New security certificates

Created on 17. January 2017, 10:00 | Category: Info

Dear Posteo users,

In the coming days we will be updating our security certificates. Security certificates are only valid for a specified time period and need to be renewed from time to time. We will therefore be changing them by 22.01.2017. We continue to use certificates from Geotrust and the Bundesdruckerei (D-Trust).

In most cases you will not notice anything when the certificates are changed over. All programs such as Thunderbird or Outlook will find the new certificate automatically. You do not need to do anything. If your program displays a certificate error during the changeover process, please simply restart the program, which should overcome the error.

If you check the trustworthiness of certificates manually, you can find the fingerprints for the new certificates that we will shortly begin using, below. You can also find the fingerprints in our legal notice.

New fingerprints for TLS security certificates

SHA256: 30:2A:06:B8:CF:A8:5B:93:66:5A:44:66:E2:BB:84:05:FE:80:95:3F:5A:FE:D1:08:DB:3B:B0:0D:7C:42:B4:39
SHA1: BD:16:71:84:B0:B1:40:D9:0A:65:99:8C:E6:7B:01:D6:AA:5B:8B:67
MD5: 55:F5:81:51:91:CD:88:64:14:D5:AA:E2:D5:2E:2C:AB

SHA256: 06:48:D6:E4:D3:79:42:79:81:77:0F:49:88:43:D7:65:EE:A8:6F:1F:12:6F:72:11:8F:A9:4C:A9:66:34:FE:B5
SHA1: 79:DB:A0:A9:57:D9:30:FA:EF:5F:72:69:FB:1B:EA:06:90:27:9F:4D
MD5: DA:59:74:62:7C:D1:12:4E:15:41:25:37:9B:56:D0:58

Best regards,

The Posteo team

Posteo becomes the first provider to receive a certificate for secure sending of emails

Created on 08. December 2016, 18:40 | Category: Info

Dear Posteo users and interested parties,

At Posteo it is especially important to us that you can securely send and receive emails. Today there is news on this front: We have become the first provider to receive a certificate for the new “secure email transport” technical guidelines by the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, henceforth BSI). The goal of the BSI is to promote IT security.

The certificate was today awarded to us by the certifying authority “datenschutz cert”. Representatives of the BSI were also present. Via the certificate on our website, you can now identify that our security measures have been independently checked and proven to conform to BSI requirements.

Thomas Gast (BSI), Thomas Gilles (BSI), Ralf von Rahden (datenschutz cert), Patrik Löhr (Posteo), Florian Bierhoff (BSI)

The new technical guidelines detail the measures that an email service is to undertake in order to actively protect emails from unauthorised third parties during their transport. Email providers need to implement DANE if they wish to receive certification. DANE overcomes various weaknesses in the commonly-used transport route encryption, TLS. Among other things, DANE prevents so-called man-in-the-middle attacks, in which an attacker latches onto a communication process, annulling the encryption. In 2014, Posteo became the first provider to implement DANE. Since then we have committed ourselves to the dissemination of this new technology, which is pioneering in the confidentiality of digital communication. Thus our users can not only securely communicate with one another, but also with the users of other email services. We were therefore especially pleased that the free standard DANE has become necessary for the certification.

Since 2014 we have been engaged in a working group together with other email providers involved in a dialogue with the BSI that led to the formation of the technical guidelines. We pushed for high security requirements and simple implementation.

We frequently criticise authorities when things don’t work in practice, for example, in our transparency reports. On the other hand, we welcome the BSI’s new guidelines for secure email transport. The BSI was especially interested in working together with the providers to design the guidelines with a practical orientation. The guidelines correlate with the highest security requirements and the certification is also implementable in terms of the time and money involved for smaller providers such as Posteo.

New certificate identifies secure email services

In our view, the fact that claims made by email providers about their security measures can now be evaluated by independent authorities also constitutes great progress for users. From now on, users can identify whether a service has been proven to fulfil the criteria in the guidelines via the certificates on the providers’ websites. The logo with text “BSI TR-03108 zertifiziert” indicates the corresponding guidelines.

The BSI guidelines do not constitute a legal requirement, but rather recommend security measures to email providers. Providers that wish to receive a corresponding certificate need to prove that they fulfil all requirements set out.

Certification is undertaken by an independent body – Posteo was certified by datenschutz cert. Certification occurs entirely remotely, checking the email service’s public interfaces. Other email providers and services such as those of companies or universities, for example, can now register to be evaluated according to the technical guidelines. We hope that the guidelines further increase dissemination of the recommended security technology. High common standards also increase the level of security for emails that you send to contacts that use other email providers. Thus communication becomes more secure overall.

