smtp Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘smtp’

How Can You Tell if an Email Was Transmitted Using TLS Encryption?

Tuesday, October 29th, 2019

Frequently, we are asked to verify if an email that someone sent or received was encrypted using SMTP TLS while being transmitted over the internet.  For example, banks, health care organizations under HIPAA, and other security-aware institutions have a requirement that email be secured at least by TLS encryption from sender to recipient.

Email should always be transmitted with this basic level of email encryption to ensure that the email message content cannot be eavesdropped upon.  This check, to see if a message was sent securely, is fairly easy to do by looking at the raw headers of the email message in question.  However, it requires some knowledge and experience.  It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely transmitted.

To see how to analyze a message for its transmission security, we will look at an example email message sent from Hotmail to LuxSci, and see that Hotmail did not use TLS when sending this message.  Hotmail is not a good provider to use when security or privacy are required.


Stronger Email Security with SMTP MTA STS: Strict Transport Security

Wednesday, July 25th, 2018

Email transmission between servers has historically been extremely insecure.   A new draft internet standard called “SMTP Strict Transport Security” or “SMTP MTA STS” is aiming to help all email providers upgrade to a much more secure system for server-to-server mail transmission.    This article lays out where we are currently in terms of email transmission security and how SMTP MTA STS will help.

Email servers (a.k.a. Mail Transmission Agents or “MTAs”) talk to each other using the Simple Mail Transmission Protocol (SMTP). This protocol, developed in 1982, originally lacked any hint of security. As a result, a lot of the email shooting around the internet is still transmitted in plain text.  It’s easily eavesdropped on, easily modified, untrusted and not private.

SMTP MTA STS

Back in 2002, an extension to SMTP called “STARTTLS” was standardized.  This extension permitted servers to “upgrade” SMTP communications from plain text to an encrypted TLS-secured channel, when both servers supported compatible levels of TLS.  This process is known as SMTP TLS. In principle, this security addition was really great.  The “TLS” used is the same encryption method used by your web browsers to talk to secure web sites (e.g., banks, Amazon, your email provider, etc.).  Your web browsers do a relatively good job of making sure that connections to these secure sites are safe.  I.e., they seek to ensure that there is encryption, that the encryption is sufficiently strong, and that there is no one actively eavesdropping on your connections.


Warming Up Your IP Addresses Automatically

Thursday, June 21st, 2018

When sending email messages, there are many best practices for ensuring optimal deliverability, i.e., for getting your messages into your recipients’ Inboxes and for staying off black lists.  One very important factor in deliverability is “IP reputation.”

Good reputation: If your server is known to send lots of good quality email (email that people do not consider spam-like), then your server’s address (its “IP Address”) is looked on favorably by ISPs (such as Yahoo!, Google, Microsoft, etc.) and you can send large quantities of good email and have it all delivered.  Your server has a good reputation and your server’s IP address is “warm” (think warmed up and humming along).


Bad reputation: If your server is a known source of junk or malicious email (according to the recipients of the email; it doesn’t matter what you think about the email quality), then you will have a hard time getting your email delivered and many ISPs will throttle your email, accepting only a few messages at a time.  Your server has a poor reputation and work will need to be done to repair it.

No reputation: If you just got a new server, it may not have been sending any email for a while.  Or you may have a server that has been idle for a long time (e.g., months).  In either case, your server’s address may have “no reputation.”  ISPs are very skeptical about email from servers with no reputation or recent history of good email sending.  A typical sign of a spammer is when a server with little or no reputation suddenly starts sending large quantities of email.  ISPs will detect this and they tend to quickly throttle or block such servers, moving them from “no reputation” towards “bad reputation”.


High Volume Transactional Email: Balancing Utility and Marketing

Friday, May 18th, 2018

Your eCommerce customer, Paul, has ordered a special mattress for his bed. He’s put the item into the cart, and paid for it. Now you send a confirmation of purchase email.  But, instead of just a note stating that “we’ve received your payment, and your item has been posted for shipment…” or whatever boilerplate many companies send, you include that message and add photos of three sheets-and-pillowcases products that fit the mattress you just sold him. Paul has his own sheets, but has been thinking about replacing them – now your confirmation email makes him decide to buy them.

All eCommerce companies have to send transactional email, a type of email sent to facilitate an agreed-upon transaction between the sender and the recipient. Common transactional email use cases include doctor appointment reminders, account creation emails, password resets, purchase receipts, account notifications, medical lab results, and social media updates like friend and follower notifications.

What makes transactional emails different from ordinary marketing emails is that they are sent as part of doing actual business with people – not just chatting with, marketing to, or selling to a customer. In this respect, they are also different from so-called “triggered” emails which may be generated by a number of customer actions – not just transactions.

Transactional emails are effective for marketing

Transactional emails are opened eight times more than traditional marketing messages, according to a study by EPSILON.  So it only makes sense to adapt your transactional email for marketing, to take advantage of this unparalleled opportunity to reach your customer with a personalized offer.


TLS Exclusive: HIPAA-compliant email marketing just got a whole lot better

Thursday, May 10th, 2018

If you are a healthcare organization and have to abide by HIPAA regulations, you may be struggling with HIPAA-compliant email marketing.  Besides getting patient consent, there is the whole concern that the marketing email messages need to be secured, as in many cases the marketing messages plus the addresses or list being used imply something about the recipients … something ePHI-related.

SMTP TLS Exclusive

It is a best practice to use a HIPAA-compliant email marketing service to send healthcare-related email marketing messages, newsletters, appointment reminder emails, etc.  Such a service signs the required HIPAA Business Associate Agreement with you, takes care of your data, and ensures that your email messages go securely to your recipients.
