Overview
- Germany’s cybersecurity agency published guidance urging Security by Design and Security by Default in webmail, calling on major providers such as Gmail, GMX, web.de and Hotmail to assume primary responsibility.
- Default strong authentication is urged, including mandatory two‑factor authentication or passkeys, alongside modern password policies and rate limiting for login attempts.
- The paper calls for integrated, interoperable end‑to‑end encryption in webmail using OpenPGP or S/MIME, with automated key generation and management, public‑key discovery via WKD (Web Key Directory), and transport security through DANE or MTA‑STS.
- Effective anti‑spam and anti‑phishing filtering should run in the backend using SPF, DKIM and DMARC, complemented by clear user warnings, easy reporting and correction of misclassifications.
- Secure, auditable account‑recovery flows are recommended, with optional identity proofing at signup and transparent security profiles and trust models; no legal mandate has been announced, and adoption by providers is still pending.
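The public‑key discovery the paper asks for (WKD, bullet three) is a fixed URL derivation rather than a search. As an added illustration, not code from the guidance paper or from any of the named providers, the following Python computes the lookup URLs a webmail client would fetch for a correspondent's address, following draft-koch-openpgp-webkey-service: SHA‑1 of the lower‑cased local part, z‑base‑32 encoded, placed under `/.well-known/openpgpkey/`. The address `Joe.Doe@Example.ORG` is the draft's own example; nothing here touches the network.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by GnuPG for WKD hashes (draft-koch-openpgp-webkey-service)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, taking 5-bit groups from the most significant bit."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5            # right-pad so the bit string splits into 5-bit groups
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """WKD hash: SHA-1 of the lower-cased local part, z-base-32 encoded (32 characters)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD lookup URLs for an e-mail address.

    A client tries the advanced method first (openpgpkey.<domain> subdomain) and
    falls back to the direct method if that host does not exist.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()           # domain names are case-insensitive
    h = wkd_hash(local)
    # the original local part is passed as query parameter l so the server can
    # serve case-sensitive mailboxes; percent-encode it for safety
    l_param = quote(local, safe="")
    return {
        "hash": h,
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
        "advanced_policy": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/policy",
        "direct_policy": f"https://{domain}/.well-known/openpgpkey/policy",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

Because the local part is hashed after lower‑casing, `Joe.Doe` and `joe.doe` resolve to the same key file; the `l=` parameter carries the original spelling so a provider with case‑sensitive mailboxes can still disambiguate. The `policy` URL exists on both paths and is what a client fetches to learn whether the domain supports WKD at all.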
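The backend checks in the anti‑phishing bullet come together in DMARC's alignment decision: a message passes only if an SPF or DKIM result that already passed is also aligned with the visible `From:` domain under the policy's `aspf`/`adkim` mode. Added example, not code from the paper or any provider: it assumes the receiver has already run SPF and DKIM and knows which domains authenticated, and the public‑suffix list is a constructed, abbreviated stand‑in for the real one.

```python
# Constructed, abbreviated public-suffix list for this example; a production
# checker loads the full Public Suffix List (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "org", "net", "de", "co.uk"}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tag -> value; {} if it is not a valid v=DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return {}
    tags.setdefault("adkim", "r")   # relaxed alignment is the default for both identifiers
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record: str, from_domain: str, spf_domain=None, dkim_domains=()) -> dict:
    """Combine already-computed SPF/DKIM results with the sender's DMARC policy.

    spf_domain:   the RFC5321.MailFrom domain if SPF returned pass, else None.
    dkim_domains: d= values of the DKIM signatures that verified.
    """
    policy = parse_dmarc(record)
    if not policy:
        # no usable policy published: DMARC does not apply, other filters decide
        return {"result": "none", "disposition": "none"}
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = any(aligned(from_domain, d, policy["adkim"]) for d in dkim_domains)
    passed = spf_ok or dkim_ok
    return {
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy["p"],
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
    }


if __name__ == "__main__":
    # constructed sample policy: strict DKIM alignment, relaxed SPF alignment
    rec = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    print(evaluate_dmarc(rec, "example.com", spf_domain="bounce.example.com"))
    print(evaluate_dmarc(rec, "example.com", dkim_domains=["mail.example.com"]))
```

The second sample shows why the mode matters: a DKIM signature from `mail.example.com` verifies fine, but under `adkim=s` it is not aligned with `From: example.com`, so without an aligned SPF pass the message inherits the `p=reject` disposition. That is the kind of misclassification the paper wants providers to surface clearly and let users report.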