Best regards,

The Posteo team

Additional information for those with technical interests:

- The technical guidelines can be found on the BSI website,
- Posteo has used DANE since May 2014. You can read more about DANE here.
- End-to-end encryption does not render transport route encryption redundant. End-to-end encryption generally only protects the content of your communication, but not metadata such as the subject field and information as to who is communicating with whom. Transport route encryption with TLS protects the content as well as the metadata for emails on their way across the internet. DANE additionally secures this encryption. End-to-end encryption is always in the hands of the users, because no-one else can have access to the private keys. We recommend combining end-to-end encryption with strong transport route encryption on the provider’s side.

New: Webmail interface displays servers with the highest sending security

Created on 18. August 2016, 17:00 | Category: Info

Dear Posteo users,

We have just released a new feature for you: Our webmail interface now shows you which of your contacts you can send to with the optimal security of DANE technology. This can be recognised by a small, green DANE symbol above an email address.

For us, the new DANE display is something very special. When we introduced this new piece of security technology in May 2014, Posteo was according to the first provider worldwide to support DANE. Many IT experts were unsure at that time whether the new technology would become established. In the meantime, this has changed – it is now worthwhile displaying whether another server supports DANE: We now transfer emails to many email servers worldwide using DANE as standard, including large email providers such as 1&1 (as well as, GMX and and Comcast.

The technology is becoming widespread for good reason: DANE eliminates various weaknesses in the widely used transport route encryption between servers – STARTTLS, and increases security of the encrypted transport of emails. Without DANE, encryption would not be “forced”, for example, but instead newly-negotiated for each connection between the email servers involved. With DANE, email servers communicating with one another must encrypt every connection. If the encryption is disrupted or the communication is subject to an attack, the email will not be sent. Servers that are capable of DANE also undertake a check of their security certificates prior to sending – in a process similar to an ID check. This ensures that the other server is in fact the “actual target” of the communication and not a so-called man-in-the-middle placed in between. With DANE, encrypted sending can be ensured in advance, which is why we are providing a DANE status display in the webmail interface. In summary, for you the new display means that if you see the symbol displayed, your email is guaranteed to be transferred to that recipient with DANE. Firstly, it will be sent over an encrypted transport route, and secondly, it will be sent to the actual, legitimate recipient.

Tip: The TLS-sending guarantee also protects you for servers without DANE

If the DANE symbol is not displayed for an address, then the receiving server does not yet support DANE. Examples of large providers that do not yet support DANE include Gmail and Yahoo.

These do support encrypted connections between email servers. Without DANE, however, in case of interruptions or attacks as described above, unencrypted connections can occur. This the case anew for every single email. Without DANE, therefore, no serious assertion can be made about the security of a connection between two email servers.

Here is an important tip for you: With Posteo, you can categorically prevent sending without TLS.

Activate your personal TLS-sending guarantee in your account settings

This ensures that the transport route for your emails is guaranteed to be encrypted with TLS, even to servers that do not support DANE. If you activate the TLS-sending guarantee, we will only send your email when the message can be sent with encryption. If secure sending over an encrypted connection is not possible, sending of the email will not occur – and you receive a notification from us. Therefore, if an unauthorised third party attacks a secure connection wanting to force an unencrypted connection, sending will be prevented.

Best regards,

The Posteo team

Related reading: Why does Posteo display the DANE status but not the TLS status?

Kindle, GOP etc: What to do with insecure email servers

Created on 28. July 2016, 17:00 | Category: Blog

Dear Posteo users,

In the last few days we have received a lot of positive feedback on our new TLS-sending guarantee, for which we would like to say thank you. We’re very pleased about how well the new security feature is being adopted. Within just a few days more than 20% of our users have activated the new feature. With the TLS-sending guarantee activated, your emails are only sent if they can be transferred to the recipient over an encrypted transport route. Because we are currently receiving a lot of queries, we will here look at some insecure email servers and show what options are available when sending is stopped.

First, here is an example, which we are receiving many enquiries about: Amazon “”.

The email servers for the commonly-used domain “” are in fact not secure. Even three years after the NSA scandal, the domain still does not support TLS encryption when receiving emails. Our tests confirm this. We have received numerous queries about the security of “” from users with the TLS-sending guarantee activated. In our view, the lacking TLS support presents a large problem, because customers use “” addresses to send their own documents to their Kindles. Amazon describes this feature as follows: “Kindle customers can send documents to their registered Kindle devices, free Kindle reading applications, and their Kindle Library in the Amazon Cloud by e-mailing them to their Send-to-Kindle e-mail address”

It appears that Amazon domains are not generally affected.


The current configuration of “” is insecure and presents a security risk. Whether you wish to continue sending sensitive data to “” addresses is your own personal decision. If desired, you could temporarily disable the TLS-sending guarantee in order to send. Please note, however, that due to the lacking security of, these communications can be read by unauthorised third parties such as criminals and intelligence services. For privacy reasons, you should not send other people’s data to addresses – the others should be able to decide this for themselves.
We have no influence over Amazon’s IT. You could contact Amazon directly. It is generally not especially difficult for administrators of email services to activate TLS encryption on their servers. We assume that the domain will soon be secured if complaints arrive, as the lacking security constitutes a grave security risk. You would then once again be able to send emails to addresses with the TLS-sending guarantee activated.

