-11-12 On NIST Special Publication 1800-6, DNS Based Email Security

NIST has published a document on email security. I have some comments on that:

• It is perhaps not surprising that nist.gov itself has not implemented its own recommendations regarding DNSSEC/DANE. Although nist.gov is protected with DNSSEC, the MX record directly points to nist-gov.mail.protection.outlook.com which is unprotected. Perhaps NIST can convince Microsoft to add DNSSEC/DANE records to their hosted email solution.
  
  
• Perhaps NIST can suggest to various US government regulators that they should make DNSSEC/DANE a requirement for financial institutions and large defense contractors. See this for a list of some of them.
  
  
• Page 19, section 1.1, "...when DNSSEC and DANE are turned on, mail servers experience severe service degradation or crashes due to large numbers of retransmission attempts." I have been running production sendmail servers with DNSSEC/DANE validation for the last four months and have not seen this issue. It is unclear which specific error scenario that sentence is referring to.
  
  
• Page 31, section 4.4.2.2, talks about VRFY and EXPN for dictionary harvesting. From a log file with 170K "RCPT TO" commands, I see only 19 "VRFY" commands and not a single "EXPN" command. Those mechanisms might have been popular long ago, but current spammers don't seem to even try them anymore.
  
  
• Page 31, section 4.4.2.2, "In Microsoft Exchange, account enumeration is not generally an issue. In environments other than Microsoft Exchange, account enumeration is not generally an issue." So it is never an issue? The only account enumeration that I see in my logs are folks using many different machines to each send one "RCPT TO" command.
  
  
• Page 33, section 4.4.3, "New and existing regulations are force organizations to". Should be "forcing".
  
  
• Page 33, section 4.4.3, "Employees sending personal emails and sifting through spam mail can cause major loss of productivity." with a footnote "Current SPAM filtering solutions ... and DNSSEC achieves this authentication". DNSSEC does nothing to stop spam - unless you take the step of refusing all mail from domains that are not protected with DNSSEC. But no one can do that, since none of GMail, Yahoo, Outlook use DNSSEC.
  
  
• Page 38, section 4.4.4.2 2.a DE.DP-4, "abort delivery of messages from sources" should be "abort delivery of messages to destinations". DNSSEC/DANE is all about validating the destination mail server.
  
  
• Page 38, section 4.4.4.3 2, The RS.CO-2 text is duplicated in both 2 and 2.a.