" secureline Archives - LuxSci

Posts Tagged ‘secureline’

How to Tell If Someone Read Your Email: Read Receipts and Web Bugs

Tuesday, January 30th, 2024

We’ve all been in this scenario: you send an important email to your boss or a client, and then you wait, stressed out and anxious to know if they received it and their response. Typically, you can request a read receipt when sending the message to confirm the email was received. Another method, HTML web bug tracking, can also be used to see if an email message was read. However, spammers often use this method to identify active email addresses. Both methods are unreliable ways to tell if the recipient read an email.

The only way to have complete confidence that a message was read is by using a secure web portal solution like LuxSci’s SecureLine Escrow. It also allows for message retraction, which can be helpful when handling sensitive information.

This article explains how read receipts and web bugs work and how you to tell if someone read your email.

email read receipt

What Are Read Receipts?

Read receipts are requests attached to an email message by the sender. Most email programs, like Outlook, Thunderbird, and LuxSci WebMail, allow read receipts to be added to email messages and allow senders to choose if receipts are sent “never,” “on-demand,” or “always.”

Sending: Read receipts are implemented by adding a special “Header” to the headers area of the outbound email message. For example, if somebody@luxsci.net sent an email message and wanted a Read Receipt, the following “Disposition-Notification-To” header would be added:

Disposition-Notification-To: somebody@luxsci.net

Receipt: When the recipient opens the message, the recipient’s email program may see this header and send a special “Delivery Notification” email back to somebody@luxsci.net. When somebody@luxsci.net gets this notification, they know the message has been read.

Read Receipts are Not Reliable

Read receipts are not a reliable way to know if a message has been read. Why?

  • No Support: The recipient’s email program might not support responding to read receipt requests. In this case, receipts would never be sent.
  • Refusal: Even if the email program supports read receipts, the programs generally allow recipients to choose whether to respond. Recipients could choose to respond “never,” “always,” or “decide each time.” The default usually prompts the recipient and allows them to decide yes or no for each receipt.

So, if you use a read receipt to confirm delivery, you will only get a receipt if the recipient wants you to. Sending read receipt requests is unreliable for confirming the read status of a message in general, especially if the recipient denies that the message was even received!

What are Web Bugs?

So, we’ve established that read receipts aren’t 100% reliable because users can choose not to respond to them. Web bugs try to get around this problem by not letting the recipient know you are checking to see if they read the message. To explain how web bugs work, first, we must take a step back to explain how images are transmitted within email.

When an HTML-formatted email message is opened, any referenced external objects, such as images, are downloaded from the internet and displayed. For example, if someone sends you an email message with a link to display a picture that is not attached to the message but hosted elsewhere, your email program will download that image and display it.

Web bugs are contained within image files. To send a web bug, the sender includes some unique tracking code in the link to a picture in the email. When the email is received, the picture is downloaded, and the web server where it was stored records that download, complete with the date, time, tracking code, and the computer’s IP address. By looking at those web server log files, the sender can confirm if you have downloaded the image and, thus, if you have read the message.

Typically, the tracking code is attached to some small, innocuous image. These small tracking images are collectively known as web bugs because they are invisible to the recipient and are meant to secretly transmit data back to the sender, like a phone bug in a spy movie.

Why Web Bugs Are Not Reliable

Unfortunately, spammers often use web bugs to detect active email addresses. As a result, many email providers have taken steps to reduce their impact. That means that web bugs are also not a reliable way to know if a message has been read. Why?

  • No HTML: No images or other objects will be downloaded if the recipient opens the message in an email program with HTML support turned off. For example, LuxSci WebMail shows recipients a plain text preview of their messages. There is no way to track opening the plain text preview of a message using a web bug.
  • Images Off: If the recipient has turned the display of external images off in their email program, the web bugs will never be downloaded. This is an optional feature in some programs like Thunderbird and LuxSci WebMail.
  • Web Bug Extraction: Some email filters will auto-detect images that look like web bugs (i.e., images that look like tracking codes) and automatically remove them by replacing them with transparent images. The web bugs would not be downloaded in this case, but other images would appear as expected. LuxSci’s Premium Email Filtering can do this.

Spammers don’t care that this is not 100% reliable. It is “good enough” to identify many valid recipients and thus allows them to narrow down their lists and send these people more spam.

How to Tell if Someone Read Your Email

So, as we’ve learned, read receipts and web bugs do not always work and cannot be relied on to indicate if a message was read. What options do we have left?

The only way to tell if your email message was read is if you can control the recipient’s ability to access the message. A common way to do this is to:

  • Save the message on a website over which you have control.
  • Send the recipient a notice that a message is waiting for them on that website and provide them with the means to access it.
  • Record when the recipient successfully connects and uses their access credentials to open the message.

By controlling the message location, you can know if and when the message was retrieved. You also know how many times it was accessed and from what IP address(es), and you could remove access to it (i.e., retract it) at any time.

Other email systems may also provide reliable ways of read access tracking. In every case, it depends on if:

  • The system is configured to support it, and
  • Having complete control over the system that the recipient uses to access the message.

