Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

3 min read

How to check for TLS to secure your email

How to check for TLS to secure your email

If the path your email message takes from your inbox to your recipient could be made into a movie, it would be more Hacksaw Ridge than La La Land. Hackers are hard at work trying to read and intercept your email in order to profit, which is why encrypting your messages makes so much sense.

Thankfully many email providers are now supporting Transport Layer Security (TLS) encryption, but how do you know if your provider supports it? Here's how to check for TLS in your messages.


Why do we even need TLS?

Before we get into checking for TLS encryption, it's good to take a step back and see how we even got here. The standard way email gets moved around is by Simple Mail Transfer Protocol (SMTP), which has been around since 1982. At its simplest the sender writes an email on his or her laptop, it gets sent to his or her email provider's server, and then it traverses the internet to the recipient's email server so the recipient can read it on his or her device. As with any technology that becomes popular, there are people who are going to try and take advantage of it. So it wasn't too long before new pieces were added to try to secure message transmission, including encryption. "The security of any system, particularly email security, cannot be assured or trusted if the communications protocol uses plaintext," explaines Jeremiah Grossman, chief of security strategy for SentinelOne. "The bottom line is that for email to be secure, it MUST use TLS."


How does TLS work?

TLS, or STARTTLS, is an encryption protocol that protects messages in transit from one server to another. This means that an eavesdropper wouldn't be able to read a message because it's sealed with encryption. You can think of it as putting a valuable document in a safe. You wouldn't be able to read it unless you had the right code or key to open the safe. Because TLS is a protocol, that means the two mail servers need to both be able to follow along in order for the encryption process to work. The server and the client negotiate what encryption keys to use before anything is transmitted. The negotiation itself is secure as well.

How to check if a message was encrypted with TLS

Every email that's sent includes a record of how it was transmitted, but most people never see it because the email header is hidden by email providers and clients.

For example, in Gmail, you only see the to email, from email, date and subject, then the body of the email that contains the actual message. But you can easily reveal the headers of an email by doing a quick Google search for "How to find email header for {EMAIL PROVIDER NAME}." When you reveal the headers, you find a bunch of gibberish like this:


How to check for TLS to secure your email


This is an email sent with Paubox to a Gmail account. You can see the journey the email took if you read from the bottom to the top, with each relay getting time stamped. Although it's tough to read, the important parts are in the green boxes, where you see that TLS was used with a 256-bit AES cipher.

🚨A simpler way to see if an email address supports TLS is to use our free Secure Email Checker. This online tool will help you check TLS in just seconds.🚨


When TLS doesn't work

The problem with SMTP email is that it prioritizes the delivery of a message over the security of it. This means that even if an email is sent via TLS, if the recipient's email doesn't accept TLS, the message will be decrypted and delivered in clear text which can be snooped on.

There are even attacks created by hackers to force messages to downgrade from TLS in order to snoop on the final message that gets delivered in cleartext.

If a message contains any sort of sensitive information, then it's best to secure the message with a solution such as Paubox Email Suite.

This is especially true for organizations in regulated industries, like healthcare and banking. A TLS downgrade attack wouldn't work on an email sent with Paubox, as a link to view the message on a secure server would be delivered instead of the message in cleartext.


SEE ALSO: What Happens When a Paubox Email Recipient Doesn’t Support Encryption?


Wrapping it up

More and more email providers are moving towards TLS, but there are still legacy emails that don't support it. It's estimated that as much as 10% of emails do not support TLS encryption. So if you're sending any sensitive information, it's doubly important that you make sure that both the sending and receiving email providers support TLS to lower the risk of your email getting hijacked.


SEE ALSO: Paubox Eliminates Obsolete TLS Protocols, Follows NSA Guidance



Try Paubox Email Suite for FREE today.

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.