Setting up DNSSEC for your domain for NTA 7516
The NTA 7516 standard and its accompanying technical guideline describe a large number of measures that an organization must take to safely use email for the exchange of personal health information. Securing an organization’s domain name system (DNS) by enabling DNSSEC is one of these required measures to enable interoperability between email services. DNSSEC is also one of the mandatory standards on the ‘comply or explain list’ of Forum Standaardisatie.
What is DNS?
DNS is an essential part of the internet. When you enter a domain name in a browser, for example www.zivver.com, DNS is used to look up the correct IP address of the server hosting the website (a so-called lookup). The browser then retrieves the webpage from that server and displays it. DNS is also used to look up the IP addresses of the servers that receive email for a specific organization, the so-called mail servers.
What is DNSSEC?
DNSSEC is an extension to DNS that makes this older protocol more secure. With DNS without DNSSEC, it is possible for malicious parties to influence lookups and return incorrect information (so-called cache poisoning or ‘man-in-the-middle’ attacks). For example, a lookup for www.zivver.com could return an incorrect IP address. In the case of email, this could result in messages being delivered to the wrong server, allowing unauthorized parties to read the email content. DNSSEC prevents this type of manipulation by digitally signing DNS records, so that a validating resolver can detect and reject forged answers.
How do I enable DNSSEC?
Securing the DNS server of your domain is only possible if you have your own domain name. If you use a free (shared) email service (for example @gmail.com or @outlook.com), you cannot receive secure email in accordance with NTA 7516. In that case, you also do not comply with applicable information security laws and regulations when sending personal health information using these email addresses. It is therefore strongly recommended to use your own domain name and link it to a secure email service.
If you do have your own domain name, it may already be secured with DNSSEC. Currently, over 60% of Dutch domain names have DNSSEC enabled. You can check whether DNSSEC is active for your domain via https://en.internet.nl/test-mail/. Enter the domain of your email address (everything after the @ sign) at the bottom of the page and click Start test. If both shields under Signed domain names (DNSSEC) > Email address domain are green, your domain meets this security standard.
Does your domain not yet support DNSSEC? Most domain providers (registrars) allow you to enable this. If you do not know who your registrar is, visit https://www.sidn.nl/en/whois. Enter your domain name at the top of the page and click Check. On the next page, click Show me details. Under the Registrar section, you will see which provider your domain name is registered with. You can then visit the provider’s website and search for DNSSEC or contact their support desk.
If your registrar does not support DNSSEC, transferring your domain name to another registrar is the only way to meet the NTA 7516 interoperability requirement. This process is relatively simple and usually costs only a few euros. Most registrars provide clear instructions on their websites. Make sure that your new registrar does support DNSSEC.
After enabling DNSSEC or transferring your domain name, always verify that the change was successful by running the above check again.
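A command-line counterpart to the check described above, as an added example that is not part of the original Zivver page or of internet.nl: it classifies the output of `dig` for the MX lookup of an email domain. It assumes `dig` is installed and that the resolver you pass validates DNSSEC; the function names and the sample headers are constructed for illustration, and unlike internet.nl it does not test the mail server domains separately.

```shell
#!/bin/sh
# Added example: classify DNSSEC validation state from dig output.
# A validating resolver sets the "ad" (authenticated data) flag on answers it
# verified, and answers SERVFAIL when signatures exist but do not verify.

# Print the response status (NOERROR, SERVFAIL, ...) from dig output in $1.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the "ad" flag is present in the header flags of dig output in $1.
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# $1 = output of a normal query, $2 = output of the same query with +cd
# (checking disabled). Prints: secure | not-validated | bogus | indeterminate
# "not-validated" means the zone is unsigned OR the resolver does not validate.
classify_dnssec() {
    status=$(dig_status "$1")
    if [ "$status" = "NOERROR" ]; then
        if dig_has_ad "$1"; then echo secure; else echo not-validated; fi
    elif [ "$status" = "SERVFAIL" ] && [ "$(dig_status "$2")" = "NOERROR" ]; then
        # Fails with validation on, resolves with it off: broken signatures.
        echo bogus
    else
        echo indeterminate
    fi
}

# Live use (needs network): check_domain DOMAIN RESOLVER_IP
check_domain() {
    classify_dnssec "$(dig +dnssec MX "$1" @"$2")" \
                    "$(dig +dnssec +cd MX "$1" @"$2")"
}

# Constructed sample headers (not captured from a real domain).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1004
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
```

A `bogus` result after enabling DNSSEC or transferring a domain means validating resolvers cannot resolve the domain at all, so mail delivery to it fails until the signing data is corrected.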
More information
For more information about DNSSEC, registrars, and related topics, visit the SIDN website.