De-Mail ‒ features and functions

De-Mail mailbox and delivery service

The De-Mail mailbox and delivery service is the core De-Mail service. It guarantees reliable and confidential communication. This means that:

When a message is sent, it is protected against loss of confidentiality, changes to the content of the message and changes to the metadata (e.g. sender's address, time of dispatch, delivery options).

De-Mails can also be sent with a particular qualification, which gives four delivery options:

  • Private:
    If this option is selected, the recipient must be logged in with at least level "high" in order to read the message. This option can only be selected if the login level of the sender is "high" as well.
  • Authoritative:
    If this option is selected, the sender is stating that they consider themselves bound by the content of the message they have sent. This option can only be selected if the login level of the sender is "high". The recipient is told that the sender was logged in as "high" when they sent the message.
  • Confirmation of dispatch:
    If this option is selected, the sender's delivery service generates a confirmation of dispatch and delivers it to the sender by means of a message.
  • Confirmation of receipt:
    If this option is selected, the recipient's mailbox service generates a confirmation of receipt and delivers it both to the sender and to the recipient of the original message by means of a message.

The user can select any combination of these four options.
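As an added illustration, not taken from the page or from any De-Mail provider's software, the following Python models the rules above: which option combinations a sender may choose at a given login level, whether a recipient may read a private message, and who receives the generated confirmations. The name of the level below "high" (here NORMAL) and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class LoginLevel(IntEnum):
    NORMAL = 1   # assumed name for the level below "high"
    HIGH = 2     # the level the page calls "high"


@dataclass(frozen=True)
class DeliveryOptions:
    """The four qualifications; any combination may be selected."""
    private: bool = False
    authoritative: bool = False
    confirm_dispatch: bool = False
    confirm_receipt: bool = False


def check_send_options(opts: DeliveryOptions, sender_level: LoginLevel) -> list:
    """Return the rule violations for the chosen options (empty list = sendable)."""
    problems = []
    if opts.private and sender_level < LoginLevel.HIGH:
        problems.append("private requires sender login level high")
    if opts.authoritative and sender_level < LoginLevel.HIGH:
        problems.append("authoritative requires sender login level high")
    return problems


def recipient_may_read(opts: DeliveryOptions, recipient_level: LoginLevel) -> bool:
    """A private De-Mail may only be opened at login level high."""
    return (not opts.private) or recipient_level >= LoginLevel.HIGH


def recipient_notice(opts: DeliveryOptions) -> str:
    """What the recipient is told about an authoritative message."""
    return "sender was logged in as high" if opts.authoritative else ""


def confirmations(opts: DeliveryOptions, sender: str, recipient: str) -> list:
    """(confirmation type, generating service, addressee) for each selected confirmation."""
    out = []
    if opts.confirm_dispatch:
        out.append(("dispatch", "sender delivery service", sender))
    if opts.confirm_receipt:
        # The receipt confirmation goes to both parties of the original message.
        out.append(("receipt", "recipient mailbox service", sender))
        out.append(("receipt", "recipient mailbox service", recipient))
    return out
```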

The sender can also add (qualified electronic) signatures to their messages using their own components and/or encrypt them end-to-end. De-Mail providers are required to offer a directory service in which De-Mail users can store public keys/encryption certificates for their De-Mail addresses. This makes end-to-end encryption considerably easier for the user to implement.

High level of user comfort combined with high security

At the moment, over 95 per cent of all e-mails are sent unencrypted. Any unauthorised party can intercept, read and modify unsecured e-mails on the Internet just like a postcard. To ensure that secure e-mail communications take hold throughout Germany as quickly as possible, De-Mail should be as easy as possible to use. The fact that users do not have to install anything additional onto their computers to use De-Mail is, therefore, deliberate. In its simplest form, users can access De-Mail via a web portal, in the same way that most users send e-mails via popular e-mail portals nowadays.

To eliminate the need for users to perform additional installations, De-Mail has been designed so that messages are encrypted when they are sent between users and service providers, and from one service provider to another. This process uses transport encryption (SSL or TLS), whereby messages are sent between senders, service providers and recipients via secured channels ("tunnels").

Transport encryption is a point-to-point encryption method. A tunnel is set up between the user and the service provider, then all data transmitted via that tunnel is encrypted automatically. The result is that data at the end of the tunnel appears once again as plain text, which means messages can be checked for malware. If the system detects a virus or a trojan in a De-Mail, the message is electronically flagged accordingly. This measure protects the recipient, their technology and, therefore, the entire De-Mail information domain. After they have been checked, messages are saved in encrypted format.

The checking process itself runs on servers in tested secure data centres that must meet BSI requirements. The BSI verifies compliance with IT security and data security requirements by means of a comprehensive certification process, which includes test attacks that the BSI conducts so as to identify and correct any security deficiencies in advance. Only certified providers who can prove they satisfy the stringent security requirements of the De-Mail Act in terms of technology, organisation and personnel will be permitted to offer De-Mail services and will be able to receive the necessary accreditation.

User-friendly additional encryption

Where messages have particularly high confidentiality requirements, De-Mail users have the option to further encrypt the content being sent via De-Mail themselves ("end-to-end encryption"). In this case, encryption is performed at the sender's computer and the content is not decrypted again until it reaches the recipient's computer. This does, however, require the installation of additional software to carry out the encryption and decryption. The directory service, which a De-Mail service provider is bound to offer, helps users by allowing them to make their public keys available to other users. A user is therefore able to search a central location for the public keys belonging to persons with whom they want to communicate confidentially. Previously this process was difficult and presented the biggest stumbling block stopping end-to-end encryption technologies from taking widespread hold ("Where can I find the right encryption key for my communication partner?"). De-Mail is therefore intended to support and promote the use of end-to-end encryption.

Authenticity and integrity

Together with the confidentiality measures already described, authenticity and integrity are essential to De-Mail. Every user must be uniquely identified once so that the authenticity of communication via De-Mail is guaranteed. This allows every account to be assigned unambiguously to a single person. Additional authentication requirements must also be met, such as two-factor authentication (based on possession and knowledge), to make misuse harder or prevent it altogether.

The integrity of messages is guaranteed by a checksum or a qualified electronic signature. These integrity-protecting measures are applied as soon as the service provider receives a message and accompany it on its way to the recipient.

The overall objective of the security requirements managed by the BSI is to enable potential providers to reach an appropriate security level, but at the same time to leave enough leeway to customise the operational environment. This gives providers the option to use or adapt their existing infrastructure.