" email security Archives - LuxSci

Posts Tagged ‘email security’

The Case For Email Security

Friday, March 21st, 2025

We all know that regular email is insecure; however, it may surprise you to learn just how insecure it really is. For example, did you know that messages you deleted years ago may be on servers halfway around the world? Or that your messages can sometimes be read and modified in transit, even before they reach their destination? Did you know that forging email is very, very easy? Can you trust what you read in an email? Email was not designed with security in mind, and as a result, many different solutions have evolved to plug the multitude of resulting issues.

This article will explain how email works, what the real email security issues are, what mitigations to these are generally in use, and what else you can do to protect your email. This is especially important in healthcare marketing where you need to have HIPAA compliant email.

Case for Email Security

Information security and integrity are essential as we use email to send confidential and sensitive information over this medium every day. While reading this article, imagine how these security problems could affect your healthcare practice, business or organization, as well as your personal life, and your identity if you have not already.

How Email Works

This section describes the general mechanisms and paths an email message takes from sender to recipient. This should give you an overview of the different protocols (languages) involved, the different types of servers involved, and the distributed nature of email networks. The examples presented are representative of many standard email solutions but are by no means exhaustive.

Sending an Email Message

Sending an email message is like sending a postal letter. When sending a letter, it is dropped off at a local post office. The local post office looks at the address and determines which regional post office the letter should be forwarded to. Then, the regional post office looks at the address and determines which local post office is closest to the recipient. Finally, the recipient’s local post office delivers the letter to its recipient. Computers are like “post offices,” and the “Simple Mail Transport Protocol” (SMTP) is the “procedure” that an “email post office” uses to figure out where to send the letter next (i.e., the “next hop”). Any program that sends an email message uses SMTP to deliver that message to the next “post office” for “relaying” it to its final destination.

Sending Email via SMTP

Most people send mail in one of two ways – with a web-based interface like Gmail, Outlook 365, or LuxSci Secure Email, or with an “email program” program like Outlook, Thunderbird, or Apple Mail.

When sending a message with an email program on a personal computer (or phone or tablet), you have to specify an “SMTP server” so that the email program knows what computer to connect to for sending the message. This SMTP server is like a local post office. The email program talks directly to the server using the protocol (language) known as SMTP. This is like dropping off a letter at the local post office.

When using Web-based email, the personal computer communicates with a web server. The “language” the internet connection uses is HTTP – “HyperText Transfer Protocol.” When sending a message with Web-based email, the web server takes care to contact an SMTP server and delivers the message to it.

Delivery of email from your SMTP Server to your recipient’s SMTP Server

When an SMTP server receives an email message, it first checks if an account for the message recipient is configured on the server itself. If there is such an account, the server will drop the message in that person’s inbox (or follow other more complex user-defined rules). If there is no local account for that recipient, the server must “relay” the email message to another SMTP server closer to the recipient. This is analogous to how a local post office forwards letters to a regional post office unless it is for someone served by the post office. (Post offices don’t work this way, but this analogy easily explains the concept.) This process is known as “SMTP relaying.”

How does your SMTP Server know where to relay the message?

If the recipient’s email address is “bob@luxsci.net,” the recipient’s domain name is “luxsci.net.” Part of the DNS settings for the recipient’s domain includes a list of SMTP servers that should be able to accept email for this recipient. Multiple servers can be listed and ranked in terms of “priority.” The highest priority SMTP server listed is the recipient’s actual inbound SMTP server; the others are “backup inbound SMTP servers.” These backup servers may merely either queue email for later delivery to the recipient’s actual SMTP server or perform the same real-time delivery actions as the main SMTP server (i.e., they are redundant).

SMTP Servers

Many scenarios govern an email message’s path from the sender’s to the recipient’s SMTP Server. Some of these include:

  1. The sender’s server successfully contacts the recipient’s server and sends the email message directly (black line in the figure).
  2. The sender’s server can not contact the recipient’s actual SMTP server (maybe the recipient’s server is busy, down, or has some other connection problem). In this case, the sender’s server tries to contact and deliver the message to the recipient’s first backup server.
  3. The sender’s server can not contact the recipient’s actual SMTP server or its first backup server. In this case, the sender’s server tries to contact and deliver the message to the recipient’s second backup server.
  4. The sender’s server can not contact any of the recipient’s servers. In this case, it will queue the message and try to send it later. It will keep retrying periodically for several days until it succeeds in sending or gives up.

Any message delivered to the backup servers which queue email could go through the same process of trying to contact the recipient’s main SMTP server or higher priority backup servers. Backup servers may also queue emails for later sending or process the email themselves. (Note that a recipient may have zero or more backup servers, not necessarily two as in this example).

Note: a sender’s and recipient’s email systems may have arbitrarily complex server configurations actually handling the delivery process and performing operations such as: backups, filtering, forwarding, queueing, etc. Any number of servers may be involved and and number of copies or backups of messages may be made.

Once the email message arrives at the recipient’s SMTP Server and is finally delivered to the recipient’s inbox, the recipient may pick up the message and read it whenever they choose (as discussed below).

Each server receiving your message adds its “Received” stamp to the message headers. This stamp identifies what server received the message, at what time, and from what other server. This information allows the recipient to trace a message’s entire journey.

The takeaway from this discussion so far is that:

  1. Most email servers communicate with each other using SMTP.
  2. It’s impossible to tell how long it will take an email message to get from sender to recipient. You don’t know how busy the servers are, how much traffic there is on the internet, what machines are down for maintenance, etc.
  3. Messages may sit in queues on any number of servers for any amount of time. Some of these servers may belong to third parties (i.e., they may not be under the purview of either the sender or the recipient).
  4. Recipients can determine the internet address and name of the computer from which you send your messages, even if a spammer spoofs your email. (See Tracing the Origins of an Email Address and Hiding It)

Retrieving Email From an SMTP Server

When an email message is received, it sits in a file (or database) in an email server. You must access this content if you wish to view this email message. Any computer wishing to access the email must speak one of the email server’s languages. With some exceptions (like MS Exchange, ActiveSync, and direct use of databases), there are only two main languages that email servers understand (for email retrieval, as opposed to email sending, for which they use SMTP). One is called the “Internet Message Access Protocol” (IMAP). The other is called the “Post Office Protocol” (POP). (We will not discuss the details here, but you may be interested in Understanding Email Services for information about them.)

Downloading email

As a recipient, you can generally retrieve your email using a web-based interface known as “WebMail” or an “email program” program, such as Microsoft Outlook, running on your personal computer or device. The programs will talk directly to your email server and speak IMAP, POP, or something similar. With WebMail, your computer will talk to a WebMail server using a web connection (speaking HTTP); the WebMail server will, in turn, talk to your email server using POP or IMAP or something similar (like a direct database connection).

