Notice Changes in Emails
These are step-by-step instructions to quickly and easily notice a security change in sites you email.
It is very important that you check for TLS on every email address that you send to.
The rule that "confidential information must be protected" makes you, the sender, responsible for the security of every email you send. And your emailer will send in "plain text" if a recipient doesn't do TLS. Don't believe us? Prove it here: .
Our interactive shows TLS Version and lots of other settings for an email address. With these instructions you can report one or more of these settings for hundreds or thousands of email addresses.
It takes a Corporate Subscription to CheckTLS ($25 to try for 30 days) and a few minutes of your time. It is easy, and we offer free, unlimited support so we are sure you will be satisfied.
Overview
These steps will:
- test all your addresses
- select the good ones and save their security level
- monitor them for changes
- handle the other (not good) addresses
- Subscribe to CheckTLS
Test All Your Addresses
All email addresses to the same Domain (the part after the "@" in an email address) have the same security so you only need to list each Domain once. CheckTLS calls a list of email addresses a "Batch" and each unique Domain a "Target".
Batches are controlled by a Batch Input XML file, which can be complicated. Here we use an Excel workbook to make the input much easier. We encourage you to use our example workbook as is for your first time through, then make changes and run it as often as you want.
- Gather a list of email addresses ("Targets") that you use.
- Download this Excel workbook.
- Enter your Targets on the Targets tab of the workbook.
Common sources for your own Targets are your address book, a send log on an email server, an export from your CRM system, etc. Our example uses:
CheckTLS.com |
RefuseTLS.CheckTLS.com |
Invalid.CheckTLS.com |
TLSv1.CheckTLS.com |
- Fill in the Settings tab of the workbook:
BatchID | use "new" to create a batch, then put the batch number here when you want to update it |
Description | description to remind you what the batch is |
RunNow | use "Y" to run the batch right away, "N" to just save it for later |
BatchTest-Attribute | leave this as "TestType="receiver"" |
Delivery-To | put your email address here (where you want the results sent) |
Delivery-Format | leave this as "csv" |
Delivery-OnlyNode | list the "Node" names you want to extract (see below) |
Target-Attribute | leave this as "MXPrefLimit="50%"" |
Use the interactive ("TestReceiver") to see what "Node" names are available. Use one of the XML Output Formats to note the exact XML "Node" name of each setting you want to extract.
Our example extracts the Target, score, and TLS Version (Nodes "eMailAddress", "ConfidenceFactor", and "SSLVersion" respectively).
Here are the Settings from the example Excel workbook:
BatchID | new |
Description | BaseLine First Testing |
RunNow | Y |
BatchTest-Attribute | TestType="receiver" |
Delivery-To | you@yourdomain.com |
Delivery-Format | csv |
Delivery-OnlyNode | eMailAddress |
Delivery-OnlyNode | ConfidenceFactor |
Delivery-OnlyNode | SSLVersion |
Target-Attribute | SMTPTimeOut="30" |
- Save the workbook where you can find it later.
- Send the workbook to CheckTLS.
Browse to . Use the Excel File: choice to navigate to your saved Excel workbook. You can turn on Show XML if you want to see the underlying XML that your workbook creates. It is not necessary and can be confusing.
When you click the Update/Run button, your workbook is uploaded to our servers. It is checked for errors, and if all the Settings are good it creates (or updates) the Batch and optionally runs it:
Test Results:
Batch #1 Created | Batch #1 Queued (Estimated finish: 04-08 07:54)
Your results will be emailed to you in a few minutes. The entire Batch should take about 4 seconds per Target.
You can use the and/or buttons in to monitor your Batch and see your results.
When the Batch finishes your results will look like:
"eMailAddress","ConfidenceFactor","SSLVersion"
"CheckTLS.com","121","TLSv1_3"
"RefuseTLS.CheckTLS.com","0",
"NoDNS.CheckTLS.com","50",
"TLSv1.CheckTLS.com","71","TLSv1"
Select Your Good Addresses and Save Their Security Level
With CheckTLS, you decide what "Good", or "secure enough" means. See There is no Yes or No for more information. We suggest a ConfidenceFactor of 90 or above is "secure enough".
These next steps work with the "Good" addresses that meet your security requirements. Later steps describe what to do with "Bad" addresses.
- Open the Results CSV File in Excel (from email in above test).
- Sort the Results by ConfidenceFactor (Data, Sort, My data has headers, sort by ConfidenceFactor).
- Download this Excel workbook.
- Copy/Paste the "Good" Targets from the Results CSV to the Targets tab of this new workbook.
Our example only has one good Target:
CheckTLS.com |
- Fill in the Settings tab of the new workbook:
BatchID | use "new" to create a batch, then put the batch number here when you want to update it |
Description | description to remind you what the batch is |
RunNow | use "Y" to run the batch right away, "N" to just save it for later |
BatchTest-Attribute | this must be "TestType="setbaseline"" |
Delivery-To | put your email address here (where you want the results sent) |
Delivery-Format | leave this as "csv" |
leave row 7 alone for now (column A is blank) |
Here are the Settings from the example Excel workbook:
BatchID | new | |
Description | BaseLine Good Testing | |
RunNow | Y | |
BatchTest-Attribute | TestType="setbaseline" | |
Delivery-To | you@yourdomain.com | |
Delivery-Format | csv | |
 | Function="count" Test="le" Value="1" | Delivery-Suppress-Attribute |
- Save the workbook where you can find it later.
