There are three customization and tuning options for EmailSentry™:
We provide simple installation instructions with every EmailSentry™ license that your users can use to get started.
Like the MoreInfo page below, most companies will want to host their own installation instructions, using our simple instructions as a starting point.
The "MoreInfo" page is the link on EmailSentry popup window called "More Info".
The MoreInfo Page is your page. It should look like your other web pages, with your corporate look-and-feel. It should have content specific to your company and your use of EmailSentry.
We provide a skeletal MoreInfo Page at the MoreInfo link we provided when we setup your subscription.
MoreInfo is where companies instruct their users how to use EmailSentry, and more importantly, what to do if EmailSentry stops an insecure address. This ranges from telling your users
"If you are certain that there is no 'protected information' in the email you may use the 'Send Anyway' menu choice to send the message"
"When you click the 'Send Anyway' button the email will be held in our secure email portal and your recipient will have to login to our website to view their message. Please phone them and let them know if this is the first time you have emailed them."
"When EmailSentry stops and lists one or more domains that are insecure, you may not send any email to this address and you must find another way to send the information."
Your MoreInfo page should:
It can include content from any of these links, or the links themselves:
For smaller IT departments without the ability to make their own webpages, CheckTLS can make text changes to the skeletal MoreInfo page that we provide, and even do some simple customizations with a logo or something.
No matter where your MoreInfo Page is hosted, it will likely include your EmailSentry password, so it should be protected on a private area of your website or on your private intranet. If someone steals your password and starts using some of your licenses, we can reset it, but this will then require all your users to reconfigure EmailSentry (click the configure link on your MoreInfo Page and then click Send in Outlook). So, while having your password stolen will not cost you any money, it will cost you time and effort to reconfigure everyone’s PC. Take some care to protect your password and the webpages that include it in plain text.
When we host your MoreInfo Page, it is a private link that no one knows but you, so it is protected as long as you and your employees do not share it.
We can protect your license by limiting access to a range of IP addresses. If all your users are inside your corporate network, this is an almost foolproof protection for your license. But if any of your users do email from outside your environment, for example from a laptop they take home and to cafes, then this will not help. See AUTH below for more information.
The Config File controls two things: the EmailSentry Add-in itself, and the("TestReceiver") webservice that EmailSentry uses.
The Config File controls several EmailSentry settings:
The Config File allows you to enter translations for all the EmailSentry prompts and controls:
The Config File also controls the("TestReceiver") test that is the foundation of EmailSentry. All of the options, and thus all the capabilities, of the test can be specified in a Config File.
As some of the settings for EmailSentry (above) have the same names as settings for, the Config File marks settings for by prefixing them with "a_". Case is important, it must be a lowercase "a".
The Config File has two parts: a Fixed Config File and an optional Live Config File. They are read every time Outlook starts. Both have the same XML format.
The Fixed Config File is stored on the user's PC and is loaded into Outlook every time Outlook starts. Because it is on the local PC, it is always available (even when the Internet is down) and loads almost instantly.
When a user configures EmailSentry (by clicking on the configure link and then clicking Send in Outlook), EmailSentry fetches a new Fixed Config File from our servers.
Most EmailSentry customers do not change their user’s Fixed Config Files very often, since it requires that each user does something (click a link and then click Send). If we are hosting your Fixed Config File, you can send us changes and we will install them within two business days (usually within a few hours).
For more control, you can store the Fixed Config File as a URL on your own servers. Send us the URL and we will have our servers redirect all configure requests from your users to that link. Be sure the URL is accessible from inside and outside your firewalls if users might have to configure EmailSentry from outside.
The Live Config File is stored on the Internet, your intranet, or some other network connection. Typically a URL, it is fetched every time Outlook starts. Settings in the Live Config File override settings in the Fixed Config File.
The Live Config File lets you tune EmailSentry without making your users click the (re)configure link: users just have to close and re-open Outlook to get Live Config File changes.
