I just want to know what TLS version is used!

There are several reasons why this is difficult. Some of them are described in this FAQ: Why do you "score" TLS instead of giving a Yes or No answer? Just as there is no fool-proof Yes or No answer to "Does this address do TLS?", there often is not a definitive answer to "What versions of TLS does this address use?"

But difficult or not, people still want an answer to the version question. So we make it easy to get the (potentially wrong) answer. And unique to CheckTLS, we let you add intelligence and tune the question to make it as "less wrong" as you want.

Note that these instructions require a Corporate Subscription to CheckTLS ($25 to try for 30 days) and a few minutes of your time. It is easy, and we offer free, unlimited support so we are sure you will be satisfied.

We offer a simple Excel front-end to Batch testing and a more thorough XML method with advanced capabilities.

TLS Version using Excel

These are step by step instructions to quickly and easily report the TLS Versions of a list of email addresses using //email/excelBatch ("BatchExcel").

Create a Batch

All email addresses to the same Domain (the part after the "@" in an email address) have the same security so you only need to list each Domain once. CheckTLS calls a list of email addresses a "Batch" and each unique Domain a "Target".

Batches are controlled by a Batch Input XML file, which can be complicated, so CheckTLS offers an Excel workbook to make the input easier. We encourage you to use the workbook as is for your first time through, then make changes and run it as often as you want. Common sources for your own Targets are your address book, a send log on an email server, an export from your CRM system, etc.

Create the Excel Workbook

Download this Excel workbook.

Enter your Targets (email address domains) one per row on the Targets tab of the Excel workbook. Our example uses:

Choose The Settings You Want To Extract

Fill in the Settings tab of the Excel workbook:

BatchIDuse "new" to create a batch, then put the batch number here when you want to update it
Descriptiontype a description to remind you what the batch is
RunNowuse "Y" to run the batch right away, "N" to just save it for later
BatchTest-Attributeleave this as "TestType="receiverquick""
Delivery-Toput your email address here (where you want the results sent)
Delivery-Formatleave this as "csv" (another option is "xml-detail")
Target-Attributeleave this as "SMTPTimeOut="30""

Here are the Settings from the example Excel workbook:

DescriptionMy First Extract Batch
Upload the Excel Workbook

Browse to //email/excelBatch. Use the Excel File: choice to navagate to your saved Excel workbook. You can turn on Show XML if you want to see the underlying XML that your workbook creates. It is not necessary and can be confusing.

When you click the Update/Run button, your workbook is uploaded to our servers. It is checked for errors, and if all the Settings are good it creates (or updates) the Batch and optionally runs it:

Input Fields
BatchExcel parameter entry Excel File: BatchExtractFirst.xlsx
Show XML:  

Test Results
Batch #1 Created | Batch #1 Queued (Estimated finish: 04-08 07:54)

Your results will be emailed to you in a few minutes. The entire Batch should take about 4 seconds per Target.

You can use the and/or buttons in //email/testBatch to monitor your Batch and see your results.

See the Results

If you put "csv" in the Delivery-Format row on the Settings tab, your results will look like:

"eMailAddress","ConfidenceQFactor","SSLVersion" "CheckTLS.com","121","TLSv1_3" "RefuseTLS.CheckTLS.com","0", "NoDNS.CheckTLS.com","50", "TLSv1.CheckTLS.com","71","TLSv1"

If you put "xml-detail" in the Delivery-Format row on the Settings tab, your results will look like:

<CheckTLS> <Results test="BatchTest_receiver" version="V03.19.02" format="xml-detail" id="1" description="My First Extract Batch"> <Result origin="www11-do.CheckTLS.com"> <eMailAddress>CheckTLS.com</eMailAddress> <ConfidenceQFactor>121</ConfidenceQFactor> <SSLVersion>TLSv1_3</SSLVersion> </Result> <Result origin="www11-do.CheckTLS.com"> <eMailAddress>RefuseTLS.CheckTLS.com</eMailAddress> <ConfidenceQFactor>0</ConfidenceQFactor> </Result> <Result origin="www11-do.CheckTLS.com"> <eMailAddress>NoDNS.CheckTLS.com</eMailAddress> <ConfidenceQFactor>50</ConfidenceQFactor> </Result> <Result origin="www11-do.CheckTLS.com"> <eMailAddress>TLSv1.CheckTLS.com</eMailAddress> <ConfidenceQFactor>71</ConfidenceQFactor> <SSLVersion>TLSv1</SSLVersion> </Result> </Results> </CheckTLS>