If you cannot control your recipient’s email system, consider using a secure web portal system with tracking included, such as LuxSci’s SecureLine Escrow.

Is the Email Encrypted? How to Tell if an Email is Transmitted Using TLS

Tuesday, January 9th, 2024

SMTP TLS encryption is popular because it provides adequate data protection without creating a complicated user experience for email recipients. Sometimes, though, the experience is too seamless, and recipients may wonder if the message was protected at all.

Luckily, there is a way to tell if an email was encrypted using TLS. To see if a message was sent securely, we can look at the raw headers of the email. However, it requires some knowledge and experience to understand the text. It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely transmitted.

To analyze a message for transmission security, we will look at an example email message sent from Hotmail to LuxSci. We will explain what to look for when decoding the message headers and how to tell if the email was transmitted using TLS encryption.

encrypted email transmission

Read the rest of this post »

Are Replies to Encrypted Emails also Secure?

Tuesday, December 26th, 2023

Sending HIPAA-compliant emails is easy when you use an encryption solution like LuxSci. But what happens when someone replies to an encrypted message? Are the replies also secure? This is primarily a concern when using SMTP TLS as a secure means of email delivery. 

This article will explain how messages are sent securely, how replies behave, and whether they are secure and compliant. At the end, we provide some recommendations for how to balance security and usability. 

Read the rest of this post »

How to Overcome Email Encryption Challenges

Thursday, July 13th, 2023

If your business transmits sensitive information via email, encryption is often required to meet compliance standards. However, if encryption is difficult to use, employees and recipients alike may avoid secure channels and communicate sensitive information insecurely. Email encryption technology must be intuitive for employees to use and easy for recipients to decrypt to encourage adoption. In this article, we explore some of the main issues with email encryption and how to address them to improve the user experience.

man looking at computer frustrated by email encryption

Decrypting Messages is Too Difficult

If it’s challenging for recipients to decrypt messages, they go unread or deleted. Most users will not install new software or create new accounts to read an email message. They will delete the message and move on with their day. Encryption technologies like PGP and S/MIME are highly secure, but with that security comes a lack of usability. It’s essential to evaluate the message contents and select a level of encryption corresponding to the message sensitivity.

The User Experience is Poor

If reading encrypted messages requires the user to visit other websites, log in to other accounts, and verify their identity multiple times, it creates a poor user experience that drives individuals outside of secure channels to communicate. This defeats the purpose of using encrypted email and leaves people unsatisfied.

Email Encryption Technology isn’t Error-Proof

How many times have you forgotten to include an attachment when sending an important email? For users who need to send encrypted emails, remembering to type a keyword or press a button to enable encryption introduces risk, interrupts business processes, and generally limits productivity.

How to Improve the Email Encryption Experience

To address some of these issues, let’s look at a few ways that you can improve the email encryption experience for both senders and recipients.

Use TLS Encryption

Instead of using a secure web portal or exchanging S/MIME and PGP keys, use TLS as often as possible to encrypt emails. TLS is sometimes called “invisible encryption” because it provides a barely noticeable encryption experience for recipients. Emails sent with TLS encryption appear just like regular emails in the recipient’s inbox and do not require any additional steps to decrypt. TLS encryption is sufficient for most compliance requirements, including HIPAA, which makes it an excellent choice for many email communications.

Make Encryption Decisions Automatic

TLS is supported by over 80% of email clients, which means it’s appropriate in most situations. But what happens when TLS cannot be supported? For many encryption providers, that means they send the email without any encryption at all. For customers with compliance requirements, this is not an option. By choosing an email encryption provider like LuxSci, you can configure your encryption settings to automatically select a form of encryption that is compatible with the recipient’s email client. For example, if the recipient does not support TLS encryption, the email would be sent to a secure web portal to protect it. Users don’t have to run tests or make the right choice; LuxSci’s tool automatically chooses the right encryption option based on your configuration and the recipient’s settings.

Take Technology Choices out of Employee Hands

Make encryption opt-out instead of opt-in. By encrypting all emails automatically with TLS, employees do not need to decide if an email needs to be secured. As discussed above, TLS provides a user experience just like regular email, so it does not make it more challenging for the recipient to engage with messages. Encrypting all emails as a matter of policy reduces risk and does not slow down workflows.

Administrators can allow users to opt out of encryption if they choose to. This added step requires employees to think carefully about the message contents and ensure they are not sensitive before sending.

Conclusion

Email encryption does not have to be difficult to use. It’s possible to securely exchange information via email without negatively impacting the user experience. To learn more about how LuxSci’s SecureLine email encryption can help you protect sensitive data at scale, contact us today.

HIPAA-Compliant Email Hosting or Outbound Email Encryption?

Tuesday, January 25th, 2022

There are many ways to protect ePHI in email. HIPAA is technology-neutral and doesn’t make specific recommendations for how to protect email communications. This article explains the difference between a HIPAA-compliant email host and an email encryption gateway. These are just two of the options for securing email accounts.

email encryption

Read the rest of this post »