Check For TLS From Inside Outlook

Email Security Compliance

With the CheckTLS Outlook Add-In, Outlook checks for TLS encryption when it sends an email. It checks all the addressees (TO:, CC:, BCC:) before sending the email to anyone.

The Add-In satisfies most HIPAA, PCI, GDPR, etc. requirements. It is immediate, at-the-source, email security compliance.

How It Works

When you click the Send button in Outlook, the Add-In automatically runs. It finds all of the unique domains in your list of TO:, CC:, and BCC: addresses and then tests each of them for TLS.

It pops up a window that displays a progress bar and each domain as it tests it. If all the domains are OK, it disappears and lets Outlook send the message.

In most cases that is all you see. When you click Send, a small window appears and then disappears and the email gets sent.

If A Domain Fails

If any domain fails, meaning the email would be sent plain text, it stops and asks you if you want to send the message anyway, go back and change it (to remove the offending addressee or remove any confidential information), or cancel (delete) the message.

If an email has many addressees, meaning lots of domains to test, the pop-up window lets you interrupt the test with the same three choices: send it, change it, or delete it.

Puts A Person In Control

If you have ever replied-all to a group message, only to have a bounce or two come back, you know what this means. When you get a reply-all bounce, you realize that the original message also bounced, so some people never got the original message. The same is true for in-line encryption devices and services. They return a copy of the original email for each addressee that is not secure, and they do nothing to inform the rest of the group that someone(s) did not receive the email.

With this Add-In there are no bounces. You remove the insecure address or remove the confidential information and eliminate the problem before it even happens.

White-List Domains

To speed the test up even more, the Add-In lets you list domains that the test can skip, either because you know they are secure or you don’t care if emails to them are encrypted.

Client / Server

The Add-In uses a client/server model with the CheckTLS website as the back-end, so it does not require port 25 to be open to each PC (something many organizations do not allow), and it allows you to harness the full power of the CheckTLS test suite to define what “has TLS” means for your organization.


You can host a config file on your server(s) to specify the allowed versions of TLS, cipher suites, certificates, white-listed domains, etc.

Is It Safe To Use

The Add-In does not access the content of any email. It does not use email addresses; it only uses the domain part (the part after the "@"). It calls a WebService on our servers, sending only the domain and your authentication (license) information.

The WebService returns an XML document with the TestReceiver score.

We can provide examples of the source code of the WebService call and the return XML document upon request.

Is It Safe to Install

The Add-In uses Microsoft's ClickOnce deployment.

ClickOnce install is very safe.
It requires an authenticode certificate issued to SecurEmail LLC that signs every file in the installation. This certificate is not stored on our web servers, so a security breach of our servers cannot hack your Add-In.

ClickOnce applications uninstall easily and safely.
Windows makes sure you can uninstall the Add-In and delete all its files with Windows Add/Remove Programs.

ClickOnce applications are very safe.
From the Microsoft documentation:
Because ClickOnce applications are isolated, installing or running a ClickOnce application cannot break existing applications. ClickOnce applications are self-contained; each ClickOnce application is installed to and run from a secure per-user, per-application cache. ClickOnce applications run in the Internet or Intranet security zones.

Only Works With Outlook on Windows

Today the Add-In only works with Outlook on a PC. Microsoft does not yet have all the functionality we need to implement the Add-In in their broader O365 add-in framework that works with Outlook (PC, MAC, smart phone), Exchange, and O365 on-line.

Is It Really HIPAA/GDPR Compliance

Yes. For completeness sake, you should verify that the email host or email security device from which you send email uses TLS when it sends. Both the sender and the receiver have to agree to use TLS. Every modern email system we see does this out of the box. You can use our //email/test From: to make sure yours does.

And since this site focuses on testing, we also suggest you test how you send email regularly, because no matter how sophisticated your email security device(s) are, if they fail they can silently fall back to plain text email and you may never notice.

Speed vs Security

The Add-In uses the CheckTLS QUICK option to test just the first MX host, which is the same one your mailer will use. The QUICK option only takes a few seconds, as opposed to the full CheckTLS Test Receiver that looks at all the MX hosts and scores everything (you can use the full test, but it does slow down the process noticeably). If super security is more important than slower email, the configuration file you host can specify the FULL CheckTLS test.

License Agreement

The License Agreement can be found here.


Pricing is based on the number of PCs running Outlook. Prices start at $429/year for 5 PCs but quickly range to $10/year and go as low as $1/year. A $250/yr Corporate Subscription is required.

ANNUAL COST IN USD ($) monthly
per user
5 $35.78 $250 $429 $7.15
10 $28.14 $250 $531 $4.43
25 $20.48 $250 $762 $2.54
50 $16.11 $250 $1,055 $1.76
100 $12.67 included $1,267 $1.06
250 $9.22 included $2,305 $0.77
500 $7.25 included $3,626 $0.60
1000 $5.70 included $5,704 $0.48
10000 $2.57 included $25,679 $0.21
(enter qty)

We do have a reseller and VAR pricing. Contact Us for details.

Can I See It In Action

Yes, there is an early video of the Add-In running here.