Is email message transport over MAPI or HTTPS secure?

September 5th, 2017

Our latest “Ask Erik” question involves understanding what email headers save about secure message transport … especially when they list MAPI or HTTPS instead of TLS.

See also:


It can be extremely difficult and frustrating to determine if an email message was sent securely, especially if it used TLS for delivery. The reason for this is that TLS leaves no visible trace in email message. You have to look in the message headers to find out what happened.

For most cases it’s easier to look in the headers. You look for the received lines. These are lines that are put on place by every server that touches the message and they record which server they were, what time it happened and information about encryption.

Here’s some examples. You can see the TLS indications here. The latest ask Eric questioner had a problem looking at headers that went through Microsoft Outlook online. There were two very confusing received lines and he doesn’t know how to understand if they was used security or not. The first referred to a MAPI instead of TLS. This is Microsoft’s proprietary messaging API. Whenever you see MAPI these days that’s a secure protocol that goes over HTTPS, over TLS. In the old days it didn’t necessarily use security, but nowadays, and especially with Outlook online, it’s secure. It’s secure as SMTP over TLS or even more.

The other thing he observed was a reference to HTTPS instead of just TLS or MAPI. Once again, the S on HTTPS refers to a connection via a web server using a secure protocol like TLS. That hop is also secure. When you’re looking at your email headers you need to look for TLS or MAPI or HTTPS and all those things indicate secure transmission.

As we’ve discussed elsewhere, sometimes you’ll see hops that don’t have any indication of TLS at all, but that doesn’t mean that the message was sent insecurely. As transmission between servers or with transmission from the server to its cell doesn’t necessarily have to be secure if they’re isolated behind firewalls and otherwise in a safe environment. This is very common when a message passes between machines in the same server location, like between one machine at Microsoft and another machine at Microsoft or between an inbound filtering server at LuxSci and an email delivering server at LuxSci. The lack of TLS in these connections is okay and doesn’t hurt the overall security of the message.