Internet Email Security Made Simple

Internet Email Security

All security rules, requirements, and regulations come down to one thing:
keep confidential information away from everyone not allowed to have it.

For email going over the Internet, the most common protection is encryption. Encryption takes the original text of an email and turns it into gibberish. The gibberish contains the original content, but it is unreadable except by someone with the “key” that turns the gibberish back into the original text.

All the rules, requirements, and regulations regarding email going over the Internet say that TLS (Transport Layer Security) is an acceptable encryption method.

If your email has TLS encryption when it goes over the Internet, you are “secure”.

All modern email systems can do TLS. These email systems by default try to use TLS automatically when sending email. But these email systems typically require some setup before they will use TLS to receive email.

Both sides, the sender and the receiver, have to agree to use TLS. If either side does not, most email systems will simply send the email in plain text. And plain text meets no security requirement.

The Responsible Party

The basic rule that “confidential information must be protected” makes the email sender responsible for ensuring the email is encrypted. The receiver has no control over what a sender sends, just like you have no control over someone leaving an important document on top of your desk.

Mandatory vs Opportunistic TLS

Email systems have two choices for TLS: Mandatory and Opportunistic.

When set to Mandatory, an email system will not send or receive an email unless it is TLS encrypted. While this sounds like the “right answer”, it requires both sender and receiver to have working TLS. Because many email systems do not have TLS yet, in practice this means you cannot email with a large number of people.

Opportunistic TLS, on the other hand, says “use TLS if the other side will too”. As long as both sides have working TLS, all email will be secure. This is what the majority of the Internet uses today.

Some companies, especially the larger ones, will use a combination of Mandatory and Opportunistic. They maintain a list of domains with which they force Mandatory TLS, but they email with everyone else using Opportunistic TLS.

The Risks and How to Mitigate Them

For you, as an email sender, to meet your security requirements you have to ensure that TLS is used for all email with protected information in it.

One option is to use Mandatory TLS. That means maintaining a list of trading partners with whom you turn on Mandatory TLS.

A more common, and much easier, option is to make sure Opportunistic TLS always uses TLS and is not falling back to plain text. Email security compliance doesn't care if you call encryption Mandatory or Opportunistic, it only cares that email is encrypted.

Meeting Compliance Requirements with Opportunistic TLS

If you know that your email sender is properly configured for TLS, and you know that the recipient is also properly configured for TLS, then you know that Opportunistic TLS will encrypt your email. So you know you are compliant.

How do you know that sender and receiver are properly configured? You test them!

Even if you use Mandatory TLS, you need to test that it is properly configured. Email systems are notorious for silently falling back to plain text if anything goes wrong. It is very difficult to tell if an email was encrypted or was sent in plain text.
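The check described above, written as an added Python example (not CheckTLS's own tooling): it parses an EHLO reply for the STARTTLS keyword, models the Mandatory vs Opportunistic decision an email system makes when TLS is missing or fails, and, given network access, performs a live STARTTLS check against a receiver with certificate verification. The host name mail.example.test and the two EHLO replies are constructed samples.

```python
import smtplib
import ssl
import sys

# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_TLS = "250-mail.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_NO_TLS = "250-mail.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"

def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line EHLO reply into {KEYWORD: parameters}; the first line is the greeting."""
    features = {}
    for line in reply.strip().splitlines()[1:]:   # skip the "250-hostname" greeting line
        body = line[4:]                            # strip the "250-" / "250 " prefix
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params
    return features

def delivery_decision(policy: str, starttls_offered: bool, tls_ok: bool) -> str:
    """What an email system does with a message: 'tls', 'plaintext' (the silent fall-back) or 'deferred'."""
    if starttls_offered and tls_ok:
        return "tls"
    if policy == "mandatory":
        return "deferred"      # Mandatory TLS never sends in the clear; the mail waits or bounces
    return "plaintext"         # Opportunistic TLS falls back to plain text

def check_receiver(host: str, policy: str = "opportunistic", port: int = 25, timeout: int = 15) -> dict:
    """Live check of one receiving mail server (needs network): EHLO, then STARTTLS with a verified certificate."""
    ctx = ssl.create_default_context()   # verifies the server certificate chain and host name
    result = {"host": host, "starttls_offered": False, "tls_ok": False, "tls_version": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["starttls_offered"] = smtp.has_extn("starttls")
        if result["starttls_offered"]:
            try:
                smtp.starttls(context=ctx)
                smtp.ehlo()                        # a second EHLO is required after STARTTLS
                result["tls_ok"] = True
                result["tls_version"] = smtp.sock.version()
            except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
                result["error"] = str(exc)         # e.g. untrusted certificate: TLS was offered but not usable
    result["decision"] = delivery_decision(policy, result["starttls_offered"], result["tls_ok"])
    return result

if __name__ == "__main__":
    # usage: python check_receiver.py mail.example.test [opportunistic|mandatory]
    print(check_receiver(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "opportunistic"))
```

A result whose decision is "plaintext" is exactly the silent fall-back the text warns about; under "mandatory" the same receiver yields "deferred" instead.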

Testing is Key

CheckTLS, and many other sites on the Internet, allow you to test an email receiver for TLS. The CheckTLS //email/testTo: ("TestReceiver") is more comprehensive and has more features than any other test.

CheckTLS, like very few (if any) sites on the Internet, allows you to test an email sender for TLS. The CheckTLS //email/testFrom: ("TestSender") is more comprehensive and has more features than any other test.

Remember it is the sender who is responsible for email encryption on the Internet.

Finally, unlike any other site on the Internet, CheckTLS allows you to test for Mandatory TLS. The CheckTLS //email/testMandatoryTo: ("TestReceiverAssureTLS") makes sure that you will not fall back and receive an email in plain text.

The CheckTLS //email/testMandatoryFrom: ("TestSenderAssureTLS") makes sure that you will not fall back and send an email in plain text. For anyone using Mandatory TLS, this is the only test we know of that can verify your email security compliance.