The Lack of Email Security

Email is inherently insecure. In the following sections, we will see just how insecure it is. At this stage, it is essential to point out the insecurity in the email delivery pathway just discussed:

  • Web-based Email: If the connection to the Web-based emai server is “insecure” (i.e., the address is http:// and NOT https://), then all information, including the username and password, is not encrypted as it passes between the WebMail server and your computer.
  • SMTP: SMTP does not encrypt messages (unless the servers in question support SMTP TLS). Communications between SMTP servers may send messages in plain text for any eavesdropper to see. For example, if your email server requests your username and password to “log in” to the SMTP server to relay messages to other servers, these may be sent in plain text and subject to eavesdropping. Finally, messages sent via SMTP include information about which computer they were sent from and what email program was used. This information, available to all recipients, may be a privacy concern.
  • POP and IMAP: The POP and IMAP protocols require you to send your username and password to log in; these credentials are not encrypted (unless you use an SSL-secured connection). So, your messages and credentials can be read by any eavesdropper listening to the flow of information between your personal computer and your email service provider’s computer.
  • BACKUPS: Email messages are stored in plain, unencrypted text on SMTP servers. Data backups on these servers may be made anytime, and administrators can read any data on these machines. The email messages you send may be saved unexpectedly and indefinitely and read by unknown persons.

These are just a few of the security problems inherent in email. In the next section, we will talk about communications security problems in general. Later on, we will see how these problems are commonly solved.

Security Threats to Your Email Communications

This section describes many of the common email security problems for HIPAA marketing campaigns:

Eavesdropping

The internet is a big place with a lot of people on it. It is easy for someone who has access to the computers or networks through which your information is traveling to capture and read this information. Like someone in the next room listening in on a phone conversation, people using computers “near” the path an email takes through the internet can potentially read and copy messages.

Identity Theft

If someone can obtain the username and password that you use to access your email servers, they can read emails and send false email messages as you. Very often, these credentials can be obtained by eavesdropping on SMTP, POP, IMAP, or Webmail connections, by reading email messages in which you include this information, or through other means.

Invasion of Privacy

If you are very concerned about your privacy, you should consider the possibility of “unprotected backups.” You may also be concerned about letting recipients know the IP address of your computer. This information may tell in what city you are located or even find your address in some cases! This is not usually an issue with WebMail, POP, or IMAP but is an issue with the transport of email, securely or insecurely, from any email client over SMTP.

Message Modification

Anyone who has system administrator permission on any of the SMTP servers that the message visits can not only read your message, but they can delete or change the message before it continues to its destination. The recipient cannot tell if the email message has been altered! If the message were merely deleted, they wouldn’t even know it had been sent.

False Messages

It is very easy to construct messages that appear to be sent by someone else. Many viruses take advantage of this situation to propagate themselves. In general, it is tough to be sure that the apparent sender of a message is the actual sender- the sender’s name could have been easily fabricated. See “Who Stole My Email Address?”

Message Replay

Just as a message can be modified, messages can be saved, modified, and re-sent later! You could receive a valid original message, but subsequent faked messages could appear valid. This has significant implications for automated systems that ingest email and perform automated actions based on their contents.

Unprotected Backups

Messages are usually stored in plain text on SMTP Servers. Thus, backups of these servers’ disks usually contain plain text copies of your messages. As backups may be kept for years and can be read by anyone with access to them, your messages could still be exposed in insecure places even after you think that all copies have been “deleted.”

Repudiation

Because regular email messages can be forged, there is no way to prove that someone sent a particular message. This means that even if someone DID send a message, they could successfully deny it. This has implications for using email for contracts, business communications, electronic commerce, etc. See DKIM: Fight Spam and Forged Email by Signing your Messages.

Symmetric and Asymmetric Encryption

To understand how we can mitigate the email security problems described above, a basic knowledge of the two main types of encryption will be advantageous. This section presents these concepts in a simple, straightforward form.

Symmetric and Asymmetric Encryption

Symmetric Encryption

In symmetric encryption, you and your friend share a “secret” key. Using this key, you can encrypt a message into “cyphertext.” Cyphertext looks like a random sequence of characters and is meaningless to anyone unless they also have the secret key. Then, they can decrypt the cyphertext back into the original message and read it.

Using symmetric key encryption, eavesdropping and unwanted backups of messages are no longer a problem. It also becomes more challenging for someone to modify messages in transit in a meaningful way. An example of a popular method used for symmetric encryption is AES-256.

The problem with symmetric key encryption is that the secret key needs to be shared. Unless meeting in person, how do you securely communicate this key? What if you want to send a secure message to someone on the other side of the world? How do you quickly get them the secret key in a way that eavesdroppers can’t detect?

Message Digests/Authentication Codes

A “Message Digest” or “Message Authentication Code” is a straightforward concept. The message passes through an algorithm that creates a relatively short sequence of characters (maybe 128 or 256). This sequence of characters is a “fingerprint” of the message. Any change in the message would produce a significantly different fingerprint. There is no way to reverse engineer the original message from its fingerprint. It is almost impossible to find two messages that yield the same fingerprint (just like trying to find two strangers with the same fingerprint). An excellent modern function for this process is “SHA256”.

Message Digests are quick ways to check to see if a message has been altered. If you have a digest of the original message and compare it with a digest of the message you just received and they match, then you know that the message is unaltered.

Asymmetric Encryption

In asymmetric encryption, also known as “public key” encryption, each person has TWO keys. Any cyphertext created using one of the keys can ONLY be decrypted using the other key. For example, say you have keys “K1” and “K2.” If you encrypt your message with K1, then ONLY K2 can be used to decrypt it. Similarly, if you encrypt using K2, ONLY K1 can be used to decrypt it. This is distinct from symmetric key encryption, where only one key performs both functions on the same message.

In asymmetric key encryption, the two keys that each person possesses are commonly named the “private” and “public” keys because the “public” one is published or given out freely to anyone who wants a copy, and the “private” one is kept secret. The security of asymmetric key encryption depends on whether the private key is kept secret.

Asymmetric key encryption allows you to do many clever things:

  • Send an Encrypted Message: To send a secure message to someone, all you have to do is encrypt it with their public key! Only the intended recipient with the matching private key can decrypt and read the message. This solves the problem of eavesdropping and the problem of sending secret keys that is inherent in symmetric key encryption. Instant email security.
  • Prove You Sent a Message: To prove to someone that you sent a message, you can encrypt the message (or just a piece of it) with your private key. Then, anyone can decrypt it with your public key and read the contents. The fact that your public key decrypts the message proves that only you could have sent it (or someone with your private key).
  • Sign a Message: A message signature proves that you sent the message AND allows the recipient to determine if the message was altered in transit. This is done by using your private key to encrypt a message digest at the time of sending. The recipient can decrypt this digest and compare it to a digest of the received message. If they match, the message is unaltered and was sent by you.
  • Encrypted, Signed Messages: The most secure form of communication is first to add a signature and then encrypt the message plus the signature with the recipient’s public key. This combines all of the benefits of all techniques: security against eavesdropping and unexpected storage, proof of sender, and proof of message integrity.

