Germany identifies a secure way to deal with spam

By demanding real-world identification from senders, a new German mail system may stop spam

In theory, stopping spam is easy: just make it uneconomic to send millions of messages by charging for each one sent, or make senders authenticate their identity to stop address spoofing and simplify blocking.

In practice, that would involve building a secure, parallel e-mail infrastructure linking electronic authentication with real-world identities: a daunting task. Yet that's just what Germany is about to do.

De-mail -- a play on the country-code abbreviation for Deutschland (Germany) and the word e-mail -- is a government-backed service in which all messages will be encrypted and digitally signed so they cannot be intercepted or modified in transit. Businesses and individuals wanting to send or receive De-mail messages will have to prove their real-world identity and associate that with a new De-mail address from a government-approved service provider. The service will be enabled by a new law that the government expects will be in force by the end of this month. It will allow service providers to charge for sending messages if they wish.

Eliminating spam is not the primary purpose of De-mail -- in fact, service providers will be legally obliged to deliver every De-mail message, without blocking any, just as the postal service is not supposed to throw away your mail.

But the proportion of spam in De-mail is likely to be much lower than in regular Internet e-mail, of which 77.6 percent was spam in January, according to Kaspersky Labs. That's because De-mail's requirement that senders identify themselves will make it riskier to promote fake pharmaceuticals and illegal pyramid investment schemes, while any charges to send messages will make spamming less profitable.

The identity requirement will also make it easy for recipients to filter and block unwanted De-mail messages -- there is no legal obligation to read them, after all. Filtering is also possible with regular Internet e-mail, but less reliable because of the possibility of address spoofing.

Messages sent through the De-mail service will have the same legal protection and status as paper mail, making it possible to send the equivalent of recorded delivery mail and obtain a legally valid receipt.

On the technical side, De-mail will use existing Internet standards, carrying messages over encrypted connections between dedicated SMTP (Simple Mail Transfer Protocol) servers that only communicate among themselves, isolated from regular Internet mail servers. The law will require De-mail service providers to comply with strict technical specifications and to pass regular security audits.

Telecommunications operator Deutsche Telekom, corporate e-mail provider Mentana Claimsoft and Internet service provider United Internet (owner of the brands GMX and 1&1) are promoting the future service at the Cebit trade show in Hanover, Germany, this week, as is the German Ministry of the Interior, backer of the scheme.

Deutsche Post, the German postal service, has also developed a De-mail service, according to Ministry sources, but Deutsche Post was showing only its ePostBrief secure webmail service, which is already on the market but is not interoperable with De-mail.

None of the De-mail providers exhibiting at Cebit would say exactly how much they planned to charge for the service, although none of them expect the cost to exceed that of a paper letter, currently €0.55 ($US0.75) in Germany. But even at that price, De-mail senders would save by eliminating the cost of paper and printing -- or at least passing it on to recipients wishing to keep a physical copy of a document.

The secure nature of De-mail will allow banks and utilities to push out monthly statements or bills electronically, rather than on paper.

Customers can obtain the same documents from the websites of those organizations today, "but it's a pull process, they have to log in and download all this information," said Jens Mayer, De-mail project leader at Deutsche Telekom.

With De-mail, they'll be able to log in to a single site or service, the same one they use every day, to access bills and statements.

Deutsche Telekom's plan is that De-mail will be just another tab in the webmail interface for customers of its ISP subsidiary, T-Online: "Our philosophy is that De-mail should be as easy as e-mail," Mayer said.

Mentana Claimsoft, meanwhile, wants businesses and government organizations to use their existing Outlook clients and Exchange servers. The company has developed an Outlook plugin to flag authenticated incoming messages with a De-mail icon. Outgoing De-mail messages can go through Exchange too: Mentana Claimsoft will operate secure gateways into the De-mail system, although its customers will remain responsible for the authentication of their users and the security of their internal networks, said Nils Kiehne, an account manager and consultant with Mentana Claimsoft's GovMail division.

For now, De-mail usage will be restricted to German residents and businesses, but other countries could get involved. European Union competition laws require that Germany allow service providers from elsewhere in the E.U. to offer De-mail. And the legal frameworks for similar services elsewhere are starting to appear: only last month, France passed a law defining the technical framework for electronic registered mail.

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at
