Critical Vectors of Dependence: E-mail, Certificates and CDNs
Technological dependence is not always measured in percentages of hardware. Often, it lies in the control over daily operational tools.
To better understand the vulnerabilities, Art Resilia’s study specifically evaluated critical vectors of dependence, including e-mail services, which have expanded far beyond their original purpose. Nowadays e-mail acts as a platform for knowledge transfer, chat services, and procedural control. This ubiquity makes e-mail indispensable but also a significant vector of risk.
The E-mail Paradox
E-mail services have evolved beyond simple messaging to become the knowledge base and control system for modern organizations. Therefore, control over this infrastructure is paramount.
The analysis of e-mail infrastructure location (MX/SPF records) highlights where communications are geographically stored and managed:
- Global View: 55.2% of domains utilise e-mail services operated or hosted within national territory. However, the United States emerges as the dominant external location, supporting 34.7% of domains.
- Public Sector Exposure: Among public sector domains, 53.4% rely on services operated in Portugal, but a significant 44.2% use e-mail infrastructure located predominantly in the United States.
- Private Sector Externalization: The private sector shows a slightly lower reliance on the US but still reveals accentuated externalization of corporate e-mail infrastructure.
This reliance means the protection, confidentiality, and integrity of institutional communications are often subject to US legislation, such as the CLOUD Act, a clear indicator of limited control.

CDN and Certificate Concentration
Digital resilience requires control over the mechanisms that secure and deliver data. The findings related to CDNs and SSL/TLS certificates highlight a critical centralisation risk:
- CDN Failure: A Resilience Gap
  - Low Adoption: A vast majority (80.7%) of analysed assets do not use CDNs. This represents a clear security and performance gap, increasing exposure to threats like Distributed Denial of Service (DDoS) attacks.
  - Exclusive US Dependency: For the minority that does use CDNs, all solutions are proprietary and headquartered in the US. This 100% external dependence on a single jurisdiction raises serious concerns about data sovereignty and service continuity.

- SSL/TLS Certificates (SMTP)
  The security landscape for e-mail services (SMTP) utilising active SSL encryption presents a deeply concerning picture of external dependency. This critical vector of digital communication (e.g., Let’s Encrypt, Google, Sectigo, DigiCert) raises questions about the integrity, confidentiality, and availability of institutional electronic communications.

Crucially, the security of e-mail services (SMTP) relies significantly on providers subject to US jurisdiction (Google, DigiCert, Sectigo). This centralisation compromises Portugal’s digital sovereignty by making critical state and corporate communications vulnerable to external legal and political influences.
The evidence points to an ongoing need to diversify providers, invest in local or open-source solutions, and aggressively promote policies that ensure Portugal has sovereign control over the critical tools that underpin national communication and data delivery.