Because the Fixed Config File is local to the user's PC, it is always available and always works. We designed EmailSentry so that important and infrequently changed settings go in the Fixed Config File. That way EmailSentry works even if the Live Config File cannot be fetched.
The Live Config File is more flexible, albeit with some risk. Obviously, if the Live Config File cannot be fetched, its settings are ignored. Also there is the chance that if fetching the Live Config File takes too long, Microsoft will deem EmailSentry unresponsive and disable it. With EmailSentry Version 1.22 and above, this chance is greatly reduced. We provide instructions for how to re-enable a disabled Add-in at https://www.checktls.com/EmailSentry/troubleshooting.html.
For any Config Files you host, your server must return a valid XML file with content-type=text/xml. We can send you a copy of your file from our server as your starting point.
This is the only required parameter in a Config File. Your AUTH code is unique to your license and it is how we control access to EmailSentry.
AUTH is a public/private key encrypted combination of your CustomerCode, CustomerPass, and one or more IP address masks. See Shared Customer Information for info about CustomerCode and CustomerPass.
Your CustomerCode and CustomerPass are your Corporate Subscription permissions to the CheckTLS website. All EmailSentry licenses include a full Corporate Subscription to CheckTLS.
The IP address masks are used to limit use of EmailSentry and your Corporate Subscription to those specific IP addresses. For very security conscious organizations that only allow access to corporate assets from within their own controlled environment (i.e. network), this can be used to protect your EmailSentry license, and your access to any information, such as stored tests, as part of your Corporate Subscription.
It does preclude, obviously, any use of EmailSentry and the CheckTLS website, from anywhere but your network.
Every time EmailSentry checks a domain from an Outlook email it sends the email address, your Config File choices, and your AUTH code to our servers. We decode the AUTH with our private key and check that your CustomerCode and CustomerPass are still valid, and that the user's PC has a public IP address in one of the decoded IP address masks. If so, the test is run and results returned to EmailSentry. If not, we return an error to EmailSentry, which the popup then displays.
EmailSentry finds everything it needs to know about the security of a recipient from just the recipient's domain (the stuff after the "@"). When processing multiple (To:, CC:, and BCC:) recipients, EmailSentry first finds all the unique domains. When an email has more than one unique domain, EmailSentry has three ways (modes) to test each domain: linear, multi, and parallel.
Linear mode tests the domains one at a time. As each test finishes, the domain is listed in the textbox and the progress bar fills in across the window. This gives the user positive feedback that EmailSentry is working, and reminds them that Email Security is important.
Multi mode sends all the domains to CheckTLS at once. CheckTLS servers can process many domains at the same time, so this is faster when doing more than about two domains. The progress bar shows an estimate of how far along the test process is, but this can only be an estimate since the testing is being done remotely. The results typically show up all at once in the textbox.
Parallel mode runs multiple copies of EmailSentry on the user's PC. EmailSentry is very efficient, and a typical PC or laptop can process hundreds of domains in parallel. With Parallel mode, the textbox and the progress bar more accurately show how far along the testing is.
These three modes are controlled by two configuration parameters: CHECKMULTI and CHECKPARALLEL. Both have three numbers: min, batch, and max. "min" is the lowest target (unique domain) count that will use that mode, "batch" is how many targets to test at once, "max" is the most targets that the mode can handle. A target count outside the min/max for either mode will be tested linearly. Linear testing is the fastest for just a couple targets, and the safest, albeit unworkable, for impossibly large target counts. Anyone sending to hundreds of targets should be verifying them with CheckTLS "Batch", not in EmailSentry.
By default, EmailSentry is set to process up to 3 domains linearly.
More than that are processed in multi mode, sending them all to CheckTLS to process at once.
So the default settings are:
EmailSentry can flag a message that does not meet your security requirements so your mail system can do special processing with them. This special processing could be End-to-end Encryption, outsourced email like CounterMail or ProtonMail, or your own webmail.
