Advantages and features of De-Mail
Technologies for sending encrypted e-mails have existed for a long time, but to date have been unable to establish themselves in practice: 95 per cent of all e-mails are still sent unencrypted. This may be due to the fact that encrypting electronic messages usually requires users to have additional installations on the computer (certificates, card reader, etc.) and know how to use them.
However, De-Mail offers a very simple option for sending electronic correspondence in an
- encrypted,
- authentic and
- verifiable
way.
Sending a De-Mail is just as easy as sending a conventional e-mail.
Advantages over standard e-mail
Function | Standard e-mail | De-Mail
---|---|---
Clearly identifiable senders | no | yes
Clearly identifiable recipients | no | yes
Confidential transmission via encryption | no | yes
Protection against manipulation of e-mails | no | yes
Protection from advertising e-mails (spam) | no | yes
Automatic detection of malware (viruses, Trojans) and warning for recipients | no | yes
Legally binding transmission | no | yes
Delivery option: sent confirmation | no | yes
Delivery option: confirmation of receipt | no | yes
Delivery option: personal | no | yes
Delivery option: authoritative | no | yes
Global address book (public directory service) | no | yes
Web interface or e-mail client?
In the simplest case, you can use the web applications of De-Mail providers. They work similarly to the familiar e-mail interfaces that people regularly use online. This makes starting to use De-Mail very straightforward. In addition, you don't have to install any other software to use De-Mail. If your De-Mail provider has this option enabled, you can also use De-Mail via a common e-mail program. Please contact your provider for information and detailed instructions on how to do this.
Companies and public institutions often use their own e-mail servers and programs for sending electronic correspondence. They don't have to stop doing this either: these systems can be connected to the De-Mail service via a gateway. This means that e-mail clients being used at that time can continue to be used as usual.
Registration and identification
To use the De-Mail service, you need a De-Mail account and e-mail address. This address must clearly show that it is a De-Mail address, e.g. name.surname@your_de-mail-provider.de.
You receive the De-Mail address by registering for a De-Mail account with the De-Mail provider of your choice. Your identity is verified following registration. This is one of the major advantages of De-Mail: nobody can hide behind a fake identity, as only users with a verified identity can send and receive De-Mails.

Your identity is verified using a method specified by the De-Mail provider. An authorised representative of the provider will personally check and confirm your identity using your identity card or passport. In addition, your De-Mail provider can also identify you by using the eID function of your identity card or electronic residence permit. Information on the ID card is available under the menu item "ID card". Once you have successfully completed registration and identification, your De-Mail account will be activated and you will receive your login details.
Login procedure
You must be logged in to your De-Mail account to send or read a De-Mail. In terms of login options, you can choose between two methods which correspond to different security levels and enable different actions in the De-Mail account.
To use the "normal" security level, logging in with a username and password is enough. In this case, we are referring to authentication using knowledge. To use the "high" security level, you use a token as well as the username and password, i.e. an object that is in your possession.
This is known as two-factor authentication by knowledge (username/password) and possession (token). Different manufacturers offer different types of tokens:
- Chip card with the eID function, e.g. the identity card in standard bank card format or a signature card,
- USB flash drive with a PIN or password-protected authentication function,
- One-time password (OTP) generator, which you can use to request a password that you can only use for one login.
The specific token you use for authentication depends on your De-Mail provider and your own personal preferences.
Mailbox and delivery service
In the De-Mail structure, you can only send correspondence to people and companies who also have a De-Mail address. This ensures you are always communicating with a clearly identifiable partner. You do not need to be registered with the same De-Mail provider as the addressee of your De-Mail. You cannot successfully reach addressees without a De-Mail account via the service, as De-Mail is a self-contained system.
If you want to communicate by e-mail with addressees that do not have a De-Mail account, you can do so using a standard e-mail account.
You can choose from several options when sending a De-Mail.
When using the standard delivery option, the De-Mail is protected against loss of confidentiality as well as changes to the message content and the metadata (e.g. sender address, sending time, sending method).
In addition, you can choose between several delivery types which you can even combine:
- Sent confirmation: your delivery service confirms that the De-Mail has been sent.
- Confirmation of receipt: the recipient's mailbox service confirms receipt of the De-Mail message to you and the recipient.
To confirm this, the De-Mail provider sends you a qualified electronically signed confirmation of when and to whom you sent the De-Mail, or when the message arrived in the recipient's mailbox. This provides you with reliable proof of your electronically transmitted message at any time.
In addition, there are other delivery types available if you have logged on to your De-Mail account via the high security level (possession and knowledge):
- Personal: the recipient can only read your message if they have also logged in via the high security level login.
- Authoritative: this option confirms that you have logged in via the high security level before sending.

Mailbox and delivery service procedure:
- Hans Meier sends the De-Mail, with the sent confirmation and confirmation of receipt delivery options selected, over an encrypted channel to provider A
- Provider A issues a signed sent confirmation to Hans Meier
- Provider A transmits the encrypted and change-protected message to provider B
- Provider B delivers the message to the recipient Uwe Schulz
- Provider B issues a signed confirmation of receipt to both Hans Meier and Uwe Schulz
Transport encryption
Each De-Mail is encrypted during transmission
- between the sender and their De-Mail provider and
- between two De-Mail providers and
- between the De-Mail provider and the recipient.
This is known as transport encryption and protects the De-Mail from unauthorised access.
When the De-Mail reaches the De-Mail provider, the message is decrypted. The data is then unencrypted for a brief moment. During this short space of time, the De-Mail is checked for malware (e.g. viruses and Trojans). If the system detects malware, it warns the recipient by marking the message. This check is performed automatically on servers in the provider's data centres, which comply with the strict specifications of the BSI. Under no circumstances do employees of the De-Mail provider have access to the decrypted message.

Transport encryption procedure:
- Drafting of the De-Mail
- Creation of an encrypted channel and sending of the De-Mail
- Brief, automated decryption for checking (spam, viruses, De-Mail metadata)
- Encryption of the De-Mail
- Creation of an encrypted channel and transmission of the De-Mail to the recipient's provider
- Brief, automated decryption for checking (spam, viruses, integrity)
- Storing De-Mail in the mailbox of the recipient
- Decryption of the De-Mail and transmission via an encrypted channel
- De-Mail displayed
End-to-end encryption
If you are dealing with particularly sensitive messages, the contents of the De-Mail can be encrypted in addition to the transport channel. In order to be able to use this end-to-end encryption feature, you and the recipient of your message need to have suitable encryption software installed on your own computers.
You use this software to personally encrypt your De-Mail before sending it. It is only decrypted by the recipient on their computer. However, this means that an automatic check for malware cannot be performed, as the De-Mail provider cannot access the message contents.
The use of end-to-end encryption is made easier by a directory service which all De-Mail providers must provide. The recipient of your De-Mail can store their public key here, which you use to encrypt your De-Mail. To decrypt your De-Mail, the recipient then uses their private key that is only known to them.
De-Mail providers make end-to-end encryption easier for you with free add-ons that you can easily use even without any experience. The add-ons use the globally recognised "Pretty Good Privacy" (PGP) standard and are used in the normal browser interface of the De-Mail account.
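The following added example (not code from the De-Mail service or its providers) models the transport-encryption procedure above and the end-to-end case: each provider briefly decrypts, scans and re-encrypts for the next hop, while an end-to-end encrypted message passes through the providers unreadable, so their malware check cannot see its contents. The HMAC-based stream cipher, the hop keys, the `<<MALWARE>>` marker and the recipient key `E2E_KEY_UWE` are all constructed stand-ins for TLS, PGP and a real scanner signature.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 keystream. Stand-in only
    (no integrity protection); De-Mail uses TLS on each hop and PGP end-to-end."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, data)

def unseal(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

MALWARE_MARKER = b"<<MALWARE>>"  # constructed stand-in for a scanner signature

def provider_scan(exposed: bytes) -> str:
    """The automated check a provider runs on the briefly decrypted data."""
    return "malware-flagged" if MALWARE_MARKER in exposed else "clean"

# Constructed per-hop transport keys: sender<->A, A<->B, B<->recipient.
K_SENDER_A, K_A_B, K_B_RECIPIENT = (os.urandom(32) for _ in range(3))
ROUTE = [("provider A", K_SENDER_A, K_A_B), ("provider B", K_A_B, K_B_RECIPIENT)]
# Constructed stand-in for the recipient's PGP key pair from the directory service.
E2E_KEY_UWE = os.urandom(32)

def send_de_mail(message: bytes, e2e_key=None):
    """Runs the transport procedure hop by hop. Returns the bytes the
    recipient reads and, per provider, what its scan could see."""
    payload = seal(e2e_key, message) if e2e_key else message  # optional PGP-style layer
    blob = seal(K_SENDER_A, payload)
    audit = []
    for name, key_in, key_out in ROUTE:
        exposed = unseal(key_in, blob)           # plaintext exists only here, briefly
        audit.append((name, provider_scan(exposed)))
        blob = seal(key_out, exposed)            # re-encrypted for the next hop
    received = unseal(K_B_RECIPIENT, blob)
    if e2e_key:
        received = unseal(e2e_key, received)     # only the recipient holds this key
    return received, audit
```

With end-to-end encryption the audit shows both providers reporting "clean" for a message that does contain the marker, which is exactly the caveat the text describes.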
Directory service for De-Mail addresses
The directory service for De-Mail addresses works like a phone book of sorts and is maintained by De-Mail providers for their customers. Every user can optionally publish their De-Mail address and other contact data there. The public key for end-to-end encryption is also stored in this directory. The provider must not include your data in the directory without your consent.
If you don't know the De-Mail address of the recipient of your message, run a search query in the directory service of your provider. The provider will then search for the requested address in all directory services in the De-Mail network.
Blocking your De-Mail account
If your login details for your De-Mail account have fallen into the wrong hands, you can have the account blocked at any time by calling your De-Mail provider's hotline. You can get the hotline number from your provider.
If incorrect authentication data is entered multiple times, the De-Mail account will be blocked automatically. This means your account is protected from access by unauthorised persons.
Further information
If you have any further questions about De-Mail or information security, please contact the BSI.
The latest information is available to private individuals, companies and public institutions at www.de-mail.de. The De-Mail Information Portal provides information on the various options for using De-Mail for communication with companies and public authorities.