Notice Changes in Emails

These are step by step instructions to quickly and easily notice a security change in sites you email.

It is very important that you check for TLS on every email addresses that you send to.

The rule that "confidential information must be protected" makes you, the sender, responsible for the security of every email you send. And your emailer will send in "plain text" if a recipient doesn't do TLS. Don't believe us? Prove it here: //email/testMandatoryFrom:.

Our interactive //email/testTo: shows TLS Version and lots of other settings for an email address. With theses instructions you can report one or more of these settings for hundreds or thousands of email addresses.

It takes a Corporate Subscription to CheckTLS ($25 to try for 30 days) and a few minutes of your time. It is easy, and we offer free, unlimited support so we are sure you will be satisfied.

Overview

These steps will:

  • test all your addresses
  • select the good ones and save their security level
  • monitor them for changes
  • handle the other (not good) addresses
For your convenience, each step in this how-to is on a colored line below with a checkbox at the front, like this:

  • Subscribe to CheckTLS

Test All Your Addresses

All email addresses to the same Domain (the part after the "@" in an email address) have the same security so you only need to list each Domain once. CheckTLS calls a list of email addresses a "Batch" and each unique Domain a "Target".

Batches are controlled by a Batch Input XML file, which can be complicated. Here we use an Excel workbook to make the input much easier. We encourage you to use our example workbook as is for your first time through, then make changes and run it as often as you want.

  • Gather a list of email addresses ("Targets") that you use.
  • Download this Excel workbook.
  • Enter your Targets on the Targets tab of the workbook.

Common sources for your own Targets are your address book, a send log on an email server, an export from your CRM system, etc. Our example uses:

CheckTLS.com
RefuseTLS.CheckTLS.com
Invalid.CheckTLS.com
TLSv1.CheckTLS.com
  • Fill in the Settings tab of the workbook:
BatchIDuse "new" to create a batch, then put the batch number here when you want to update it
Descriptiondescription to remind you what the batch is
RunNowuse "Y" to run the batch right away, "N" to just save it for later
BatchTest-Attributeleave this as "TestType="receiver""
Delivery-Toput your email address here (where you want the results sent)
Delivery-Formatleave this as "csv"
Delivery-OnlyNodelist the "Node" names you want to extract (see below)
Target-Attributeleave this as "MXPrefLimit="50%""

Use the interactive //email/testTo: ("TestReceiver") to see what "Node" names are available. Use one of the XML Output Formats to note the exact XML "Node" name of each setting you want to extract.

Our example extracts the Target, score, and TLS Version (Nodes "eMailAddress", "ConfidenceQFactor", and "SSLVersion" respectively).

Here are the Settings from the example Excel workbook:

BatchIDnew
DescriptionBaseLine First Testing
RunNowY
BatchTest-AttributeTestType="receiver"
Delivery-Toyou@yourdomain.com
Delivery-Formatcsv
Delivery-OnlyNodeeMailAddress
Delivery-OnlyNodeConfidenceFactor
Delivery-OnlyNodeSSLVersion
Target-AttributeTimeOut="30"
  • Save the workbook where you can find it later.
  • Send the workbook to CheckTLS.

Browse to //email/excelSavedTest. Use the Excel File: choice to navagate to your saved Excel workbook. You can turn on Show XML if you want to see the underlying XML that your workbook creates. It is not necessary and can be confusing.

When you click the Update/Run button, your workbook is uploaded to our servers. It is checked for errors, and if all the Settings are good it creates (or updates) the Batch and optionally runs it:

Instructions/Info
Input Fields
BatchExcel parameter entry Excel File: BatchBaseLineFirst.xlsx
Show XML:  

Test Results
Batch #1 Created | Batch #1 Queued (Estimated finish: 04-08 07:54)

Your results will be emailed to you in a few minutes. The entire Batch should take about 4 seconds per Target.

You can use the and/or buttons in //email/editSavedTests to monitor your Batch and see your results.

