Automate Secure Outbound Email Sending with SecureLine
Frequently we are approached by customers who have automated systems that need to send out secured emails on demand and without any manual interaction. These could be web site response systems for sensitive information, health care labs emailing results which need to meet HIPAA compliance, or other situations where the email messages must all be secured.
LuxSci’s SecureLine service provides a means for encrypting some or all outbound email messages using any combination of 4 different email encryption technologies: SMTP TLS, PGP, S/MIME, and SecureLine Escrow (secure message pickup).
- PGP and S/MIME encryption require that “public keys” for the recipients be on hand — this is not possible when the recipients could be “any random person”.
- TLS is a quick and easy mechanism for delivering messages securely; however, it requires that the recipient’s email servers support this technology. Most servers do not.
- SecureLine Escrow is a solution that can be used for any recipient using any email service — the recipient goes to a secure web portal to read the messages after answering a security question to verify their identity.
The Chicken and the Egg
When sending secure messages to arbitrary recipients, customers typically fall back to using SecureLine Escrow for all of the messages, as that is guaranteed to work for everyone. However, before a message can be sent to a recipient using Escrow, a sender-supplied Question and Answer must be configured for use in identifying the recipient when s/he picks up the message. This can be done by having a default question and answer for everyone; however, that is not very secure.
LuxSci provides two mechanisms by which customers can specify and manage unique questions and answers for all of their recipients when sending messages from automated systems.
The Address Book API
If the sender has an entry for the recipient in his/her LuxSci Address Book, and that address book entry contains a SecureLine Escrow Question and Answer, then this can be used when messages are sent either via WebMail or via SMTP.
LuxSci provides a SOAP-based “User API” that allows customers to perform many actions for their users in an automated fashion. This includes creating, editing, downloading, and removing Address Book entries. Using the User API, customers can automatically keep their recipient lists updated and synchronized with their LuxSci Address Book(s), complete with SecureLine Escrow security information. So, when the automated secure messages are sent, that information will be available for use.
Pros and Cons of the User API method:
- Programming a SOAP-based API requires some work
- Changes made to the Address Books via the API may take up to 5 minutes to propagate to outbound email servers — so you cannot use the API and then expect to send secure messages using that updated information immediately.
- Since the API updates your Address Book, all that data is available in LuxSci’s Web-based User Interface (i.e. for composing messages in WebMail or for browsing) and is backed up automatically. These address books can also be shared among users in your account.
More information for existing customers on our User API can be found in our User API Help.
Sending Escrow Data in Your Outbound Email Messages
The other mechanism available to customers is to specify SecureLine Escrow Question and Answer data on a per-message basis. This is done by adding additional email headers to their outbound email messages. Each added header would specify the Escrow Question, Answer, and Message Expiration Date for one recipient of the message — 3 recipients could mean 3 added headers.
Pros and Cons of the Email Header method:
- As the Escrow Data is sent with the message, there is no propagation delay or dependency on Address Books.
- Escrow Question and Answers provided trump any others that may be available in the system.
- Use of custom Escrow headers causes outbound email to be automatically encrypted (if encryption of all outbound email is not already enforced). This allows selective use of encryption.
- Not all recipients need to be defined in headers; messages to those that are not are sent using normal methods. This could, for example, allow you to specify people using Escrow and allow the system to use TLS, PGP, or S/MIME for everyone else, as appropriate.
- Adding custom headers to outbound email messages is much simpler than SOAP programming.
- No record of the recipients, questions, and answers is left in any Address Book.
- The Special Custom Headers are stripped away; recipients would never see these.
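The per-recipient header approach described above, sketched as an added example (not LuxSci's code): one header is attached for each recipient that has Escrow data, and values from the automated system are checked so they cannot inject extra headers. The header name `X-Example-Escrow`, its `key="value"` layout, and the helper names are placeholders; the real SecureLine header syntax is in LuxSci's help and is not given on this page.

```python
from datetime import date
from email.message import EmailMessage

# Placeholder header name and field layout (assumptions, not LuxSci's syntax).
ESCROW_HEADER = "X-Example-Escrow"


def clean(label, value):
    """Reject characters that could inject headers or break the field layout."""
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in value):
        raise ValueError(f"control character in {label}")
    if '"' in value or ";" in value:
        raise ValueError(f"reserved character in {label}")
    return value.strip()


def build_message(sender, recipients, escrow, subject, body):
    """Return an EmailMessage with one escrow header per recipient in `escrow`.

    `escrow` maps address -> (question, answer, expiry date). Recipients
    without an entry get no header and are left to normal delivery methods.
    """
    extra = sorted(set(escrow) - set(recipients))
    if extra:
        raise ValueError(f"escrow data for non-recipients: {extra}")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    for addr in recipients:
        if addr not in escrow:
            continue
        question, answer, expires = escrow[addr]
        msg[ESCROW_HEADER] = "; ".join([
            f'to="{clean("address", addr)}"',
            f'question="{clean("question", question)}"',
            f'answer="{clean("answer", answer)}"',
            f'expires="{expires.isoformat()}"',
        ])
    return msg


if __name__ == "__main__":
    # Constructed sample data.
    sample = {"pat@example.com": ("Lab order number?", "A-10442", date(2030, 1, 31))}
    print(build_message("lab@example.org", ["pat@example.com", "dr@example.net"],
                        sample, "Your results", "Pick up at the portal."))
```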
Existing customers with SecureLine can read more about this feature in our help: SecureLine: Sending Escrow Questions and Answers in Custom Mail Headers when Sending Messages via SMTP.