Frequently, we are asked to verify if an email that someone sent or received was encrypted using SMTP TLS while being transmitted over the Internet. For example, banks, health care organizations under HIPAA, and other security-aware institutions have a requirement that email be secured at least by TLS encryption from sender to recipient.
This can and should be locked down to ensure that the email message content cannot be eavesdropped upon. This check, to see if a message was sent securely, is fairly easy to do by looking the the raw headers of the email message in question. However, it requires some knowledge and experience. It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely transmitted.
To see how to analyze a message for its transmission security, we will look at an example email message sent from Hotmail to LuxSci, and see that Hotmail did not use TLS when sending this message. Hotmail is not a good provider to use when security or privacy is required. Even Gmail does not provide a level of security and privacy required for HIPAA compliance.
Read the rest of this post »