by Rick Kuwahara CMO of Paubox

How to Check for TLS to Secure Your Email


If the path your email message takes from your inbox to your recipient could be made into a movie, it would be more Hacksaw Ridge than La La Land.

Hackers are hard at work trying to read and intercept your email in order to profit, which is why encrypting your messages makes so much sense.

Thankfully many email providers are now supporting Transport Layer Security (TLS) encryption, but how do you know if your provider supports it? Here’s how to check for TLS in your messages.

Why do we even need TLS?

Credit: www.elie.net/blog

Before we get into checking for TLS encryption, it’s good to take a step back and see how we even got here.

The standard way email is moved around is the Simple Mail Transfer Protocol (SMTP), which has been around since 1982. At its simplest, the sender writes an email on their laptop; it is sent to their email provider’s server, traverses the internet to the recipient’s email server, and the recipient reads it on their device.

As with any technology that becomes popular, there are people who are going to try and take advantage of it.

So it wasn’t too long before new pieces were added to try and secure message transmission, including encryption.

“The security of any system, particularly email security, cannot be assured or trusted if the communications protocol uses plaintext,” said Jeremiah Grossman, Chief of Security Strategy for SentinelOne. “The bottom line is that for email to be secure, it MUST use TLS.”

How does TLS work?

TLS (negotiated over SMTP with the STARTTLS command) is an encryption protocol that protects messages in transit from one server to another.

This means that the Eavesdropper pictured earlier wouldn’t be able to read a message because it’s sealed with encryption. You can think of it as putting a valuable document in a safe. You wouldn’t be able to read it, unless you had the right code or keys to open the safe.

Because TLS is a protocol, both mail servers need to be able to follow it for the encryption to work. The two sides negotiate which encryption keys to use before any message content is transmitted, and the negotiation itself is protected so an observer cannot recover those keys.

How to check if a message was encrypted with TLS

Every email that’s sent includes a record of how it was transmitted, but most people never see it because most of the email header is hidden by email providers and clients.

For example, in Gmail, you’d only see the TO, FROM, DATE and SUBJECT, then the body of the email that contains the actual message.

But you can easily reveal the headers of an email by doing a quick Google search for “How to find email header for {EMAIL PROVIDER NAME}”.

When you reveal the headers, you find a bunch of gibberish like this:

This is an email sent with Paubox to a Gmail address. You can see the journey the email took if you read from the bottom to the top, with each relay adding its own time-stamped Received line.

Although it’s tough to read, the important parts are in the green boxes, where you see that TLS was used with a 256-bit AES cipher.
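As an added example (not code from the original article or from Paubox), the following Python script does the header walk-through above programmatically: it reads the Received headers of a raw message from bottom to top and reports, hop by hop, whether TLS was used and with which cipher and key size. The sample message is constructed for this example. The two annotation formats it recognises are the `(version=... cipher=... bits=...)` style written by Google’s receiving servers and the `(using TLSv1.2 with cipher ...)` style written by Postfix; it also treats the `ESMTPS`/`ESMTPSA` transmission types from RFC 3848 as TLS hops. Other mail servers word the annotation differently, so the pattern list is a starting point, not a complete catalogue.

```python
import email
import re

# Constructed sample message for this example (not a real capture). Three
# Received headers, read bottom-up: laptop -> relay over plain ESMTP (no TLS),
# relay -> mx over TLS (Postfix wording), mx -> Gmail over TLS (Google wording).
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net. [192.0.2.10])
        by mx.google.com with ESMTPS id EXAMPLE1
        for <recipient@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256/256);
        Mon, 02 Jan 2017 10:00:02 -0800 (PST)
Received: from relay.example.net (relay.example.net [192.0.2.9])
        by mx.example.net (Postfix) with ESMTPS id EXAMPLE2
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));
        Mon, 02 Jan 2017 10:00:01 -0800 (PST)
Received: from laptop.example.org (laptop.example.org [198.51.100.5])
        by relay.example.net (Postfix) with ESMTP id EXAMPLE3;
        Mon, 02 Jan 2017 10:00:00 -0800 (PST)
From: sender@example.org
To: recipient@gmail.com
Subject: TLS header check
Date: Mon, 02 Jan 2017 10:00:00 -0800

hello
"""

# TLS annotations as written by two common receiving MTAs (Google, Postfix).
TLS_PATTERNS = [
    re.compile(r"version=(?P<version>\S+) cipher=(?P<cipher>\S+) bits=(?P<bits>\d+)/\d+"),
    re.compile(r"using (?P<version>TLSv[\d.]+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"),
]

# RFC 3848 "with" keywords whose trailing S means the session was TLS-protected.
TLS_TRANSMISSION_TYPES = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def parse_hop(received: str) -> dict:
    """Extract sender, receiver, transmission type and TLS details from one Received header."""
    text = re.sub(r"\s+", " ", received).strip()  # unfold the header
    hop = {"from": None, "by": None, "with": None, "tls": False,
           "version": None, "cipher": None, "bits": None}
    for key in ("from", "by", "with"):
        m = re.search(rf"\b{key} (\S+)", text)
        if m:
            hop[key] = m.group(1)
    for pattern in TLS_PATTERNS:
        m = pattern.search(text)
        if m:
            hop.update(version=m.group("version"), cipher=m.group("cipher"),
                       bits=int(m.group("bits")), tls=True)
            break
    if hop["with"] and hop["with"].upper() in TLS_TRANSMISSION_TYPES:
        hop["tls"] = True
    return hop


def trace_tls(raw_message: str) -> list:
    """Return the hops in chronological order (bottom Received header first)."""
    msg = email.message_from_string(raw_message)
    return [parse_hop(h) for h in reversed(msg.get_all("Received", []))]


def all_hops_encrypted(hops: list) -> bool:
    """True only if every relay reported TLS; a single plaintext hop exposes the message."""
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    hops = trace_tls(SAMPLE_MESSAGE)
    for i, h in enumerate(hops, 1):
        status = f"TLS {h['version']} {h['cipher']} ({h['bits']}-bit)" if h["tls"] else "PLAINTEXT"
        print(f"hop {i}: {h['from']} -> {h['by']} via {h['with']}: {status}")
    print("whole path encrypted:", all_hops_encrypted(hops))
```

Paste your own message source into `SAMPLE_MESSAGE` (or read it from a file) to trace a real delivery. The point of `all_hops_encrypted` is that the green boxes in a screenshot only prove one hop was encrypted; the message is only as protected as its weakest relay.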

A simpler way to see if an email address supports TLS is to use our free Secure Email Checker. This online tool will help you check TLS in just seconds.

When TLS doesn’t work

The problem with email is that SMTP still prioritizes the delivery of a message over its security.

This means that even if a sending server offers TLS, if the recipient’s mail server doesn’t accept TLS, the sending server falls back and delivers the message in clear text, where it can be snooped on.

There are even attacks that force a connection to downgrade from TLS so that the message is delivered in clear text and can be read in transit.
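As an added example (not part of the original article and not Paubox’s Secure Email Checker), the following Python script does the live check that the checker tool automates, and it behaves the way a security-minded sender would want in the face of the fallback just described: it connects to a mail server, confirms the EHLO reply advertises STARTTLS, negotiates TLS with certificate and hostname verification, and reports the negotiated version, cipher and key size. It never continues in plaintext, so a missing STARTTLS or a certificate that does not validate is reported as a failure rather than silently downgraded. The hostname `mx.example.net` is a placeholder; pass the real MX host on the command line. The accepted-version and minimum-key-size thresholds are this example’s own policy, not anything the article specifies.

```python
import smtplib
import ssl
import sys

# This example's own minimum-strength policy: a session that negotiates an
# older version or a weaker key is reported as unacceptable even though it
# technically "used TLS".
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
MIN_BITS = 128


def starttls_offered(ehlo_reply: bytes) -> bool:
    """True if an EHLO reply (as returned by smtplib's ehlo()) lists STARTTLS.

    The first line is the server's greeting name; each following line is one
    extension keyword with optional parameters.
    """
    lines = ehlo_reply.decode("ascii", "replace").splitlines()[1:]
    return any(line.split()[0].upper() == "STARTTLS" for line in lines if line.strip())


def meets_policy(version: str, bits: int) -> bool:
    """Apply the minimum-strength policy to a negotiated session."""
    return version in ACCEPTED_VERSIONS and bits >= MIN_BITS


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a mail server and negotiate TLS, refusing to continue in plaintext.

    Unlike a delivering MTA, this never falls back: if STARTTLS is missing or the
    certificate does not validate, it raises instead of proceeding unencrypted.
    """
    context = ssl.create_default_context()  # verifies the chain and the hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, reply = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"{host}: EHLO rejected with {code}")
        if not starttls_offered(reply):
            raise RuntimeError(f"{host}: STARTTLS not offered; mail would be sent in clear text")
        smtp.starttls(context=context)  # raises ssl.SSLError on a bad certificate
        smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS upgrade
        name, _, bits = smtp.sock.cipher()
        version = smtp.sock.version()
        return {"host": host, "version": version, "cipher": name,
                "bits": bits, "acceptable": meets_policy(version, bits)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.net"  # placeholder host
    try:
        print(check_starttls(target))
    except (OSError, smtplib.SMTPException, RuntimeError) as exc:
        print(f"FAIL: {exc}")
        sys.exit(1)
```

Run it as `python check_starttls.py <mx-hostname>`; many residential and office networks block outbound port 25, so run it from a host that is allowed to speak SMTP. A `FAIL` line means your mail would travel to that server in clear text (or over TLS with a certificate nobody checked), which is exactly the condition a downgrade exploits.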

If a message contains any sort of sensitive information, then it’s best to secure the message with an email encryption provider like Paubox.

This is especially true for organizations in regulated industries, like healthcare and banking.

A TLS downgrade attack wouldn’t work on an email sent with Paubox, as a link to view the message on a secure server would be delivered instead of the message in clear text.

Wrapping it up

More and more email providers are moving towards TLS, but there are still legacy mail servers that don’t support it. It’s estimated that as much as 20% of emails do not support TLS encryption.

So if you’re sending any sensitive information, it’s doubly important to make sure that both email providers involved support TLS, to lower the risk of your email being hijacked.