Compliance · BSI
BSI TR-03108 and secure email transport.
The BSI's Technical Guideline defines minimum requirements for email transport security. Here you can see which requirements Mailantis meets directly — and where you need to take additional action.
BSI TR-03108 · M3.1
TLS enforcement satisfied
- MTA-STS: mode=enforce · max_age=1 week
- TLS-RPT: active · rua=mailto:[email protected]
- DANE: provider-dependent (e.g. deSEC)
- Cert expires: Aug 9, 2026 (82 days)
_mta-sts.demo-kunde.at TXT "v=STSv1; id=20260318094215Z"
Context
What TR-03108 is about
BSI TR-03108 "Secure Email Transport" is the authoritative guideline of the German Federal Office for Information Security. It describes detailed requirements for Mail Transfer Agents (MTAs) that must cover "high" or "very high" protection needs.
While the guideline is primarily aimed at mail server operators, its application has broadened in practice: many KRITIS audits and government procurements explicitly reference TR-03108 as the target standard.
The main pillars are mandatory TLS encryption, MTA-STS in mode=enforce, DANE on DNSSEC-enabled zones, and correctly configured DMARC, SPF and DKIM records — exactly the area Mailantis covers.
Mapping table
TR-03108 requirement ↔ Mailantis feature
| Section | Requirement (short form) | Mailantis feature | Status |
|---|---|---|---|
| §3.1 | TLS 1.2+ for inbound and outbound SMTP connections | TLS-RPT aggregator detects non-compliant connections | met (monitoring) |
| §3.3 | MTA-STS policy in mode=enforce | Policy hosting on EU CDN, wizard testing → enforce | met |
| §3.4 | DANE validation where DNSSEC is available | DNSSEC status check, DANE recommendation in audit | partial (DNS provider) |
| §4.1 | SPF record syntactically correct, < 10 lookups | Lookup counter, include tree, drift detection | met |
| §4.2 | DKIM signature, RSA ≥ 2048 or Ed25519 | Multi-selector audit, key-length check, rotation reminder | met |
| §4.3 | DMARC policy at least p=quarantine | Policy wizard with tightening over 4 phases | met |
| §5 | Reporting and auditability | PDF reports, audit log, configuration history | met |
| §6 | Vulnerability management | Continuous monitoring, alert engine on drift | met |
Note on §3.4 (DANE): DANE assumes a DNSSEC-signed zone. Signing is done at your DNS provider and is provider-dependent (e.g. deSEC supports DNSSEC, many large CDN providers don't). Mailantis monitors the status and provides recommendations; DNSSEC activation itself is outside our scope.
Note on §3.1 (TLS): Mailantis does not operate an MTA itself. TLS operations sit with your mail provider (M365, Google, your own server). We monitor the incoming reports via TLS-RPT.
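The record-level rows of the table (§3.3, §4.1, §4.3) can be checked mechanically. The Python below is an added example, not Mailantis code: the domain names, record values and the `SPF_ZONE` dictionary (which stands in for DNS lookups) are constructed, and the `< 10` lookup threshold is the one stated in the table.

```python
import re

# Constructed sample data for a placeholder domain; nothing here is live DNS.
STS_TXT = "v=STSv1; id=20260318094215Z"
STS_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.test\nmax_age: 604800\n"
DMARC_TXT = "v=DMARC1; p=quarantine; rua=mailto:reports@example.test"
SPF_ZONE = {  # domain -> SPF record, standing in for TXT lookups
    "example.test": "v=spf1 include:_spf.a.test include:_spf.b.test mx -all",
    "_spf.a.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.c.test -all",
    "_spf.b.test": "v=spf1 a exists:%{i}.bl.example.test -all",
    "_spf.c.test": "v=spf1 ip4:198.51.100.0/24 -all",
}
# SPF terms that cause a DNS query; the lookahead keeps "all" from matching "a".
LOOKUP_TERM = re.compile(r"[+\-~?]?(include|redirect|exists|ptr|mx|a)(?=[:=/]|$)")

def fields(text, item_sep, kv_sep):
    """Split 'key<kv_sep>value' items into a dict with lowercased keys."""
    pairs = (i.partition(kv_sep) for i in text.split(item_sep) if kv_sep in i)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def spf_lookups(domain, zone, seen=None):
    """Count DNS-querying SPF terms, following include/redirect targets."""
    seen = set() if seen is None else seen
    if domain in seen or domain not in zone:  # 'seen' stops include loops
        return 0
    seen.add(domain)
    total = 0
    for term in zone[domain].lower().split()[1:]:  # skip the v=spf1 tag
        m = LOOKUP_TERM.match(term)
        total += 1 if m else 0
        if m and m.group(1) in ("include", "redirect"):
            total += spf_lookups(re.split("[:=]", term, maxsplit=1)[-1], zone, seen)
    return total

def check(sts_txt, policy_text, dmarc_txt, domain, zone):
    """Evaluate the records against the requirements as the table states them."""
    sts, dmarc = fields(sts_txt, ";", "="), fields(dmarc_txt, ";", "=")
    return {
        "mta_sts_txt": sts.get("v") == "STSv1" and bool(sts.get("id")),
        "mta_sts_enforce": fields(policy_text, "\n", ":").get("mode") == "enforce",
        "dmarc_policy": dmarc.get("p", "").lower() in ("quarantine", "reject"),
        "spf_lookups_ok": spf_lookups(domain, zone) < 10,  # threshold from the table
    }
```

A policy left in `mode: testing` or a DMARC record with `p=none` parses cleanly but fails the corresponding check, which is the drift case the table's monitoring rows refer to.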
FAQ
Common BSI TR-03108 questions
What exactly is BSI TR-03108?
A technical guideline of the BSI (German Federal Office for Information Security) for secure email transport. Mandatory for public authorities and KRITIS operators, recommended for any organisation with elevated protection needs. Current version 1.0.4 (2024).
Who must implement TR-03108?
German federal authorities, KRITIS operators within the scope of the BSI Act, and contractors of the public sector. Recommended for banks, insurers, healthcare, energy.
What minimum requirements does TR-03108 place on MTAs?
TLS 1.2+ for inbound and outbound connections, MTA-STS policy in mode=enforce, DANE validation where DNSSEC is available, DMARC with p=quarantine or stricter, correct SPF and DKIM records.
Does Mailantis fully meet TR-03108?
Mailantis meets the DNS/DMARC/SPF/DKIM/MTA-STS requirements. The DANE requirement assumes DNSSEC — Mailantis monitors the DNSSEC status, but signing itself lies with your DNS provider.
Is Mailantis BSI-certified?
Mailantis itself is not BSI-certified (that would be a product certification). We help you meet the TR-03108 requirements for your domain. An authority's certification concerns the operator, not the software.
BSI-compliant email transport.
MTA-STS hosting + DMARC wizard + reporting in one package.