Email test on Internet.nl extended

July 16, 2018

Is your domain configured in a way that mail spoofing is actively prevented? Does your mail server offer proper transport encryption? As of today you can test both aspects with the new version of Internet.nl that has been published by the Dutch Internet Standards Platform.

Spoofing prevention

Spoofing of email is a common attack vector where an attacker sends an email from someone else's mail address. This technique is for example often used to phish for passwords or other valuable information. This can be prevented with authenticity marks based on the standards DMARC, DKIM and SPF. It is important to set a sufficiently strict policy when using these, i.e. p=quarantine or p=reject for DMARC and ~all or -all for SPF. This was already tested by Internet.nl but as of today these will weigh in the score, as was already announced in the beginning of this year.

Secure mail server connections

E-mail in transit that is not encrypted, can be eavesdropped by attackers. The STARTTLS standard prevents passive attackers from reading emails in transit. In addition DANE protects against active attackers stripping STARTTLS encryption by manipulating the mail traffic. Internet.nl already checked for these standards. In this new version of Internet.nl this test is conformant with the factsheet "Secure the connections of mail servers" from the Dutch National Cyber Security Centre (NCSC). Furthermore the test results now weigh in the score.

About Internet.nl

Internet.nl helps you to check whether your internet is up to date, i.e. if your website, email and internet connection use modern and reliable Internet Standards. The website Internet.nl is an initiative of the Dutch Internet Standards Platform. The platform is a collaboration between partners from the internet community and the Dutch government. ECP provides for the administrative home of the platform. Open Netlabs / NLnet Labs is responsible for the technical implementation of the Internet.nl website


Release notes:

  • New features:
    • Email test is now conformant with NCSC guidelines (TLS+DANE are scored);
    • Test for Denial of Existence when checking DANE;
    • Introduce the DANE rollover scheme test;
    • Anonymize IPs and reverse names in the connection test;
    • Revised privacy statement;
  • Changes:
    • Weight HSTS and DMARC/SPF policies;
    • Intermediate screen now only shows the status of the test running instead of results when it is finished;
    • Display DANE records in test details;
    • New icon for test results with 'optional' requirement level;
    • Use "ALL" ciphers when testing HTTP features (not for the TLS tests);
    • Old results that no longer can be rendered in the UI, cause the retest of the domain and show new results;
    • Several content improvements;
  • Bug fixes:
    • Now we parse only the first HSTS header;
    • Miscalculation on the nameserver test when a nameserver had no address;
    • A bogus DANE record now results in warning instead of an error for the website test as it has no impact on the score;
    • Several UI fixes.