Email Security via TLS

The easiest thing you can do to improve your email security is to use an email provider that supports “Transport Layer Security” (SSL/TLS) for their Webmail, POP, IMAP, and SMTP servers.

TLS uses a combination of asymmetric and symmetric key encryption mechanisms. If you connect to a server using TLS, the following things happen:

  1. The server uses its private key to prove that it is the server you are trying to connect to. This lets you know that you are not connecting to a “man in the middle” trying to intercept your communications.
  2. You send the server your public key.
  3. The server generates a “secret key” and sends it to you encrypted using your public key.
  4. You and the server then communicate using symmetric key encryption using this shared secret key. (Symmetric key encryption is faster than asymmetric key encryption).

The benefits of TLS are twofold:

  1. You can determine if you are connecting to the right server, and
  2. You and the server can communicate securely.

If you get any warning messages when connecting to a server using TLS, you should think twice about ignoring them. While your provider may have a small technical problem causing the warning, they also indicate that communications are being intercepted. These warnings usually indicate one of the following:

  1. The server’s SSL “certificate” (i.e., the public/private key pair) has expired.
  2. Some of the information in the certificate doesn’t match your expectations. E.g., the certificate was issued for a different server name than the one you are trying to connect to. (You could be inadvertently connecting to the wrong server.)
  3. An untrusted agency issued the certificate.
  4. There is a “man in the middle” eavesdropping on your connection.

SSL/TLS certificates are (generally) issued by third-party agencies. These third-party companies do a “background check” on companies that request certificates and only issue certificates if the companies have a right to them. The certificate can include the company’s name, issuing company’s name, and the name of the server to which it is issued. When you connect to an SSL server, you can verify this embedded information and the fact that it was issued by a third-party company that you trust. If the certificate is valid, you can have a high degree of confidence that the server you are connecting to is the one you want to reach.

Using TLS ensures that communications between your personal computer and your email service provider’s servers will be encrypted. The message contents, usernames, and passwords will be hidden from eavesdroppers but only hidden from eavesdroppers between you and your service provider!

TLS services do not protect messages once they arrive at the SMTP server or when they leave an SMTP server and head to their destinations (unless your provider can and is using SMTP TLS to talk to the recipient’s SMTP server). So, it doesn’t generally protect the message contents, but it completely protects usernames and passwords from detection. This is important because it prevents identity theft, forged messages, etc.

TLS is very easy to use. It usually only involves clicking a few checkboxes in the configuration of your email client. It is transparent to your recipients – you can use TLS for these services even if your recipients can not or do not. These measures protect you and your password. We strongly encourage using TLS for email communications (and any communications over the internet) whenever possible.

Email Privacy with Anonymous SMTP

In previous sections, we wrote that when you send email via any email client (not usually WebMail, though some provider’s WebMail also does this), your computer’s internet IP address is included in the message for all recipients to see. Depending on your Internet Service Provider, this information may be used to determine your location! This could be a serious issue for people very concerned about their privacy. Other information like the email program you use is also visible to the recipient.

Anonymous SMTP services, or re-mailers, provide a good way of keeping all of the functionality of SMTP that you require while giving you back your privacy. These services typically receive your message via (Authenticated) SMTP (ideally, they would also support SMTP over TLS, as described above) and then “scrub” the message, removing all information about the computer’s address, the email program, and any other non-standard information. These services then re-email your scrubbed message to the intended recipients.

The result is that the recipients get the message just as they would have without the “Anonymous” service, except that they can only track the message back to your Anonymous SMTP server. They know who you are, based on your email address and your message content, but they have no way of knowing where you are or what email program you are using.

Most anonymous SMTP services log all information they scrub out of messages and track all activity. So, while your recipients do not know where you are, your email service provider does. This type of service prevents any real benefit to people who send unsolicited or forged emails. Their service provider can quickly respond to complaints or abuse, identify the sender, terminate the account, and bring legal measures to bear.

It provides a level of privacy that is functionally equivalent to sending through a WebMail interface.

LuxSci offers Anonymous SMTP services to all clients who have SMTP Relaying services. This service is also compatible with LuxSci’s SMTP over TLS services and only requires changing the port you use to connect to LuxSci’s SMTP servers.

Email Security via Asymmetric Key Encryption (PGP and S/MIME)

While TLS protects your password and message contents to some extent, it does not solve any other problems we have discussed: repudiation, encryption, unwanted backups, message modification, etc. This is because TLS only protects the message path as it is transmitted between you and your server and (maybe) between servers. It does not protect messages stored on disk or transmitted between servers that do not both support TLS.

The ultimate solution is to use asymmetric key encryption to provide message signatures and encryption. This completely solves the issues of:

  • Eavesdropping (everything is always encrypted)
  • Message modification (message digests are used)
  • Message replay (you can include a timestamp in the signature)
  • Repudiation (signatures allow proof of who sent the message)
  • Unprotected backups (everything is always encrypted)

Asymmetric key encryption should be used with SSL so that your username and password (and message headers such as the subject) are also protected. Why? These credentials are not part of the message body and thus would not be encrypted along with the message.

Fortunately (or unfortunately), there are two widely used forms of asymmetric key encryption for email: S/MIME and PGP (see how to set PGP up). Both allow you to add signatures or encryption to your messages. PGP is compatible with standard email clients. S/MIME is built into most email programs, but you must obtain a S/MIME certificate from a third-party company or LuxSci.

Interoperability Problems

PGP and S/MIME solve many email security problems, but they also create another: interoperability. One interoperability issue is that PGP and S/MIME are entirely incompatible. If you are using PGP and your friend is using S/MIME, you will not be able to send each other secure messages.

That said, PGP has been an internet standard (OpenPGP – RFC 2440) since 1997. PGP-encrypted email accounts for a significant fraction of the current encrypted email traffic on the internet. So, using PGP will make you compatible with many people. However, S/MIME is easier to use. It is installed in most email programs and the distribution and management of certificates is often easier than with PGP. Some email clients, such as Microsoft Outlook, can be configured to use BOTH PGP and S/MIME so that you can correspond securely using whatever method is necessary.

See also: How to install S/MIME and PGP Encryption Certificates into Major Email Clients

The other interoperability issue involves exchanging keys. You need to know the public key of the recipient to send them an encrypted message. The public key is also needed to prove that a message was signed or unaltered. So it is necessary to trade public keys before secure communication can begin. There are various ways to trade keys (including email). PGP offers “key servers” from which your correspondents’ keys can be downloaded to make the process easier. However, not everyone has their PGP keys listed on a key server, let alone the same key server. Even more challenging is that not everyone uses PGP. The key exchange issue is still an impediment to sending secure messages — especially if you have to send them quickly.

Keys are usually communicated ahead of time or key management is taken care of by a secure email service provider.