<ENCRYPTOPTION>sensitivity:Confidential</ENCRYPTOPTION> tells EmailSentry to change the message's Sensitivity to Confidential. Confidential can be one of Normal, Personal, Private, or Confidential.Note that this is a "message level" option, so when it is invoked it pertains to all recipients.
<ENCRYPTOPTION>subject:/reOLD/reNEW/</ENCRYPTOPTION> tells EmailSentry to change the message's Subject:. Any string in the message Subject matching reOLD will be replaced with reNEW. Since these "re"s are Regular Expressions, you can insert a string at the beginning with "subject:/^/[newstring]/", or at the end with "subject:/$/[newstring]/".
<ENCRYPTOPTION>subject:/^/ENCRYPT THIS ONE /</ENCRYPTOPTION>
will add "ENCRYPT THIS ONE " as the first characters of the message's Subject:
<ENCRYPTOPTION>recipient:/reOLD/reNEW/</ENCRYPTOPTION> tells EmailSentry to change just insecure recipient addresses. Note that since this option only changes the insecure recipients, Recipient Flag can send the email two different ways: the normal way to secure recipients, and with special processing as mentioned above for insecure ones.
will change all insecure addresses from "firstname.lastname@example.org" to "email@example.com".
We can provide sendmail rules that intercept an @forcetls.com address, rewrite it back to what it was, and direct the email to an alternate emailer, for example to send the email to an outside service that encrypts it or that allows the user to access it safely from a website.
Here is a sample Config File:
<?xml version="1.0" encoding="utf-8" ?>
<RECONFIGUREURL>https://www.checktls.com/GetCsOAConfig?</RECONFIGUREURL> <!-- loaded on config email to code@CsOA.CheckTLS.com (replaces this file entirely so need AUTH node in it) -->
<CONFIGURL>https://www.checktls.com/CsOA/YourCode/LiveConfigFile.xml</CONFIGURL> <!-- loaded every Add-In startup, is additive to RECONFIGUREURL settings -->
<TIMEOUT>30</TIMEOUT> <!-- CsOA HttpWebRequest -->
<a_TIMEOUT>11</a_TIMEOUT> <!-- TestReceiver TO -->
<MOREINFOURL>https://www.checktls.com/CsOA/YourCode/MoreInfo.html</MOREINFOURL> <!-- link displayed on popup -->
<POPUPURL>https://www.checktls.com/CsOA/YourCode/PopUp.txt</POPUPURL> <!-- messagebox that displays after any config file load -->
<T_Change>&Change This Email</T_Change>
<T_Delete>&Delete This Email</T_Delete>
<T_Send>&Send This Email Anyway</T_Send>
<T_CheckingRecipient>Checking Recipient Security</T_CheckingRecipient>
<T_TheseDomainsFailed>These domains failed CheckTLS:</T_TheseDomainsFailed>
<T_NewConfigFileSaved>New config file saved!
Please close and re-open Outlook.</T_NewConfigFileSaved>
There are a few hidden commands that we use to diagnose problems. They are triggered by entering special strings in the Subject: of an email and clicking Send. The email can be a live email that will be sent, or a dummy email, i.e. with an invalid address.
debug.debug.debug turns on debugging messages. EmailSentry™ will display information about what it is doing in popups as it processes the email. The email is sent. This setting stays on until you exit Outlook and restart it.
fullerrors.fullerrors.fullerrors displays all the information it has about an error it encounters. Normally error messages are summarized. The email is sent. This setting stays on until you exit Outlook and restart it.
path.path.path shows a one-time popup with the path to the Config File on the user's PC. The email is not sent.
version.version.version shows a one-time popup with the version string of EmailSentry™ installed on the user's PC. The email is not sent.
config.config.config puts the Config File contents and all internal config variables into the body of the email. You are returned to editing the email.
uid.uid.uid puts the user's unique UID (one-way hash of their USERNAME and COMPUTERNAME) into the subject of the email. You are returned to editing the email.
test.test.test runs the message in "test" mode: normal testing is done but the final pop-up is displayed even if no errors are found, and the user must choose Change, Delete, or Send anyway.