How to check if Outlook is using TLS encryption

Avoid HIPAA violations for HIPAA compliant email

Email is a popular target for hackers because every email account is a potentially vulnerable endpoint that can be compromised. Attacks like ransomware are increasingly common. Email can be intercepted, creating a potential HIPAA violation for covered entities.

Email can be protected via encryption, most commonly using an industry standard called Transport Layer Security (TLS).

We’ve covered different ways to check your email setup for TLS support, including checking for TLS encryption in Google’s email services.  But out about Outlook?

Does Outlook support TLS and is my HIPAA email encrypted?

The Microsoft Office Suite, and its online counterpart Microsoft 365, is the most popular collection of software tools for businesses (though Google’s offering is proving to be a fierce competitor in the cloud space).

Microsoft’s email application, Outlook, does support TLS, and in March, Microsoft began requiring TLS version 1.2, and dropping support of TLS 1.0 and 1.1. (Paubox supports both TLS 1.2 and 1.3, per NSA guidelines).

However, even though this means that email sent and received via Outlook can be encrypted, it doesn’t mean email is encrypted. If a recipient is using an email service provider that does not support TLS, the encryption is removed and the message is delivered in plain text—making it easy for malicious parties to intercept it.

How do you check for TLS encryption in Outlook and how to keep HIPAA email secure?

As with Google’s Gmail service, you can see if an Outlook message was encrypted by reviewing the email header. Microsoft’s design is not quite as simple as Google’s, and is different depending on which version you’re using: either the locally installed Outlook application or the web-based Microsoft 365 interface.

In Outlook, you need to open the message in a new window.  Double-click the message in the inbox list, then open the “File” menu and select “Properties.”

In Microsoft 365, you click the three dots at the top right of the message window:

In both cases, you will be presented with the raw email message header. It includes a lot of information and can be daunting. To make it easier to review, you can copy it into a new Notepad or text file, where you can use a “Find” tool to search through it.

You should see “TLS” or a TLS version identifier in the header. It may say “TLS1.2” or “TLS1.3.” If you see this, TLS was used to secure this message.

Obviously, this process could be simpler.

Other ways to check for TLS support

The CheckTLS website is a popular, free tool you can use to check your company’s support for TLS. Run by SecureMail, LLC, the site also pitches various security services like EmailSentry, an Outlook plugin that makes email security information more accessible.

If you’re a system administrator, you can also use mail flow controls to require the use of TLS encryption when exchanging email with other specific organizations. This is not a simple process, however, and an incorrect configuration could cause email delivery issues.

Is my email HIPAA compliant and encrypted by TLS?

Email encryption is important but technically complex. TLS only works when both the sender are receiver are using email systems configured to use it. If not, encryption is typically dropped, making your messages vulnerable to hackers.

Fortunately, Paubox has patented a method to maintain privacy and security even if the receiver is not using TLS: the message is not delivered in plain text, and instead it is made available via a secure HTTPS link.

When you use Paubox Email Suite for HIPAA compliant email, you have a seamless, multi-layered solution for secure email, using the latest industry security standards.