Email Security Compatible with Everyone: “Secure Message Pickup”

Secure Message Pickup Encryption uses a trusted “encryption middleman” to provide almost the same level of email security offered by asymmetric key encryption but with universal compatibility. Here is how it works:

  1. The sender connects to the middleman’s SMTP or WebMail portal on a secure TLS connection.
  2. The middleman validates the sender.
  3. The sender creates a message.
  4. The message sender chooses some method for verifying the recipient’s identity. This could be via a password, a question and answer, a login to a portal, etc.
  5. The middleman encrypts the message (e.g., using AES256) and stores it on his server.
  6. The middleman sends a plain text message to the recipient with only a secure link to the middleman’s web portal and a unique message password that is part of the encryption key. The middleman then ‘forgets’ this password so that he cannot decrypt the message until he gets the password back from the recipient.
  7. The recipient connects to the middleman’s web portal over a secure TLS connection and logs in.
  8. The middleman decrypts the message and presents it to the recipient.

The encryption middleman handles all the dirty work; it doesn’t matter if the sender uses PGP and the recipient uses S/MIME. In fact, it doesn’t matter if either uses encryption at all! All that the sender and recipient need is a web browser and regular email service. The middleman takes care of everything else.

How does it solve the security problems we mentioned earlier?

  1. Eavesdropping: No one can eavesdrop on the message because the sender and recipient connect to the middleman on a secure TLS connection.
  2. Identity Theft: No one can steal the sender’s login or the recipient’s verification information because both the sender and the recipient use TLS connections.
  3. Invasion of Privacy: The recipient knows nothing about the sender’s computer, email client, or location. She only knows that he used the middleman.
  4. Message Modification: No one can modify the message because it never leaves the middleman’s server and is encrypted and signed while residing there.
  5. False Messages: The message is only accessed on the middleman’s server, so no one else can pretend to send it.
  6. Message Replay: No one can re-send the message because it never leaves the middleman’s server.
  7. Unprotected Backups: The message is encrypted when stored, so it is secure even in backups.
  8. Repudiation: The recipient knows that the sender sent the message because the middleman validated him, and digital signatures are used.

In addition, the middleman can keep a log of who accesses the message and at what times. Thus the sender can audit the message to see who has viewed it.

Notice that the message is secure and anonymous. It is encrypted and stored on the middleman’s servers, so it is not subject to the security of intermediate relaying servers. Only the middleman can encrypt and decrypt the message, and only authorized recipients can access the message. The recipient knows nothing about the sender’s computer, only that he used the middleman. As long as the middleman is trustworthy, the message is entirely secure, completely anonymous, and completely compatible.

LuxSci’s SecureLine service provides complete “Escrow” encryption as a form of Secure Message Pickup and options for PGP, S/MIME, and TLS.

SMTP TLS

There is a growing trend for SMTP Servers to support “opportunistic TLS.” If both the sending server and the recipient server support opportunistic TLS, they will automatically negotiate a secure TLS-encrypted connection and transport your email message. This has the effect of securing server-to-server delivery of email across the internet. This is great, except:

  1. Some email providers do not yet support Opportunistic TLS
  2. The email will be transmitted insecurely if it is not supported or the security setup fails.

An alternative to opportunistic TLS supported by LuxSci as part of SecureLine is “Forced TLS.” With Forced TLS,

  1. Email going to a recipient whose servers support opportunistic TLS will be delivered via TLS or not delivered at all until TLS is working.
  2. Email that is going to a recipient whose server does NOT support opportunistic TLS will automatically “fall back” to the use of some other form of encryption (e.g., Secure Message Pickup).

When TLS is “good enough” for you, it is ideal, as it is the easiest form of encryption to use. It is “business as usual,” which everyone likes. So, if TLS is good enough, use TLS with recipients who support it and use other means with those that do not.

Conclusion

Email is, in general, completely insecure! The primary email security issues include:

  1. Eavesdropping
  2. Identity Theft
  3. Invasion of Privacy
  4. Message Modification
  5. False Messages
  6. Message Replay
  7. Unprotected Backups
  8. Repudiation

Ways to Protect Your Emails

TLS: It is easy to use TLS to secure the communications between your computers and the email service provider. This works no matter who your recipients are. TLS improves email security in these ways:

  1. It establishes that you are contacting your service provider’s computers and not someone else’s
  2. It encrypts the username and password you use to log in to these servers. This mitigates identity theft and other issues.
  3. It protects your message from eavesdroppers between your computer and your SMTP server.

Anonymity: If you have access to an Anonymous SMTP server, you have an easy way to increase your internet privacy. Anonymous SMTP provides:

  1. IP address privacy so that message recipients cannot determine your computer’s internet address (and thus your location).
  2. Email client privacy so that the recipients cannot determine what email client is used.
  3. A means to strip out any other non-standard “email header” data that may be lurking in your outbound messages.

PGP and S/MIME: PGP and S/MIME keys use asymmetric key encryption to protect the contents of your messages throughout their complete journeys. They improve email security by:

  1. Protection against eavesdropping and unwanted backups
  2. Message Digests to detect whether messages have been altered in transit
  3. Signatures to prove sender authenticity

We highly recommend the use of TLS for email communications. Unfortunately, PGP and S/MIME are not being used as extensively as they should be. More companies are using TLS and secure message pickup to encrypt communications. The impediment of setting up, enforcing usage, and training employees on PGP and S/MIME is more challenging than the benefit of use. The cost savings gained by using secure messaging are challenging to quantify, especially as most companies assume that they don’t (or won’t) have significant problems in this arena. These assumptions are changing as the threat of security issues is growing. Technologies such as S/MIME and PGP are gaining more traction with the general public.

Secure Message Pickup encryption avoids the impediments of PGP and S/MIME encryption while providing complete email security, anonymity, and other features. This has no learning curve because it can be easily integrated into an existing email system. Anyone concerned about security but doesn’t know how to set it up can use Secure Message Pickup as quickly as they use WebMail. In addition, it can communicate securely with anyone with an internet connection and regular email.

Forced TLS provides a means of communication with recipients whose email servers also support TLS. If the added benefits of having the message always encrypted, even at rest, are not requirements, Forced TLS is a good option.

Unlike computer break-ins and other security problems, problems with email security are tough to detect. You cannot tell if someone is reading your email or modifying messages subtly until it is too late. You cannot quantify the cost of email and information security problems until it is too late.

Still have questions? Contact us.

Tags: asymmetric encryption, eavesdropping, email security, false messages, http, identity theft, imap, invasion of privacy, message modification, Message Replay, opportunistic TLS, pgp, pop, repudiation, s/mime, Simple Mail Transport Protocol, smtp, SMTP relaying, smtp server, ssl, ssl certificate, symmetric encryption, tls, Unprotected Backups
Posted in AAA Featured Articles, LuxSci Library: Security and Privacy
14 Comments »

What exactly does HIPAA say about Email Security?