When the Batch finishes your results will look like:

"eMailAddress","ConfidenceFactor","SSLVersion" "CheckTLS.com","121","TLSv1_3" "RefuseTLS.CheckTLS.com","0", "NoDNS.CheckTLS.com","50", "TLSv1.CheckTLS.com","71","TLSv1"

Select Your Good Addresses and Save Their Security Level

With CheckTLS, you decide what "Good", or "secure enough" means. See There is no Yes or No for more information. We suggest a ConfidenceFactor of 90 or above is "secure enough".

These next steps work with the "Good" addresses that meet your security requirements. Later steps describe what to do with "Bad" addresses.

  • Open the Results CSV File in Excel (from email in above test).
  • Sort the Results by ConfidenceFactor (Data, Sort, My data has headers, sort by ConfidenceFactor).
  • Download this Excel workbook.
  • Copy/Paste the "Good" Targets from the Results CSV to the Targets tab of this new workbook.

Our example only has one good Target:

CheckTLS.com
  • Fill in the Settings tab of the new workbook:
BatchIDuse "new" to create a batch, then put the batch number here when you want to update it
Descriptiondescription to remind you what the batch is
RunNowuse "Y" to run the batch right away, "N" to just save it for later
BatchTest-Attributethis must be "TestType="setbaseline""
Delivery-Toput your email address here (where you want the results sent)
Delivery-Formatleave this as "csv"
leave row 7 alone for now (column A is blank)

Here are the Settings from the example Excel workbook:

BatchIDnew
DescriptionBaseLine Good Testing
RunNowY
BatchTest-AttributeTestType="setbaseline"
Delivery-Toyou@yourdomain.com
Delivery-Formatcsv
Function="count" Test="le" Value="1"Delivery-Suppress-Attribute
  • Save the workbook where you can find it later.
  • Send the workbook to CheckTLS.

Browse to //email/excelSavedTest. Use the Excel File: choice to navagate to your saved Excel workbook. You can turn on Show XML if you want to see the underlying XML that your workbook creates. It is not necessary and can be confusing.

When you click the Update/Run button, your workbook is uploaded to our servers. It is checked for errors, and if all the Settings are good it creates (or updates) the Batch and optionally runs it:

Instructions/Info
Input Fields
BatchExcel parameter entry Excel File: BatchBaseLineGood.xlsx
Show XML:  

Test Results
Batch #2 Created | Batch #2 Queued (Estimated finish: 04-08 07:54)

Your results will be emailed to you in a few minutes. The entire Batch should take about 4 seconds per Target.

You can use the and/or buttons in //email/editSavedTests to monitor your Batch and see your results.

When the Batch finishes your results will look like:

"Target","SetScore" "CheckTLS.com","121"

As the result says, running this batch has "set the baseline" score for each of your Good Targets.

Monitor Your Good Addresses for Changes

All the steps above were to get to this point. Here we instruct CheckTLS to notify you when one of your Good Targets fails.

Note you could use BatchEdit to make the below changes directly on CheckTLS, rather than using the Excel workbook.

  • Open the saved workbook with your Good Targets.
  • Change the Settings tab from saving the BaseLine to checking the BaseLine:
BatchIDyou MUST uses the same BatchID as the setbaseline batch
Descriptiondescription to remind you what the batch is
RunNowuse "Y" to run the batch right away, "N" to just save it for later
BatchTest-Attributethis must be "TestType="baseline"" (not "setbaseline")
Delivery-Toput your email address here (where you want the results sent)
Delivery-Formatleave this as "csv"

Cut cell C7 and Paste it into A7. Row 7 now tells CheckTLS: do not send the results if all the Targets still match their stored BaseLine.

Here are the Settings from the example Excel workbook:

BatchIDnew
DescriptionBaseLine Good Testing
RunNowY
BatchTest-AttributeTestType="baseline"
Delivery-Toyou@yourdomain.com
Delivery-Formatcsv
Delivery-Suppress-AttributeFunction="count" Test="le" Value="1"
  • Save your changes to the workbook.
  • Send the workbook to CheckTLS.

Browse to //email/excelSavedTest. Use the Excel File: choice to navagate to your saved Excel workbook. When you click the Update/Run button, your workbook is uploaded to our servers and run.

