Alternate Title: Making Email Trustworthy (October 2016)
"Email is a core application of computer networking and has been since the early days of Internet development. In those early days, networking was a collegial, research-oriented enterprise. Security was not a consideration. The past forty years have seen diversity in applications deployed on the Internet, and worldwide adoption of email by research organizations, governments, militaries, businesses, and individuals. At the same time, there has been an associated increase in Internet-based criminal and nuisance threats. The Internet's underlying core email protocol, Simple Mail Transport Protocol (SMTP), was adopted in 1982 and is still deployed and operated today. However, this protocol is susceptible to a wide range of attacks, including man-in-the-middle content modification and content surveillance. The basic standards have been modified and augmented over the years with adaptations that mitigate some of these threats. With spoofing protection, integrity protection, encryption and authentication, properly implemented email systems can be regarded as sufficiently secure for government, financial, and medical communications. […] The major goal of the document is to provide guidelines on how to combat possible threats before a user opens an email. This guidance applies to federal IT [information technology] systems and will also be useful for other organizations, including small and medium-sized businesses."
National Institute of Standards and Technology: http://www.nist.gov/