Wednesday, February 26th, 2025

Performing daily business transactions and communications through electronic technologies is accepted, reliable, and necessary across the nation’s healthcare providers, payers and suppliers. As a result, email has become a standard in the healthcare industry as a way to conduct business activities that commonly include:

  • Interacting with patients
  • Real time authorizations for medical services
  • Transcribing, accessing and storing health records
  • Appointment scheduling
  • Referring patients
  • Explanation of benefits
  • Marketing offers
  • Submitting claims to health plan payers for payment of the services provided

Collaborative efforts amongst healthcare providers have improved the delivery of quality care to patients in addition to the recognized increase in administrative efficiency through effective use of email and other types of digital communication. Patients are becoming more and more comfortable with emailing their physician’s office to schedule an appointment, discuss laboratory results, or request refills on medication. Medicare and some other insurance payers also recognize and pay for virtual care where the health provider and patient interact over video (telemedicine).

Using digital communications, undoubtedly, poses concerns about the privacy and security of an individual’s information. In healthcare, the confidentiality of a patient’s information has been sacred since the days of the Hippocratic Oath (Hippocrates – the Father of Medicine, 400 B.C.). Today, merely taking an oath to respect one’s privacy has been overshadowed by regulations that govern how certain healthcare establishments must handle an individual’s health information. So, if a healthcare organization employs email as a means of communicating medical and/or mental health data to appropriate parties, including patients and customers, they must also ensure that information is well safeguarded.

This article addresses the specific issues that healthcare provider, payers and suppliers must address in order to be in compliance with HIPAA and HITECH certified. It will also lay out how LuxSci enables healthcare organizations to meet these requirements though HIPAA compliant email outsourcing.

Overview of HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) implemented new rules for the healthcare world. Mandating compliance with its Privacy and Security Rules, the federal government is committed to enforcing patients’ rights. Industry professionals – financial, administrative and clinical – are no strangers to the regulatory compliance culture. HIPAA laws apply to a covered entity; i.e. healthcare providers, suppliers, clearinghouses and health plan payers that meet certain conditions. In essence, most providers are covered entities if they employ digital communications, meaning they function by storing and exchanging data via computers through intranets, Internet, dial up modems, DSL lines, T-1, etc. Additionally, HITECH extends the requirements of HIPAA to any business associate of a covered entity and to all business associates of  business associates (all the way down the line) who may come into contact with Protected Health Information originating from a covered entity.

HIPAA email security applies specifically to protected health information, not just personal information. Protected Health Information (PHI), as defined in HIPAA language, is health information of an identifiable individual that is transmitted by electronic media; maintained in any electronic medium; or transmitted or maintained in any other form or medium. For example, all administrative, financial, and clinical information on a patient is considered PHI and must abide by the following standards:

  • Privacy Standards: The HIPAA Privacy Rule sets standards for protecting the rights of individuals (patients). Covered entities must follow the laws that grant every individual the right to the privacy and confidentiality of their health information. Protected Health Information is subject to an individual’s rights on how such information is used or disclosed.
    Privacy Standard Key Point: Controlling the use and disclosure of oral, written and electronic protected health information (any form).
  • Security Standards: Taking the Privacy Rule a step further, HIPAA implemented the Security Rule to cover electronic PHI (ePHI). To this end, more secure and reliable information systems help protect health data from being “lost” or accessed by unauthorized users.
    Security Standard Key Point: Controlling the access to electronic forms of protected health information (not specific to oral or written).

The Privacy and Security Rules focus on information safeguards and require covered entities and their business associates to implement the necessary and appropriate means to secure and protect health data. Specifically, the regulations call for organizational and administrative requirements along with technical and physical safeguards.

Provisions of the HIPAA Email Security Rule

The HIPAA language uses the terms required and addressable. Required means that complying with the given standard is mandatory and, therefore, must be complied with.  Addressable means that the given standards must be implemented by the organization unless assessments and in depth risk analysis conclude that implementation is not reasonable and appropriate specific to a given business setting.  Important Note: Addressable does not mean optional.

With regard to addressable, an organization should read and decipher each Security standard separately and deal with each piece independently in order to determine an approach that meets the needs of the organization.

The General Rules of the Security Standards reflect a “technology-neutral” approach. This means that there are no specific technological systems that must be employed and no specific recommendations, just so long as the requirements for protecting the data are met.

Organizational requirements refer to specific functions a covered entity must perform, including the use of business associate contracts and the development, documentation and implementation of policies and procedures.

Administrative requirements guide personnel training and staff management in regard to PHI and require the organization to reasonably safeguard (administrative, technical and physical) information and electronic systems.

Physical safeguards are implemented to protect computer servers, systems and connections, including the individual workstations. This section covers security concerns related to physical access to buildings, access to workstations, data back up, storage and obsolete data destruction.

Technical safeguards affect PHI that is maintained or transmitted by any electronic media. This section addresses issues involving authentication of users, audit logs, checking data integrity, and ensuring data transmission security.

Risk Analysis

Risks are inherent to any business and, therefore, with regard to HIPAA, each organization must take into consideration the potential for violating an individual’s right to privacy of their health information. HIPAA allows for scalability and flexibility so that decisions can be made according to the organization’s approach in protecting data. Covered entities and their Business Associates must adopt certain measures to safeguard PHI from any “reasonably anticipated” hazards or threats. After a thorough yearly risk analysis, a yearly assessment of the organization’s current security measures should be performed. Additionally, a cost analysis will add another important component to the entire compliance picture. A plan to implement secure electronic communications starts with reviewing the Security Rule and relating its requirements to the available solution and your business needs.

HIPAA Administrative and Physical Safeguards

Below are the administrative and physical safeguards as outlined in the Federal Register. These requirements are items that must generally be addressed internally, even if you are outsourcing your email or other services.  We will discuss these safeguards in more detail below.

Standard: ADMINISTRATIVE SAFEGUARDS Sections Implementation Specification Required or Addressable
Security Management Process 164.308(a)(1) Risk Analysis R
Risk Management R
Sanction Policy R
Information System Activity Review R
Assigned Security Responsibility 164.308(a)(2) R
Workforce Security 164.308(a)(3) Authorization and/or Supervision A
Workforce Clearance Procedures R
Termination Procedures A
Information Access Management 164.308(a)(4) Isolating Health Care Clearinghouse Function R
Access Authorization A
Access Establishment and Modification A
Security Awareness and Training 164.310(a)(5) Security Reminders A
Protection from Malicious Software A
Log-in Monitoring A
Password Management A
Security Incident Procedures 164.308(a)(6) Response and Reporting R
Contingency Plan 164.308(a)(7) Data Backup Plan R
Disaster Recovery Plan R
Emergency Mode Operation Plan R
Testing and Revision Procedure A
Applications and Data Criticality Analysis A
Evaluation 164.308(a)(8) R
Business Associates Contracts and Other Arrangement. 164.308(b)(1) Written Contract or Other Arrangement R
Standard: PHYSICAL SAFEGUARDS Sections Implementation Specification Required or Addressable
Facility Access Controls 164.310(a)(1) Contingency Operations A
Facility Security Plan A
Access Control and Validation Procedures A
Maintenance Records A
Audit Controls 164.312(b) R
Integrity 164.312(c)(1) Mechanism to Authenticate EPHI A
Workstation Use 164.310(b) R
Workstation Security 164.310(c) R
Device and Media Controls 164.310(d) Disposal R
Media Re-use R
Accountability A
Data Backup and Storage A

Importance of Encryption for Email Communication

The security risks for email commonly include unauthorized interception of messages en route to recipient, messages being delivered to unauthorized recipients, and messages being accessed inappropriately when in storage. These risks are addressed in the Security Rule’s technical safeguards section, particularly:

  1. Person or Entity Authenticationrequired procedures must be implemented for identification verification of every person or system requesting access to PHI. This means the identity of the person seeking information must be confirmed within the information system being utilized.  It also means that shared logins are not permitted.
  2. Transmission Securityaddressable data integrity controls and encryption reasonable and appropriate safeguards.
  3. Business Associates – if you outsource your email services to another company and your email may contain ePHI in any form, then that company must be HIPAA compliant, sign a Business Associate Agreement with you, and actively safeguard your ePHI.