TLS version using //email/testBatch ("BatchEdit")

If you run this Batch: <BatchTest TestType="receiverquick"> <Target>CheckTLS.com</Target> <Target>RefuseTLS.CheckTLS.com</Target> <Target>NoDNS.CheckTLS.com</Target> <Target>TLSv1.CheckTLS.com</Target> <Delivery> <To>file</To> <Format>xml-detail</Format> <BatchXSL>https://www.CheckTLS.com/XSL/BT-XSL-xml-3fields.xsl</BatchXSL> </Delivery> </BatchTest>

You will get this result: <Results test="BatchTest_receiverquick" version="V03.21.05" format="xml-detail" id="78" description="Sample XSLT 3 fields into xml"> <Result> <Target>CheckTLS.com</Target> <Score>114</Score> <Version>TLSv1_3</Version> </Result> <Result> <Target>RefuseTLS.CheckTLS.com</Target> <Score/> <Version/> </Result> <Result> <Target>NoDNS.CheckTLS.com</Target> <Score>50</Score> <Version/> </Result> <Result> <Target>TLSv1.CheckTLS.com</Target> <Score>71</Score> <Version>TLSv1</Version> </Result> </Results>

If you change "-xml-" in the <BatchXSL> text to "-csv-" you will get this result: Sample XSLT 3 fields into csv Target,Score,Version CheckTLS.com,114,TLSv1_3 RefuseTLS.CheckTLS.com,, NoDNS.CheckTLS.com,50, TLSv1.CheckTLS.com,71,TLSv1

A bit of explanation: the <BatchXSL> line in the Batch tells it to "transform" (XSLT) the XML_Detail output from //email/testTo: ("TestReceiver") into the much shorter output shown. All the XSL does is selects out the test description, adds a header ("Target,Score,Version") and selects the three fields from each Result in the Batch. The XSL is very simple: <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:output method="text"/> <xsl:template match="text()"/> <xsl:template match="Results"> <Description><xsl:value-of select="@description"/></Description> <xsl:text> </xsl:text> <xsl:text>Target,Score,Version </xsl:text> <xsl:for-each select="Result"> <Target><xsl:value-of select="eMailAddress"/></Target><xsl:text>,</xsl:text> <Score><xsl:value-of select="ConfidenceFactor|ConfidenceQFactor"/></Score><xsl:text>,</xsl:text> <Version><xsl:value-of select="MX[1]/SSL/SSLVersion"/></Version> <xsl:text> </xsl:text> </xsl:for-each> </xsl:template> </xsl:stylesheet>

If you decide to use this XSL, you should copy it onto a webserver that you control. We may make changes to it in the future and we don't want to break someone's production systems.

Add Intelligence and Tune the Question

Back to why this is difficult. The tests above only do a Quick test, so they are just testing the first MX. You can change it to test multiple MXs, but then you have to decide which ones to test, and how to weigh the different MX preferences and number of hosts in each MX group, and the strength of the cipher(s) used, and the validity of the certificate(s) used, and so on.

You can add other fields besides the above eMailAddress, ConfidenceQFactor, and SSLVersion. Use the interactive //email/testTo: ("TestReceiver") to see what other fields are available. These can be added to the Excel workbook. While the Excel front-end to Batch testing is not designed to pull out information from multiple MX hosts, the full XML Batch option can extract any and all information about an email system, so you can decide for yourself what the answer to "What version of TLS is this site using?"

We do have clients who, after understanding the question better, come back to using the CheckTLS (Confidence Factor) to decide the "TLS version". For only allowing TLS1.2 and above we suggest a Confidence Factor 88 and above. While it’s not cast in stone (again see the other FAQ), the Confidence Factor falls into:

TLS VersionStarting Score
no TLS (or even SSL)0
unable to test50 (exactly)

These can go down a little bit if the cipher is weak or the name does not match. 88 is as low as TLSv1_2 can go, which is why we use it as the breakpoint for TLSv1_2.

These can go up based on things like cipher strength, MTASTS, DANE. It’s hard to move up a whole level, almost impossible for TLSv1_1 to make it to TLSv1_2 (score 92) and impossible for TLSv1_2 to make it to TLSv1_3 (score 108).

We will always keep 50 as the untestable number and below 50 as no encryption. We will also try to keep 90 as the breakpoint for what we consider Yes/No. For example, if a site uses TLSv1_2 but has a bad cipher and the name does not match, is it still “good”? That shows the site either doesn’t know what they are doing or doesn’t care much about real security, and we think we need to show that.