NTA 7516 List of Requirements
Please see the List of NTA 7516 requirements (Dutch) for details.
Cryptshare for NTA 7516 consists of several components: Cryptshare for Outlook on the client, your existing mail server and the Cryptshare Mail Gateway. Each of the components is involved in the NTA 7516 compliant delivery or receipt of an email and must be configured accordingly. In addition, a specific DNS configuration is required. It is recommended to setup the components in this order:
- Installation of Cryptshare Mail Gateway
- Configuration of Cryptshare for Outlook
- Configuration of the Mail Server
- DNS Setup
Outgoing email (option A)
If the sender decides to send a regular email, the mail server or, alternatively, the spam/virus filter forwards it to the foreign mail Server directly.
If the sender decides to send a confidential email according to NTA 7516, they do so by using Protective Email Classification in Cryptshare for Outlook.
This marks the message with a header detected by the mail server and therefore forwarded to the Cryptshare Mail Gateway component, which runs on a separate server (see System Requirements).
This leads to the application of special delivery rules, such as using DANE and enforced TLS during sending.
Outgoing email (option B)
All regular emails and NTA emails are processed by the Cryptshare Mail Gateway component, which runs on a separate server (see System Requirements). Regular email with no special confidentiality requirements is just forwarded to the receiving Forgeign Mail Server.
Incoming regular email bypasses the Cryptshare Mail Gateway and is delivered directly to the mail server or Spam/Virus Filter, as without Cryptshare for NTA 7516. This is because the Cryptshare Mail Gateway has stronger security demands on incoming connections due to NTA 7516, which cannot be fullfilled by every sending foreign mail server. This means in particular that the MX record(s) will not need to be modified.
Incoming email that is sent using an NTA 7516 compliant procedure needs to be delivered to the Cryptshare Mail Gateway, as this is capable of the required security measures, such as DANE, DKIM, and DMARC.
In this case, the sending side determines the target host using a special DNS TXT record that follows a certain convention that all NTA 7516 compliant email products are able to interpret.