TLS and Email Security: An Overview
Many people don’t realize that when you send an email, its contents are often unencrypted – and in turn, vulnerable to being seen and intercepted by others. This may be fine if you are sending recipes or plans for the weekend to your friends, but many businesses want a more secure solution for communicating with their clients, prospects and other stakeholders. Moreover, a number of well-publicized email hacking incidents over the past few years have put email security in the spotlight.
Thankfully there are numerous solutions that can be put to use to protect your emails. This article looks at how one common solution, the TLS protocol, can be used as part of your email privacy and security efforts.
What is TLS?
Transport Layer Security, or TLS for short, is a network security protocol implemented across most major web browsers and many email servers. It is the successor to Secure Sockets Layer (SSL), a now-deprecated approach used from the earliest days of the Internet to secure web traffic.
What is the advantage of TLS? It is an easy, seamless way to send secure emails WITHOUT making the recipient do anything. Many email security solutions are “walled gardens” requiring action on the part of the recipient to get at your email. But when you enable TLS encryption for your outgoing emails – and the recipients are set up to receive TLS-encrypted emails, which is the case for approximately 80% of emails sent today – emails are automatically encrypted until they are opened and read by the recipient.
Originally developed by Netscape engineers, TLS has evolved considerably since its first specification in the late 1990s, with its latest 1.3 version now in the process of rolling out. It is maintained as a public standard through the Internet Engineering Task Force standards body via its RFC (Request for Comments) process. Most browsers and mail servers currently support at least its current 1.2 level of functionality, considered a minimum requirement for effective data security nowadays.
Putting TLS to work
TLS encryption is normally a function of your outbound email platform: for example, this article describes how TLS encryption is used with Microsoft’s Exchange Server platform for business.
Since TLS encryption requires the cooperation of both the sending and receiving mail servers, there are basically two ways to implement it with your outgoing emails: so-called “opportunistic” versus “forced” or “mandated” TLS.
In the case of opportunistic TLS, the recipient’s server is checked for TLS capabilities, and if there is a match, the message is sent encrypted – otherwise, it is sent unencrypted. Be aware that in the case of opportunistic TLS, there is no guarantee that the message will be encrypted.
With forced TLS, the message is not delivered unless TLS is supported.
The National Institute of Standards and Technology (NIST), a government standards body, publishes guidelines for the use of Transport Layer Security in encrypting data “in motion” between systems. Note that there may also be compliance implications for the security of data “at rest,” e.g. once it is resident on the recipient’s system.
How we can help
TLS only encrypts emails when BOTH the sender and the recipient are using TLS. Thankfully, there is a tool for checking this: our DOTS Email Validation product returns a Note Code value of 16 in cases where the recipient supports email encryption vial TLS. This allows you to choose whether or not to send encrypted emails to this recipient.
Note that TLS verification alone may not suffice for high-security or compliance applications: for example, a positive TLS reading from Email Validation may mean that the receiver’s email front end (such as their spam filter) uses TLS, but does not guarantee that emails remain encrypted all the way to reaching the recipient – nor that it remains encrypted when the data is “at rest.”
So for some mission-critical applications – such as HIPAA compliance or sensitive financial data – you may need to consider more bulletproof solutions such as a secure email portal, a dedicated encryption service, or verification of end-to-end encryption for specific recipients (such as communications between two banks).
That said, many organizations do not need to go to the expense of a dedicated encryption solution, or cannot afford to put roadblocks such as a dedicated portal between their emails and their customers – particularly for applications such as sales and marketing. If this is the case for your business, TLS encryption can represent an easy, real-time way to keep your outgoing email as secure as your recipients will allow. And with our Email Validation product, TLS verification comes bundled as part of a unified strategy to help ensure the quality of your email contact data.