Email Security in the Context of Germany’s Digital Sovereignty

As digital threats intensify and geopolitical tensions redefine our understanding of cybersecurity, email security has emerged as a critical battleground for Germany’s digital sovereignty. At the recent eco Internet Security Days (ISD) 2025, I presented how our German Federal Office for Information Security (BSI) is addressing this challenge through our comprehensive “Email Security Year 2025” initiative.

Beyond individual responsibility

The numbers tell a stark story. In 2024, cybercrime caused €179 billion in economic damage in Germany alone. Over 90% of ransomware attacks – the main driver of these losses – began with a malicious email. With 360 billion emails circulating globally each day, we’re essentially facing 360 billion potential attack vectors daily.

This reality has fundamentally shifted our approach at BSI. We can no longer rely solely on telling consumers “don’t click on suspicious links.” While user awareness remains important, this strategy places an unfair burden on individuals who shouldn’t be expected to identify increasingly sophisticated phishing attempts, especially those enhanced by artificial intelligence (AI).

As our BSI President Claudia Plattner stresses: “The best protection against phishing emails is when phishing emails never reach the consumer in the first place.” This principle has become the cornerstone of our infrastructure-focused approach.

Digital sovereignty: A nuanced approach to independence

The concept of digital sovereignty often gets oversimplified in public discourse. At BSI, we don’t advocate for complete digital isolation or the wholesale exclusion of foreign technology providers. Instead, our philosophy centers on “taking back the wheel” – regaining meaningful control over our digital infrastructure while maintaining beneficial international partnerships.

This balanced approach involves several key elements:

• Strengthening European markets for IT security
• Supporting European research and development in cybersecurity
• Building European resilience in digital security
• Fostering intelligent partnerships with international technology providers
• Supporting open-source technology ecosystems

The goal isn’t isolation but rather strategic independence: the ability to make informed decisions about our digital future while maintaining the benefits of global technological cooperation.

The “Email Security Year 2025”: Collaboration over regulation

Our “Email Security Year 2025” initiative represents a fundamentally different approach to cybersecurity policy. Rather than imposing new regulations during a time when businesses already face significant compliance burdens, we chose collaboration over coercion.

The campaign centers on BSI’s technical guidelines for email security, specifically focusing on “Secure Email Transport” (BSI TR-03108) and “Email Authentication” (BSI TR-03182). These cover key protocols such as:

• DNSSEC (Domain Name System Security Extensions – ensures authenticity of domain data)
• DANE (DNS-based Authentication of Named Entities – secures encrypted connections)
• MTA-STS (Mail Transfer Agent – Strict Transport Security – enforces email transfer)

Our initial assessment in February 2025 measured 155 companies and mailbox providers. The results revealed concerning gaps: only 20% had implemented DNSSEC, just 11% had deployed DANE, and just 10% had adopted MTA-STS (see Figure 1 below).

In parallel, we launched an outreach campaign to support companies in improving their email security practices.

The support model: Beyond regulation

Instead of mandating compliance, we developed an extensive support ecosystem. Working closely with partners like the eco Association and Bitkom, we:

• Held individual consultations with hundreds of companies
• Provided detailed technical guidance and how-to materials
• Offered personalized assessments and improvement roadmaps
• Created networking opportunities for best practice sharing
• Established direct technical support channels

This approach proved remarkably effective. Of the approximately 500 companies that we initially contacted, over 120 committed to implementing our technical guidelines. To make this commitment visible, we launched the “Hall of Fame for Email Security” together with eco and Bitkom, publicly recognizing companies with Gold or Silver status. Beyond technical compliance, this strengthens trust in digital services and gives pioneers of secure email a clear competitive edge.

The competitive edge consists of “being on the Hall of Fame” versus “not being on the Hall of Fame.” The Gold status can be achieved if companies commit themselves to take on the DNSSEC/DANE challenge, as this is the path the technical guidelines prefer. We are honoring companies who improve their security with MTA-STS, but this can only be worth silver to us as this is the tolerated alternative to DNSSEC. So we do honor every step towards security, but we have a clear preference which we tried to visualize with the Hall of Fame.

As eco Board Member Prof. Norbert Pohlmann put it: “The companies that are now getting involved are not only strengthening their own brands – they are also making an important contribution to consumer protection. The Hall of Fame recognizes exactly this commitment, which we at eco strongly support.”

Measuring success through collaboration

The results speak to the effectiveness of collaborative approaches to cybersecurity policy. Since the campaign’s launch, we’ve observed significant improvements across multiple security metrics:

• 59% of participating email providers implemented DKIM (DomainKeys Identified Mail) during the campaign
• 21% deployed DMARC (Domain-based Message Authentication, Reporting & Conformance)
• 38% implemented MTA-STS (Mail Transfer Agent – Strict Transport Security)
• 17% established TLS (Transport Layer Security) reporting mechanisms

These improvements represent substantial progress in securing Germany’s email infrastructure, achieved through partnership rather than prescription.

Consumer protection tools

Infrastructure improvements alone aren’t enough. Consumers also need tools for informed decisions about their email security.

Email security checker: 
Our comprehensive tool evaluates providers with more than 80 email products across multiple dimensions – sender address protection (SPF, DKIM, DMARC), protection against eavesdropping (DNSSEC, DANE, MTA-STS, TLS versions), and additional measures. Since launching on August 22nd, 2025, usage has been ten times higher than comparable consumer tools.

Communication campaign: 
Under the banner “Deine E-Mails, dein digitales Zuhause” (Your Emails, Your Digital Home), we developed a multi-channel program with practical guidance on strong passwords, two-factor authentication, and provider selection.

The path forward

Our roadmap through 2025 includes continuous public engagement, expanded business resources, ongoing measurement, and enhanced security standards across Germany’s email infrastructure.

This reflects a broader truth: cybersecurity improvements require ongoing attention, not one-time interventions. The collaborative relationships with industry partners, including the eco Association and Bitkom, form the foundation for long-term progress.

Conclusion: Building Cybernation Deutschland  together

Email security may lack the headline appeal of AI or quantum cryptography, but its importance to digital infrastructure cannot be overstated. Through “Email Security Year 2025,” we’ve shown that ambitious cybersecurity goals can be met through collaboration and shared commitment to digital resilience.

The invitation remains open: join this effort. Whether you’re a business leader, technology provider, or consumer, you have a role in securing our digital future. Together, we can build the resilient, secure, sovereign digital infrastructure Germany needs.

You can contact us at Emailsicherheit@bsi.bund.de

Caroline Krohn is Head of the Digital Consumer Protection at the German Federal Office for Information Security (BSI). In addition, she leads the Dialogue for Cybersecurity, the BSI’s platform for exchange with civil society, and heads the BSI’s annual campaign together with eco Association and Bitkom — “Email Security Year 2025”, which aims to improve the state of email security in Germany.

Before joining the BSI, Ms. Krohn held various positions in business, politics, academia, and civil society — always focusing on cybersecurity, data protection and data security, security and Internet policy, sustainability, and ethics. She studied political science, modern and contemporary history, and philosophy with an emphasis on military studies at the University of Potsdam. Ms. Krohn speaks five languages and grew up in northern Germany with both German and French roots. She is a sought-after speaker and publicist.