Each healthcare organization using email services must determine, based on technologies used for electronic transmission of protected health information, how the Security standards are met.

Addressable specifications include automatic log off, encryption, and decryption. Covered entities must also assess organizational risks to determine if the implementation of transmission security which includes integrity controls to ensure electronically-transmitted PHI is not improperly modified without detection is applicable. E.g. it is applicable for any ePHI going over the public Internet; it may not be necessary for information flowing between servers in your own isolated office infrastructure. Encryption of ePHI at rest (as it is stored on disk) is also addressable and not a requirement under HIPAA regulations; however, a heightened emphasis has been placed on encryption due to the risks and vulnerabilities of the Internet.

Ultimately, according to the Department of Health and Human Services, covered entities and their business associates can exercise one of the following options in regard to addressable specifications:

  • Implement the specified standard;
  • Develop and implement an effective security measure to accomplish the purpose of the stated standard; or
  • If the specification is deemed not reasonable and appropriate for the organization but the standard can still be met, then do not implement anything.

Reasonable and appropriate relate to each organization’s technical environment and the security measures already in place.

Questions to Consider When Choosing an Email Service Provider

When your organization is responsible for critical data such as protected health information, choosing an email provider is more than a matter of trust. Does the email service provider build on the administrative, physical and technical safeguards while delivering to its customers:

  • Signed Business Associate Agreement
  • Awareness of their responsibilities under HITECH and Omnibus
  • Solutions that meet or exceed HIPAA’s Security Standards
  • Willingness to work with you and advise you on your security and privacy choices
  • Protect data integrity
  • Flexible, scalable services – no account is too small
  • Administrative access to assign or change a user’s password
  • Controls to validate a user’s access
  • Audit controls to track user access and file access
  • Allow access to users based on role or function
  • Automatic log off after specified time of inactivity
  • Data transmission security
  • Unlimited document or email transfer
  • Ability for encryption
  • Emergency access for data recovery
  • Minimal server downtime
  • Secure data back up and storage
  • Secure data disposal
  • User friendly, web-based access without the necessity of third party software
  • Privacy in not selling or sharing its client contact information

A Scalable, Flexible, HIPAA-Compliant Email Services

LuxSci offers secure, premium email services including extensive security features, Spam and virus filtering, robustness, and superior customer service. The offerings are scalable to any size healthcare organization.

In addition to LuxSci itself protecting your ePHI by following the HIPAA Security and Privacy Rules as required by the HITECH amendment to HIPAA, LuxSci also provides a clean set of guidelines for using its services that enable your ePHI to be safeguarded; these guidelines are automatically enforced by the use of any “HIPAA Compliant” account.  If you follow these guidelines and sign LuxSci’s Business Associate Agreements, LuxSci will certify your account as HIPAA compliant and give you a HIPAA Compliance Seal.

Take a look at the table below to see examples of how LuxSci enables you to meet HIPAA’s requirements for protecting electronic communications in your organization.

Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Access Control 164.312(a)(1) Unique User Identification R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Assign a unique name and/or number for identifying and tracking user identity.”
Solution: Use of unique usernames and passwords for all distinct user accounts.  No shared logins; but sharing of things like email folders between users is permitted.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Emergency Access Procedure R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency”
Solution: PHI in email communications can be accessed from any location via the Internet. There are also mechanisms for authorized administrative access to account data.  Optional Email Archival and Disaster Recovery services provide enhanced access to email in case of emergency.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Automatic Logoff A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”
Solution: An organization can set screen savers on their desktops to log users out. Additionally, WebMail and other email access services (e.g. POP, IMAP, and Mobile) automatically log off all users after a predetermined amount of time; the WebMail session time is user- and account-configurable.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Encryption and Decryption A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: Implement a mechanism to encrypt and decrypt electronic protected health information.
Solution: All usernames, passwords, and all other authentication data are be encrypted during transmission to and from LuxSci’s servers and our clients using SSL/TLS. Additionally, SecureLine permits end-to-end encrypted email communications with anyone on the Internet, SecureForm enables end-to-end encryption of submitted web site form data, and WebAides permit encryption of sensitive documents, passwords databases, and internal blogs.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Audit Controls 164.312(b) R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
Solution: Detailed audit trails of logins to all POP, IMAP, SMTP, LDAP, SecureLine,and WebMail services are available to users and administrators. These include the dates, times, and the IP addresses from which the logins were made. Auditing of all sent and received email messages is also available. SecureLine also permits auditing of when messages have been read.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Integrity 164.312(c)(1) Mechanism to Authenticate ePHI A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”
“Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”
Solution: To prevent unauthorized alteration or destruction of PHI, the use of SSL, TLS, PGP, and SecureLine will verify message and data integrity.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Person or Entity Authentication 164.312(d) R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
Solution: Username and Password are used for access control (Two-factor verification is also available); strict control is given over who can access user’s accounts. LuxSci’s privacy policy strictly forbids any access of email data without explicit permission of the user (unless there are extenuating circumstances). Also, use of SecureLine end-to-end encryption in email and document storage ensures that only the intended recipient(s) of messages or stored documents can ever access them.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Transmission Security 164.312(e)(1) Integrity Controls A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
“Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
Solution: SSL-based encryption during the transmission of data to/from our clients for WebMail, POP, IMAP, SMTP, and document storage services is provided. SMTP TLS-based encryption of inbound email at LuxSci ensures that all email sent internally at LuxSci meets “Transmission Security” guidelines and allows you to securely receive email from other companies whose servers also support TLS. LuxSci also provides SecureLine for true end-to-end encryption of messages to/from non-clients.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Encryption A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
Solution: SSL encryption for WebMail, POP, IMAP and SMTP services is provided. Additionally, encrypted document and data storage is available and use of SecureLine for end-to-end security is enforced.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Device and Media Controls 164.310(d) Data Backup and Storage R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.”Solution: Daily on-site and weekly off-site backups ensure exact copies of all ePHI are included. Live data is stored on redundant RAID disk arrays for added protection. Furthermore, Premium Email Archival provides permanent, immutable storage on servers in multiple geographic locations.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Data Disposal R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”Solution: Clients can delete their data whenever desired. Additional security comes in automatic expiration of data backups (cease to exist after 1 month). Alternate expiration plans are available for large clients.