No encryption for GOP (Republican National Committee), the University of Oxford or Ryanair either

We are asking all users who have contacted us regarding email servers that are not capable of TLS encryption such as,,,,,, and other domains (listed below) to decide in each individual case whether they wish to send an email to the insecure email system. For all servers that are not capable of TLS, communicating with these outdated email systems is insecure.

When sending is stopped, you have the following options:
- You can inform the recipient (if desired, using an alternative contact method) that securely sending an email to their address is not possible and ask them to provide an alternative email address.
- You can temporarily deactivate the Posteo TLS-sending guarantee and send the email securely, by furnishing it with end-to-end encryption.
- You can temporarily deactivate the TLS-sending guarantee and send the email unencrypted/insecurely, as an exception.

Ask the domain holders for better security

If you would like to, you could contact the holder of a domain to ask them to activate TLS encryption on their servers. By doing this, you contribute to achieving an improved overall security of email traffic.
Overall, it can be said that these days, mainly only outdated and poorly-maintained email servers do not support TLS. If you activate the TLS-sending guarantee, it will generally only rarely occur that one of your emails is not sent for security reasons.

Last of all, we have collated a list of examples of commonly-used email domains that astonishingly do not yet support TLS, about which we have received queries during the last few days:

- Amazon Kindle:
- Microsoft:
- United Nations Office at Geneva:
- University of Oxford:
- Yahoo! Japan:
- Melia Hotels:
- Kodak Pulse “Email pictures to the display”:
- Germanwings:
- eBay:
- German American Chamber of Commerce:
- Pacific National Bank:
- Ryanair:
- Voyages SNCF:
- Republican National Committee:

Best regards,

The Posteo team

New: TLS-sending guarantee for additional security

Created on 13. July 2016, 15:45 | Category: Info

Dear Posteo users,

Today we have made a new, important feature available to you – our TLS-sending guarantee. This new security feature protects you from sending emails to insecure systems. You can now activate the new feature in the settings of your account.

Emails need to be transferred over encrypted connections so that criminals and intelligence services can not read them in an unauthorised manner. Three years after the NSA scandal, transport route encryption (TLS) has as a result become commonplace: All large email providers have now activated it on their systems. But what about the email systems to which you frequently send everyday emails or work-related emails? Prior to sending an email, it is not visible to the user whether the email systems used by business partners, doctors, clubs or schools support secure connections. Our systems, on the other hand, recognise this. Before sending each and every email, Posteo attempts to create an encrypted connection with the other email server in order to achieve secure sending.

If secure sending is not possible, the transfer is stopped
This is exactly where our new TLS-sending guarantee comes in: If you activate this security feature, we will only send your emails when the message can be securely delivered to the recipient. If secure sending over an encrypted connection is not possible, transfer of the email will be stopped – and you receive a notification from us. Sending is also stopped if an unauthorised third party attacks a secure connection, wanting to force an unencrypted connection.

If we notify you that sending was stopped, you can then decide yourself whether you would still like to send your message to the insecure system. To do this you can temporarily deactivate the TLS-sending guarantee and send your message (as an exception) without TLS. We designed the new feature as practically as possible: Whether you access your emails with a smartphone, in the webmail interface or in local email programs such as Outlook or Thunderbird, makes no difference. Each sending of an email undergoes our TLS security test. If you send an email to multiple recipients, sending is only stopped for those recipients to which the email can not be securely transferred. You are then notified by us via email as to which recipients were affected.

New security test before each email is sent
The new feature affords you additional clarity: You always find out about your contacts’ current communication security. For security reasons, a new TLS check occurs before sending every email, even for known recipients. Thus we ensure that your emails are not sent insecurely if a server is temporarily incapable of TLS, for example, due to technical problems or an attack.

You can now activate the TLS-sending guarantee in the settings of your Posteo account under “Settings” → “My account” → “Transport route encryption”. In our help section we have prepared an article on the new TLS-sending guarantee. There you can find out how to activate and deactivate the feature and how to proceed when the sending of an email to an insecure email server is stopped.

Additional information for IT pros:
- The TLS-sending guarantee prevents downgrade attacks, whose goal is to revert to unencrypted connections.
- Outdated and insecure encryption protocols such as SSLv3 or RC4 will not be tolerated: These also cause a stop on sending.
- Man-in-the-middle attacks are made more difficult and are always prevented if, like Posteo, the receiving server also uses DANE.

More about encryption at Posteo
Transport route encryption is one building block in our innovative encryption model. On our Encryption info page you can also learn about our other features: Here you discover, for example, how you can conveniently encrypt all saved data at the click of a button (crypto mail storage, address book and calendar encryption). We also inform about how we encrypt each access and all sensitive data, and present our end-to-end encryption features (key directory, PGP in the webmail interface, and more).

Best regards,

The Posteo team