Instructions/Info
Input Fields
BatchExcel parameter entry Excel File: BatchBaseLineGood.xlsx
Show XML:  

Test Results
Batch #2 Updated | Batch #2 Queued (Estimated finish: 04-08 07:54)

Notice that this says that Batch #2 was "updated", not created. This is important, as a baseline batch has to be the same BatchID as the setbaseline batch.

When the Batch finishes you should get nothing. A nothing result means the Targets you listed are still secure.

If a Target breaks, i.e. their security level changes, you will get this email:

"Target","BaseLineScore","CurrentScore","Match" "CheckTLS.com","121","75","0"

As that result says, Target "CheckTLS.com" use to score 121 but now only scores 75, which does not Match.

See About BaseLine Testing for more information about the capabilities, features, and settings of BaseLine Testing, like why column A was blank the first time and how it instructs CheckTLS to only sends results if something changed.

The About BaseLine Testing documentation also describes how to set a range of "scores" that are acceptable "matches" for a Target's BaseLine. Some Target scores can vary a few points depending on which MX hosts they have in production on any given day.

  • Schedule the BaseLine testing to run regularly.

Use BatchEdit to schedule this BaseLine comparison test to run weekly or even daily. Have the Result sent to your network operations center (NOC) or the head of your security practice, as any email sent by this test means you are now sending plain text emails to the listed Target(s). Clearly not desirable and maybe illegal.

Handle the Not Good Addresses

We suggest dividing your Targets into three groups:

Good
Targets that are secure and that you can use.
Bad
Targets that are NOT secure and that you should not use.
Untestable
Targets that cannot be tested.

Use three workbooks to tell CheckTLS to treat the three different groups of Targets differently. They will have three different "tell me if something changed" criteria:

Good
If an address that you rely on breaks (test frequently)
Bad
If you can start relying on what was a Bad address (test less frequently)
Untestable
If an address you could not test becomes Good or Bad (test infrequently)

The above steps created the Good workbook. To create a "Bad" workbook:

  • Open the Results CSV from the All Targets batch (the first one above).
  • Download this Excel workbook.
  • Copy/Paste the no security Targets (score 0 to 49) from Results CSV to Targets tab.
  • Copy/Paste the wesk security Targets (score 51 to 89) from Results CSV to Targets tab.
  • Adjust the Settings tab as you did for the Good setbaseline instructions above.
  • Save the workbook.
  • Send the workbook to CheckTLS and run it (//email/excelSavedTest).
  • Use BatchEdit to change the Batch from setbaseline to [check]baseline, or
  • Change the workbook to check the BaseLine (rather than "set" the BaseLine):
BatchTest-Attributethis must be "TestType="baseline"" (not "setbaseline")

Cut cell C7 and Paste it into A7 (do not send if all Targets still match their BaseLines).

Here are the Settings from the example Excel workbook:

BatchID3
DescriptionBaseLine Bad Testing
RunNowY
BatchTest-AttributeTestType="baseline"
Delivery-Toyou@yourdomain.com
Delivery-Formatcsv
Delivery-Suppress-AttributeFunction="count" Test="le" Value="1"
  • Save your changes to the workbook.
  • Send the workbook to CheckTLS.

Browse to //email/excelSavedTest. Use the Excel File: choice to navagate to your saved Excel workbook. When you click the Update/Run button, your workbook is uploaded to our servers and run.

Instructions/Info
Input Fields
BatchExcel parameter entry Excel File: BatchBaseLineBad.xlsx
Show XML:  

Test Results
Batch #3 Updated | Batch #3 Queued (Estimated finish: 04-08 07:54)

Again, when the Batch finishes you should get nothing. A nothing result means the Targets you listed are still not secure.

If a Target becomes secure, i.e. their security level changes, you will get this email:

"Target","BaseLineScore","CurrentScore","Match" "TLSv1.CheckTLS.com","71","94","0"

As that result says, Target "TLSv1.CheckTLS.com" use to score 71 but now only scores 94, which does not Match. That target just switched from TLS v1 to TLS v1.2.

Use the same steps to create an Untestable batch, selecting the Targets from your original test above that scored exactly 50.