Healthcare staff using LuxSci can send and receive email from anywhere in the world using existing or new email clients or web browsers.  A comprehensive solution for a complex law – managed by your account administrators in-house or remotely by our company. Risk assessments for potential HIPAA violations can be performed by administrators through the use of audit trails. Reliability and cost effective solutions are the backbone of LuxSci – even for extremely large client organizations. And, count on the physical security of our servers.

Chart of LuxSci Services and the HIPAA Rules they Satisfy

If you are interested in specific services at LuxSci and would like to know exactly which of the HIPAA rules each service meets, the following charts will assist you. Please contact LuxSci for more information.

HIPAA Rule 1. View Email: Secure WebMail, POP, IMAP, or Mobile Sync 2. Send Email: Secure WebMail, SMTP, or Mobile Sync 3. Encryption with SecureLine combined with 1 and 2 4. Secure Collaboration (WebAides)
Access Control – Unique User Identification
Access Control – Emergency Access (a) (a)
Access Control – Automatic Logoff
Audit Controls
Integrity (b) (b)
Person or Entity Authentication (b) (b)
Transmission Security > Integrity Controls (c) (c)
Transmission Security > Encryption (c) (c)
Device and Media Controls > Data Backups
Device and Media Controls > Data Disposal

(a) Our secure document storage service and use of SecureLine for communications may assume that the recipients have special passwords for their “Secure data access certificates” (PGP or S/MIME). These passwords are may be stored in a “Password Escrow” (a special secure password database) if the users so choose. In these cases, passwords to security keys can be retrieved in case of emergency or in case of loss.

(b) Our secure document storage service and use of SecureLine for communications encrypts data so that only the intended recipient(s) can ever view the data. The encryption process also allows the recipient(s) to verify that the data was not altered since it was sent or stored using digital signatures.

(c) SSL/TLS solutions encrypt the message during transport to and from LuxSci’s servers and your personal computer. Email sent from LuxSci to external addresses is secured with the use of SecureLine.

LuxSci provides complete transport layer and end-to-end email security compatible with any email user anywhere, no matter what software they may have.

Tags: access control, addressable, audit controls, authentication, covered entities, email security, email security rule, encryption, ePHI, Health Insurance Portability and Accountability Act, heathhealthcare, hipaa, hitech, integrity, omnibus, phi, privacy, protected health information
Posted in AAA Featured Articles, LuxSci Library: HIPAA
9 Comments »

How Can I Prove an Email was Sent to Me?

Tuesday, January 16th, 2024

Almost everyone has been in this situation: someone claims to have sent you an email message, but you look in your inbox and don’t see it. As far as you know, you never got it. How can you prove an email was sent?

searching for an email

How to Prove That an Email was Sent

So, where do you start? As the purported recipient of an email message, the easiest way to prove that a message was sent to you is to have a copy of that message. It could be:

  1. In your inbox or another email folder
  2. A copy in your permanent email archives

 Sometimes, missing emails are caused by simple user errors. The obvious place to start the search is in your inbox and email folders. It’s also a good idea to check your email filtering and archival services. It’s possible that your email filtering system accidentally flagged the message as spam or sent it to quarantine. If it’s not there, check your email archival system. That should capture a copy of all sent and received messages. 

Hopefully, that will solve the issue. If it doesn’t, it’s worth stepping back to understand where the email could have gone and where you should turn next to solve the problem.

What happened to the email?

In reality, there are only a few things that could have happened:

  1. The recipient never sent the message.
  2. The recipient did send the message, but it did not reach you.
  3. The message did make it to you, but it was accidentally or inadvertently deleted (or overlooked).

Let’s begin with what you can check and investigate. Start your search soon. The more time that elapses, the less evidence you may have, as logs and backups get deleted over time.

Did the recipient actually send the message?

First, you should know that the sender could have put tracking on the message so that they were informed if you opened or read it (even if you are unaware of the tracking). In such cases, the sender can disprove false claims of “I didn’t get it!” If you are concerned about an email being ignored, use read recipients or tracking pixels to confirm email delivery.  

If you never saw the message, do what we discussed above and start searching your email folders for it. It could have been accidentally moved to the wrong folder or sent to the Trash folder. If you have a folder that keeps copies of all inbound emails (like LuxSci’s “BACKUP” folder), check there too. Check your spam folder and spam-filtering system. Your spam-filtering system may also have logs that you can search for evidence of this message passing through it. Finally, check any custom email filters you may have set up with your email service provider or in your email programs. If you have filters that auto-delete or auto-reject some messages, see if that may have happened to the message in question.

The searches above are straightforward; you can do many of them yourself. Often, they will yield evidence of the missing message or explain why you might not have received it.

Maybe the email was sent but didn’t make it to you?

Email messages leave a trail as they travel from the sender to the recipient. This trail is visible in the “Received” email headers of the message (if you have it) and in the server logs at the sender’s email provider and your email provider. If you know some aspects of the message in question (i.e., the subject, sender, recipient, and date/time sent), you can ask your email service provider to search their logs to see if there is any evidence of such a message arriving in their systems. This will tell you if such a message reached your email provider. However, email providers can typically only search the most recent one to two weeks of logs. So, if the message in question was from a while ago, your email service provider may be unable to help you (or may charge you a lot of money to manually extract and search archived log files if they have them). 

If your email provider has no record of the message or cannot search their logs, you (or the sender) can ask the same question of the sender’s email provider. If they can provide records of such an email being sent through their system, that will prove the email was sent.

The log file analysis provided by the email providers could also explain why you didn’t get the message. Your email address might have been spelled wrong, there could have been a server glitch or issue, etc. However, if the message was sent long ago, the chance of learning anything useful from the email provider is small. Also, if you use a commodity email provider such as AOL, Yahoo, Outlook, Gmail, etc., you may find it impossible to contact a technical support person and have them perform an accurate and helpful log search. Premium providers, like LuxSci, are more likely to support your requests. 

The last thing you can do is have the sender review their sent email folders for a copy of that message. If they have it, that can indicate that they sent it and can reveal why you didn’t get it (i.e., wrong email address, content that would have triggered your filters, etc.). However, be wary. It is easy to forge a message in a sent email folder, so it should not be considered definitive proof that the message was sent. And, even so, just because the message was sent, it does not prove it ever made it to your email provider or inbox.

The recipient never actually sent the email message

If the sending event was recent, then the data from your email service provider can prove that the message did not reach you, but that doesn’t prove that it was not sent. The sender may claim that they do not have a record of sent messages and that their email provider will not do log searching, and that may also be true. At this point, you are stuck without a resolution. 

While email is a reliable delivery system, there are many ways for messages not to make it to the intended recipient. Whether it was not sent or was sent and never arrived, the result is the same- no message for you. As a result, it’s best not to send legal notices or other important documents only by email. Using read receipts and other technologies when sending important messages can help increase confidence that an email was sent and received. Still, there is no foolproof way to guarantee email delivery.

