Email Encryption Opt Out Now Available for Outlook and Other Email Programs
A few weeks ago, we introduced the option for users in security-enabled accounts (such as users subject to HIPAA compliance requirements) to determine for themselves which messages need to be encrypted and which do not. See: HIPAA Compliant Email – You Decide Which Messages Need Encryption
- Premium Mobile Sync users on mobile devices
- Customers using SMTP from mobile devices
- Customers using SMTP from most email programs (e.g. Outlook, Thunderbird, Mac Mail, etc.)
How SecureLine Encryption Opt Out Works
When sending from LuxSci’s web interface, users can opt out by simply “unchecking” the “Secureline Ecnryption” checkbox in their email composition area. Users in HIPAA-compliant accounts will also have to confirm that the message has no ePHI upon sending. This is discussed in our previous blog post.
Outlook with the SecureLine Outlook Plugin
Users of Outlook for Windows with LuxSci’s SecureLine Outlook Plugin installed can opt out of the use of SecureLine Encryption just like they would with WebMail: uncheck the encryption checkbox and, if they are in a HIPAA account, confirm that the message contains no ePHI on sending.
Other Email Programs and Premium Mobile Sync
Users of any other email program (e.g. Outlook without the SecureLine plugin, Mac Mail, Thunderbird, Android, iPhone, etc.) or our Premium Mobile Sync service for mobile devices can also choose to opt out of SecureLine Encryption on a per-message basis. This is done by adding some additional special text to the subject of the email message (see below for details). The system detects this subject content, logs it, removes it so the recipients do not see it, and then sends the message without SecureLine encryption.
Is a message sent without SecureLine Encryption Insecure?
A message sent without SecureLine encryption is not necessarily delivered insecurely to the recipient. LuxSci uses “Opportunistic TLS” for all messages sent from all users to maximize the privacy and security of your email messages. This means that, even without SecureLine, SMTP TLS will be used to encrypt the message as it passes from our servers to your recipient’s servers … so long as the recipient’s servers also support TLS (e.g. Gmail’s servers do, AOL’s servers do not, etc.). You can use our TLS Support Checker to see if a recipient’s servers support this type of encryption. Use of SecureLine ensures that some form of encryption is always used to deliver the message (and you have administrative control over the types of encryption that can be used).
SecureLine Opt Out by adding Special Text to your Email Message Subject
Users who wish to send an email without SecureLine from an email program must add some special text to their email message subject. For example, the subject:
Here is a copy of our newsletter. | nophi
A message using the subject line above would be sent to the recipient without SecureLine encryption and with the text “| nophi” removed so that the recipient doesn’t see it.
Administrators who enable use of SecureLine Opt Out for their SMTP users choose a “keyword” and a “separator” for their users to employ when requesting that messages be sent without SecureLine. In the example above, the keyword was “nophi” and the separator was the symbol “|“. Customers can choose any case insensitive keyword that they desire (e.g. “insecure”, “nophi”, etc.) and can also choose from a variety of separators (e.g. “|”, “||”, “##”, “>>”, “/”, “\”, etc.).
When the system receives a message that:
- Contains exactly one instance of the separator
- Contains the keyword at the beginning of the left or right side of the subject line
- The message is treated as a “SecureLine Opt Out” and the original subject and recipients and other metadata are logged for viewing in the “SecureLine Opt Out” reports.
- The separator and the side of the subject with the keyword in it are removed from the subject (so the recipient does not see it).
- The message is sent without SecureLine.
This gives the sender the following choices:
- Opt out on a per-message basis
- If the sender does not explicitly opt out, the message will be sent securely by default
- All opt outs are logged (and copies sent to an auditor email address if so configured)
Note that the system is smart and if it detects a subject that does not exactly match the opt out criteria, but which might be close, it will block sending until you update the subject so that it clearly does or does not indicate opt out. E.g. misspellings of the keyword, extra separators, etc., are detected.
Control over Who can Opt Out of SecureLine Encryption
Another enhancement of the Opt Out process is the fine grained ability to control exactly who is allowed to opt out of encryption. Previously, if it was enabled, then everyone could do it. However, in many cases, only select people need the ability to opt out, or only select people need to be restricted to never opting out. For security reasons, it is best to limit opt out to only those who require it.
The SecureLine Encryption configuration areas now permit administrators to specify exactly who can use opt out:
- Anyone (the default)
- Only specific users (you select the users who can from your list of users).
- Anyone except specific users (you select the users who can’t from your list of users).
Configuring SecureLine Opt Out
SecureLine Opt Out and other SecureLine features can be configured account-wide, per-domain, and on a per-user basis. See our SecureLine Administrative Overview video to see how to configure settings on an account-wide basis.
Domains: Domain-specific configuration can be done in your “account > administration > domains > [select domain] > outbund email >SecureLine Encryption” area.
Users: User-specific configuration for SMTP opt out can be done in your “account > my preferences > security and privacy > SecureLine Encryption” area. WebMail opt out can be configured in your “account > my preferences > webmail composition > SecureLine Encryption” area.
Examples of Subject Text-Based Opt Outs
- nophi | Here is the quote you requested
- Keyword on the left side of the subject. Spaces after the keyword are valid.
- NoPHI | Here is the quote you requested
- Keyword is case insensitive. Spaces before the keyword are valid.
- nophi - its just a sales quote. | Here is the quote
- Extra text after the keyword is valid. It is logged and removed. You can use this extra text if you want to document why you are sending without SecureLine.
- Here is the quote you requested|nophi
- Keyword can be placed on the right side of the separator as well.
- Here is the quote you requested| nophi its just a sales
- You can include extra text to be removed on the right side as well, when the keyword is used.
Once again, spaces before the keyword are valid.
- Toggling Between TLS-Only and More Secure Encryption Methods
- Opt-In Email Encryption is Too Risky for HIPAA Compliance
- Are you Minimizing your Risk by using the Next Generation of Opt In Email Encryption?
- SecureLine Offers TLS-Only Enforced Outbound Email Encryption
- HIPAA Compliant Email – You Decide Which Messages Need Encryption