SMTP TLS encryption is popular because it provides adequate data protection without creating a complicated user experience for email recipients. Sometimes, though, the experience is too seamless, and recipients may wonder if the message was protected at all.
Luckily, there is a way to tell if an email was encrypted using TLS. To see if a message was sent securely, we can look at the raw headers of the email. However, it requires some knowledge and experience to understand the text. It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely transmitted.
To analyze a message for transmission security, we will look at an example email message sent from Hotmail to LuxSci. We will explain what to look for when decoding the message headers and how to tell if the email was transmitted using TLS encryption.
An Example Email Message
First, we must understand how an email message typically travels through several machines on its way from the sender to the recipient. Roughly speaking:
- The sender’s computer talks to the sender’s email or WebMail server to upload the message.
- The sender’s email or WebMail server then talks to the recipient’s inbound email server and transmits the message to them.
- Finally, the recipient downloads the message from their email server.
It is step 2 that people are most concerned about when trying to understand if their email message is transmitted securely. They usually assume or check that everything is secure and OK at the two ends. Indeed, most users who need to can take steps to ensure that they are using SSL-enabled WebMail or POP/IMAP/SMTP/Exchange services so that steps 1 and 3 are secure. The intermediate step, where the email is transmitted between two different providers, is where messages may be sent insecurely.
To determine if the message was transmitted securely between the sender’s and recipient’s servers (over TLS), we need to extract the “Received” header lines from the received email message. If you look at the source of the email message, the lines at the top start with “Received.” Let’s look at an example message from a Hotmail user below. The email addresses, IPs, and other information are obviously fake.
LuxSci:
The Outlook email was sent to a LuxSci user. The Received headers appear in reverse chronological order, starting with the server that touched the message last. Therefore, in this example, we see the LuxSci servers first.
Received: from abc.luxsci.com ([1.1.1.1])
by def.luxsci.com (8.14.4/8.13.8) with ESMTP id r7JEfLgH003867
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
for <user-xyz@def.luxsci.com>; Mon, 19 Aug 2019 10:41:21 -0400
Received: from abc.luxsci.com (localhost.localdomain [127.0.0.1])
by abc.luxsci.com (8.14.4/8.13.8) with ESMTP id r7JEfK0Z030182
for <user-xyz@def.luxsci.com>; Mon, 19 Aug 2019 09:41:20 -0500
Received: (from mail@localhost)
by abc.luxsci.com (8.14.4/8.13.8/Submit) id r7JEfKXD030178
for user-xyz@def.luxsci.com; Mon, 19 Aug 2019 09:41:20 -0500
Received: from dispatch1-us1.ppe-hosted.com (dispatch1-us1.ppe-hosted.com [2.2.2.2])
by abc.luxsci.com (8.14.4/8.13.8) with ESMTP id r7JEfIkK030002
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
for <someone@luxsci.net>; Mon, 19 Aug 2019 09:41:19 -0500
Proofpoint:
LuxSci uses an email filtering service, Proofpoint. Messages reach Proofpoint’s servers before being delivered to LuxSci. Here’s what their servers report about the email transmission:
Received: from unknown [65.54.190.216] (EHLO bay0-omc4-s14.bay0.hotmail.com)
by dispatch1-us1.ppe-hosted.com.ppe-hosted.com
(envelope-from <someone@hotmail.com>);
Mon, 19 Aug 2019 08:41:18 -0600 (MDT)
Outlook:
And finally, here’s what we see from Oultook’s server.
Received: from BAY403-EAS373 ([65.54.190.199]) by bay0-omc4-s14.bay0.outlook.com
with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 19 Aug 2019 07:41:19 -0700
How to Use Received Message Headers to Tell if the Email is Encrypted
The message headers contain information that can help us determine if an email is encrypted. Here are a few helpful notes to help you decode the text:
- We said this above, but the message headers appear in reverse chronological order. The first one listed shows the last server that touched the message; the last one is the first server that touched it (typically the sending server).
- Each Received line documents what a server did and when.
- There are three sets of servers involved in this example: one machine at Hotmail, one machine at Proofpoint, where our Premium Email Filtering takes place, and some machines at LuxSci, where final acceptance of the message and subsequent delivery happened.
Presumably, the processing of email within each provider is secure. The place to be concerned about is the hand-offs between Hotmail and Proofpoint and between Proofpoint and LuxSci, as these are the big hops across the internet between providers.
In the line where LuxSci accepts the message from Proofpoint, we see:
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
This section, typical of most email servers running “sendmail” with TLS support, indicates that the message was encrypted during transport with TLS using 256-bit AES encryption. (“Verify=not” means that LuxSci did not ask Proofpoint for a second SSL client certificate to verify itself, as that is not usually needed or required for SMTP TLS to work correctly). Also, “TLSv1/SSLv3” is a tag that means that “Some version of SSL or TLS was used;” it does not mean that it was SSL v3 or TLS v1.0. It could have been TLS v1.2 or TLS v1.3.
