Certain Domains Must Use TLS (AssureTLS)

Internet email is designed first to "get the mail through" and second to get it through securely. Today, in many organizations, this design is against policy; and in many industries it is against the law.

Modern email systems let you "fix" this by listing domains in a "Require TLS" setting. Two trading partners will configure their email systems to require TLS when talking to each other. This forces all email between the two domains to use encryption.

Note that this is an all-or-none solution. Once set up, all email between the two domains goes securely. If security fails for any reason, all email between the two stops working. See ForceTLS for a better solution.

This adds complexity and a manual process (maintaining the domain lists), so it has more potential for failure. Making sure TLS Required email is working is very important, so CheckTLS.com provides two "Assure TLS" tests.

Test Receiver Assure TLS

Makes sure that the receiver will ONLY accept an email if it is sent securely. It makes sure the receiver will NOT accept an unprotected email.

While email security is mostly the responsibility of the sender, in a high-security and/or privacy situation the receiver too has a responsibility to make sure the sender meets security requirements. RFC 3207, the Internet standard for TLS email, states "A publicly-referenced SMTP server MUST NOT require use of [TLS] in order to deliver mail locally." This implies that security-conscious organizations have a normal email receiver for normal email (e.g. sales@bigco.com) and a "TLS only" receiver for secure email (e.g. patient-records@secure.bigco.com).

TestReceiverAssureTLS does the same testing as TestReceiver, but it does not accept the receiver's invitation to use TLS. Instead, it tries to trick the receiver into accepting the email insecurely. TestReceiverAssureTLS is looking for the email transfer to fail, meaning the receiver will not receive email without protection. If the receiver accepts the email, the test fails; if the receiver rejects the email, the test succeeds.

Note: this test is only useful for sites that have set up "Require TLS" to receive email from one or more domains. You should add "AssureTLS.CheckTLS.com" to your list of "Require TLS" domains before running the test.
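The receiver-side check described above can be sketched for use against your own "TLS only" receiver. This is an added example, not CheckTLS.com's code: the function name, the FakeReceiver stand-in and its canned replies are constructed for illustration, and only standard smtplib calls are used.

```python
import smtplib

def receiver_refuses_plaintext(host, sender, recipient, port=25,
                               smtp_factory=smtplib.SMTP):
    """Offer mail to `host` without ever issuing STARTTLS.

    Returns (passed, stage, code); passed is True when the receiver
    refused the plaintext transfer. RFC 3207 specifies reply 530 for a
    server that insists on STARTTLS first; any other refusal code (for
    example greylisting or an unknown recipient) needs a manual look.
    """
    smtp = smtp_factory(host, port, timeout=30)
    try:
        smtp.ehlo()
        # Deliberately ignore any STARTTLS offer and continue in the clear.
        steps = (
            ("MAIL FROM", lambda: smtp.mail(sender)),
            ("RCPT TO", lambda: smtp.rcpt(recipient)),
            ("DATA", lambda: smtp.docmd("DATA")),
        )
        for stage, send in steps:
            code, _ = send()
            if code >= 400:
                return True, stage, code
        # 354 after DATA: the receiver would take the body unencrypted.
        return False, "DATA", code
    finally:
        smtp.close()  # drop the connection; no message body is ever sent


class FakeReceiver:
    """Constructed stand-in for a live server so the example runs offline."""
    def __init__(self, replies):
        self.replies = replies
    def __call__(self, host, port, timeout=30):
        return self
    def ehlo(self):
        return 250, b"ok"
    def mail(self, sender):
        return self.replies["MAIL FROM"]
    def rcpt(self, recipient):
        return self.replies["RCPT TO"]
    def docmd(self, cmd):
        return self.replies[cmd]
    def close(self):
        pass

STRICT = FakeReceiver({"MAIL FROM": (530, b"Must issue a STARTTLS command first")})
LAX = FakeReceiver({"MAIL FROM": (250, b"ok"), "RCPT TO": (250, b"ok"),
                    "DATA": (354, b"go ahead")})
```

Against a live receiver, leave smtp_factory at its default and pass the MX host you administer; a result of (False, "DATA", 354) means the "Require TLS" setting is not being enforced for that sender.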

Test Sender Assure TLS

Makes sure that the sender will ONLY send an email if it can be sent securely. It makes sure the sender will NOT send an unprotected email. RFC 3207, the Internet standard for TLS email, says the sender "must decide whether or not" to send email if the receiver will not do TLS. In high-security and/or privacy situations there is no decision: the sender can never send insecure email.

TestSenderAssureTLS does the same testing as TestSender, but it does not offer, nor does it accept, TLS. Instead, it tries to trick the sender into sending the email insecurely. TestSenderAssureTLS is looking for the email transfer to fail, meaning the sender will not send email without protection. If the sender does send the email, the test fails; if the sender refuses to send the email, the test succeeds.

Using TestSenderAssureTLS is similar to TestSender, except the address you send to is test@TestSenderAssureTLS.CheckTLS.com. A successful test takes about 30 minutes because the email has to be processed twice. The first time, the test tries to trick the sender into sending the mail insecurely. A correctly configured sender will eventually give up without sending the mail, but will then re-try the same email about 30 minutes later. On the second try, TestSenderAssureTLS will accept the email using TLS so that it can reply and report back that the first test worked.

Note: this test is only useful for sites that have set up "Require TLS" to send mail to one or more domains. You should add "AssureTLS.CheckTLS.com" to your list of "Require TLS" domains before running the test. You should also add the CheckTLS.com domain to your regular list of allowed domains so the returned report is not inadvertently marked as spam. See Basic Sender Test for how to use this test and the test code provided.