How Do I Prove the Email Sender’s Identity?

A separate but related question is, how can I be sure the sender is who they say they are? Social engineering is rising, and cybercriminals can use technology to impersonate individuals and companies. If you are questioning whether the sender actually sent the message to your inbox (or if it is from a spammer or cybercriminal), it is necessary to perform a forensic analysis of the email headers (particularly the Received lines, DKIM signatures, etc.) and possibly get the sender’s email provider involved to corroborate the evidence. To learn more about how to conduct this analysis, please read: How Spammers and Hackers Can Send Forged Email.

Tags: dkim, email, email security, fraud, lost, missing, sent, tracking
Posted in LuxSci Library: The Technical Side of Email
No comments »

Is the Email Encrypted? How to Tell if an Email is Transmitted Using TLS

Tuesday, January 9th, 2024

SMTP TLS encryption is popular because it provides adequate data protection without creating a complicated user experience for email recipients. Sometimes, though, the experience is too seamless, and recipients may wonder if the message was protected at all.

Luckily, there is a way to tell if an email was encrypted using TLS. To see if a message was sent securely, we can look at the raw headers of the email. However, it requires some knowledge and experience to understand the text. It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely transmitted.

To analyze a message for transmission security, we will look at an example email message sent from Hotmail to LuxSci. We will explain what to look for when decoding the message headers and how to tell if the email was transmitted using TLS encryption.

encrypted email transmission

Read the rest of this post »

Tags: email encryption, email headers, email security, hotmail, secureline, smtp, ssl, tls, tls encryption, transmission
Posted in LuxSci Library: Security and Privacy, Popular Posts
3 Comments »

Preventing Email Forgery Part Three: DMARC

Tuesday, December 19th, 2023

In our previous two posts in this series, we examined how SPF and DKIM can help limit forged email messages by looking at the IP address and validating if the message was sent from an approved source based on digitally signed messages. We found that while SPF and DKIM can effectively prevent email fraud and forgery, weak implementations can make them vulnerable to attackers.

That’s where DMARC comes in. When properly implemented, DMARC provides instructions for what email filters should do with messages that fail SPF or DMARC. 

implementing DMARC in DNS

DMARC: A Simple Explanation

When using SPF and DKIM, email filters check if messages pass or fail SPF and DKIM. They use the DNS-published strictness settings to help them determine what to do next. How a particular filter is implemented determines what happens, leading to varied and inconsistent results.

So, what does DMARC do?

A DMARC policy allows a sender to indicate that both SPF and DKIM protect their emails and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes the guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report to the sender about messages that pass or fail DMARC evaluation.

In practical terms, with a DMARC policy published in DNS:

  1. The message must pass either SPF or DKIM but does not need to pass both.
  2. This resolves the deficiencies of SPF (forwarding) and DKIM (inadvertent message modification) by allowing compensation via the other mechanism.
  3. Sender policies can specify what to do with messages not passing SPF and DKIM. There are three options: do nothing, quarantine them, or reject them. There is no longer any implementation-specific ambiguity on what filters should do and when.

Setting up DMARC

The domain owner must properly set up the DNS records to use DMARC (as with all anti-fraud solutions for email). If you cannot access the domain settings, you will be unable to update your DNS settings and will not be able to use DMARC.

DMARC is set up by adding special entries to the published DNS settings for the domain. You can use a tool, such as this DMARC Record Assistant, to create the DMARC DNS record for your domain.

We will not spend time on the details of the configuration or setup here. Instead, we will look at the utility of DMARC and its limitations.

The Benefits of DMARC

Once DMARC is set up, it helps reduce fraudulent emails from a domain. Simple forged spam and basic phishing attacks are curtailed more effectively with DMARC than with SPF and DKIM alone. Using DMARC combines them into a more comprehensive check with a consistent, well-defined failure state (e.g., reject or quarantine).

DMARC shines when implemented by domain owners using weak SPF and DKIM records. It allows email servers to accept that one of these validation schemes may fail while still requiring that the other one passes for the message to be considered legitimate. This is excellent progress.

DMARC is recommended for every domain owner and email filtering system. However, you must have control over all of the sources of messages from your domain name.

An interesting side effect is that, in some aspects, DMARC can make a domain more susceptible to determined forged emails!

The Limitations of DMARC

This is counterintuitive. Combining DKIM and SPF into a unified, complementary policy set that allows each to compensate for the other’s weakness is a fantastic idea and does a great job. However, a side effect of this technique in determining fraud is that it requires only one DKIM or SPF record to pass, NOT BOTH. In fact, there is no way to use DMARC to require that both must pass.

How Can Attackers Bypass DMARC?

An attacker only needs to find a way to pass one validation check to bypass DMARC. Note that this is only worse than separate use of SPF and DKIM if your SPF and DKIM rules are both strict (if it doesn’t pass — “drop it”). In most other cases, it’s the same or better than using both technologies separately.

Looking at our previous analyses of SPF and DKIM, an attacker could generate a forged email that passes DMARC if:

  1. They can send from an IP address allowed under the forged sender domain’s SPF policy. This can be done using the same email provider as the sender.
  2. They can send you a message from one of the servers authorized by the DKIM for the domain. If that server does not care who initiated the message but will sign any messages going through it with the proper DKIM keys, then the message will look legitimate. If the attacker signs up with the same email provider used by the forged domain and that provider’s servers do not restrict DKIM key usage, they can send an email from those same servers as the legitimate account and have their messages adequately signed.
  3. The attacker can compromise any sender’s workstations, email servers, or vendor’s email servers.

So, it requires a determined attacker with some knowledge of the sender’s infrastructure and some ingenuity to get past DMARC.

In addition, there is another way they can easily get past DMARC:

  1. If the sender’s domain has DMARC, SPF, and DKIM DNS records, if the recipient’s spam filters do not pay attention to DMARC (or the others), then these settings will be all for naught, and the forged message will still appear legitimate.

A determined attacker will gain knowledge both of the anti-fraud settings of the sender’s domain and of the capabilities of the recipient’s systems. The weaker the filters, the easier the attacker’s job can be.

What Else Can We Do to Prevent Email Forgery and Fraud?

Technologies are getting better and better at preventing email fraud, but none of them are foolproof. SPF and DKIM are implemented inconsistently, and DMARC is not well-supported across email filters. DMARC records are also not published for a majority of domains. Many that publish them have “no nothing” records designed to test the waters and gain telemetry on what messages they sent would fail DMARC.

Beyond using these technologies and being vigilant, some additional techniques can be used to lock down the identities of message senders. In the last article in this series, we shall see what some of these are.

Read next: Stopping Forged Email 4: Your Last Resorts

Tags: dkim, DMARC, dns, Domain-based Message Authentication, email fraud, email security, Reporting and Conformance, spam, spf
Posted in LuxSci Library: The Technical Side of Email
No comments »

« Older Entries