So, the hop between Proofpoint and LuxSci was locked down and secure. What about the hop between Hotmail and Proofpoint? The Proofpoint server’s Received line makes no note of security at all! This means that the email message was probably not encrypted during this step.
Hotmail either did not support opportunistic TLS encryption for outbound emails, or Proofpoint did not support receipt of messages over TLS, and thus, TLS could not be used. With additional context, you can know which server supports TLS and which does not.
In this case, we know that Proofpoint supports inbound TLS encryption. In fact, from another example message where LuxSci sent a message to Proofpoint, we see the Received line:
Received: from unknown [44.44.44.44] (EHLO wgh.luxsci.com)
by dispatch1-us1.ppe-hosted.com.ppe-hosted.com
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
with ESMTP id b-022.p01c11m003.ppe-hosted.com
(envelope-from <from@domain.com>);
Mon, 02 Feb 2009 19:28:27 -0700 (MST)
The red text makes it clear that the message was indeed encrypted. Based on the additional context, we can deduce that the Hotmail sending server did not securely transmit the email using TLS.
How To Tell if an Email is Encrypted With TLS
- When analyzing your message headers, consider the following items to determine if the email is encrypted:
- The receiving server will log what kind of encryption, if any, was used in receiving the message in the headers.
- Different email servers use different formats and syntax to display the encryption used. Look for keywords like “SSL,” “TLS,” and “Encryption,” which will signify this information.
- Not all servers will record the use of encryption. While LuxSci has always logged encryption use, not every email service provider does. It is possible to use TLS encryption and not log it. Sometimes, there is no way to tell from the headers if a message is encrypted if it is not logged.
- Messages passed between servers at the same provider do not necessarily need TLS encryption to be secure. For example, LuxSci has back-channel private network connections between many servers so that information can be securely passed between them without SMTP TLS. So, the lack of TLS usage between two servers does not mean the transmission between them was “insecure.” You may also see multiple received lines listing the same server: the server passes the message between different processes within itself. This communication also does not need to be TLS encrypted.
- If you are a LuxSci customer, you can view online email delivery reports to see if TLS was used for any particular message. We record the kind of encryption in the delivery reports, so it’s easy to see which emails were encrypted.
How can you Ensure Emails Are Securely Transmitted?
With some servers not recording TLS in message headers, how can you determine if a message was transmitted securely from sender to recipient?
To answer this question accurately, you must understand the properties, servers, and networks involved. It may be easy to determine that the message was transmitted securely if included in the header information. However, the absence of information does not necessarily mean the message was insecurely transmitted. You can only know this if you know what each system’s servers record.
In our example of a message from Hotmail to LuxSci, you need to know that:
- Proofpoint and LuxSci will always log the use of TLS in the headers. We can infer that the Hotmail to Proofpoint transmission was not secure as nothing was recorded there.
- The transmission of messages within LuxSci’s infrastructure is secure due to private back channel transmissions. So, even though there is no mention of TLS in every Received line after LuxSci accepts the message from Proofpoint (in this example), transferring the messages between servers in LuxSci is as secure as using TLS. Also, the same server can add multiple received lines as it talks to itself. Generally, these hand-offs on the same server will not use TLS, as there is no need. In the LuxSci example, we see this as “abc.luxsci.com” adds several headers.
- We don’t know anything about Hotmail’s email servers, so we don’t know how secure the initial transmissions within their network are. However, since we know they did not securely transmit the message to Proofpoint, we are not confident that the transmissions and processing within Hotmail (which may have gone unrecorded) were secure.
Was the email message sent and received using encryption?
We skipped steps 1 and 3 and focused on step 2 – the transmission between servers. Steps 1 and 3 are equally, if not more, necessary. Why? Because eavesdropping on the internet between ISPs is less of a problem than eavesdropping near the sender and recipient (i.e., in their workplace or local wireless hotspot). So, it’s essential to ensure messages are sent securely and received securely. This means:
- Sending: Use SMTP over SSL or TLS when sending messages from an email client or use WebMail over a secure connection (HTTPS).
- Receiving: Ensure your POP or IMAP connection is secured via SSL or TLS. If using WebMail to read your email, be sure it is over a secure connection (HTTPS).
- WebMail: There is generally no record in the email headers to indicate if a message sent using WebMail was transmitted from the end-user to WebMail over a secure connection (SSL/HTTPS).
You can typically control one side and ensure it is secure; you can’t control the other without taking extra steps. So, what can you do to ensure your message is secure even if it might not be transmitted with encryption or if the recipient tries to access it insecurely?
You could use end-to-end email encryption (like PGP or S/MIME, which are included in SecureLine) or a secure web portal that doesn’t require the recipient to install or set up anything to get your secure email message. These methods meet HIPAA and other regulatory compliance requirements for secure data transmission and provide complete confidence that the message will be sent and received securely.
LuxSci’s SecureLine offers flexible encryption options, including TLS, secure web portal, PGP, and S/MIME. Its dynamic capabilities can determine what types of encryption the recipient’s server supports to ensure your emails are always sent securely. Contact our team today to learn more about how to secure your emails.