- Send the workbook to CheckTLS.
Browse to . Use the Excel File: choice to navigate to your saved Excel workbook. You can turn on Show XML if you want to see the underlying XML that your workbook creates. It is not necessary and can be confusing.
When you click the Update/Run button, your workbook is uploaded to our servers. It is checked for errors, and if all the Settings are good it creates (or updates) the Batch and optionally runs it:
Test Results:
Batch #2 Created | Batch #2 Queued (Estimated finish: 04-08 07:54)
Your results will be emailed to you in a few minutes. The entire Batch should take about 4 seconds per Target.
You can use the and/or buttons in to monitor your Batch and see your results.
When the Batch finishes your results will look like:
"Target","SetScore"
"CheckTLS.com","121"
As the result says, running this batch has "set the baseline" score for each of your Good Targets.
Monitor Your Good Addresses for Changes
All the steps above were to get to this point. Here we instruct CheckTLS to notify you when one of your Good Targets fails.
Note you could use BatchEdit to make the below changes directly on CheckTLS, rather than using the Excel workbook.
- Open the saved workbook with your Good Targets.
- Change the Settings tab from saving the BaseLine to checking the BaseLine:
BatchID | you MUST use the same BatchID as the setbaseline batch |
Description | description to remind you what the batch is |
RunNow | use "Y" to run the batch right away, "N" to just save it for later |
BatchTest-Attribute | this must be "TestType="baseline"" (not "setbaseline") |
Delivery-To | put your email address here (where you want the results sent) |
Delivery-Format | leave this as "csv" |
Cut cell C7 and Paste it into A7. Row 7 now tells CheckTLS: do not send the results if all the Targets still match their stored BaseLine.
Here are the Settings from the example Excel workbook:
BatchID | new | |
Description | BaseLine Good Testing | |
RunNow | Y | |
BatchTest-Attribute | TestType="baseline" | |
Delivery-To | you@yourdomain.com | |
Delivery-Format | csv | |
Delivery-Suppress-Attribute | Function="count" Test="le" Value="1" |
- Save your changes to the workbook.
- Send the workbook to CheckTLS.
Browse to . Use the Excel File: choice to navigate to your saved Excel workbook. When you click the Update/Run button, your workbook is uploaded to our servers and run.
Test Results:
Batch #2 Updated | Batch #2 Queued (Estimated finish: 04-08 07:54)
Notice that this says that Batch #2 was "updated", not created. This is important, as a baseline batch has to be the same BatchID as the setbaseline batch.
When the Batch finishes you should get nothing. A nothing result means the Targets you listed are still secure.
If a Target breaks, i.e. their security level changes, you will get this email:
"Target","BaseLineScore","CurrentScore","Match"
"CheckTLS.com","121","75","0"
As that result says, Target "CheckTLS.com" used to score 121 but now only scores 75, which does not Match.
See About BaseLine Testing for more information about the capabilities, features, and settings of BaseLine Testing, like why column A was blank the first time and how it instructs CheckTLS to only send results if something changed.
The About BaseLine Testing documentation also describes how to set a range of "scores" that are acceptable "matches" for a Target's BaseLine. Some Target scores can vary a few points depending on which MX hosts they have in production on any given day.
- Schedule the BaseLine testing to run regularly.
Use BatchEdit to schedule this BaseLine comparison test to run weekly or even daily. Have the Result sent to your network operations center (NOC) or the head of your security practice, as any email sent by this test means you are now sending plain text emails to the listed Target(s). Clearly not desirable and maybe illegal.
Handle the Not Good Addresses
We suggest dividing your Targets into three groups:
- Good: Targets that are secure and that you can use.
- Bad: Targets that are NOT secure and that you should not use.
- Untestable: Targets that cannot be tested.
Use three workbooks to tell CheckTLS to treat the three different groups of Targets differently. They will have three different "tell me if something changed" criteria:
- Good: If an address that you rely on breaks (test frequently)
- Bad: If you can start relying on what was a Bad address (test less frequently)
- Untestable: If an address you could not test becomes Good or Bad (test infrequently)
The above steps created the Good workbook. To create a "Bad" workbook:
- Open the Results CSV from the All Targets batch (the first one above).
- Download this Excel workbook.
- Copy/Paste the no security Targets (score 0 to 49) from Results CSV to Targets tab.
- Copy/Paste the weak security Targets (score 51 to 89) from Results CSV to Targets tab.
- Adjust the Settings tab as you did for the Good setbaseline instructions above.
- Save the workbook.
- Send the workbook to CheckTLS and run it ().
- Use BatchEdit to change the Batch from setbaseline to [check]baseline, or
- Change the workbook to check the BaseLine (rather than "set" the BaseLine):
BatchTest-Attribute | this must be "TestType="baseline"" (not "setbaseline") |
Cut cell C7 and Paste it into A7 (do not send if all Targets still match their BaseLines).
Here are the Settings from the example Excel workbook:
BatchID | 3 |
Description | BaseLine Bad Testing |
RunNow | Y |
BatchTest-Attribute | TestType="baseline" |
Delivery-To | you@yourdomain.com |
Delivery-Format | csv |
Delivery-Suppress-Attribute | Function="count" Test="le" Value="1" |
- Save your changes to the workbook.
- Send the workbook to CheckTLS.
Browse to . Use the Excel File: choice to navigate to your saved Excel workbook. When you click the Update/Run button, your workbook is uploaded to our servers and run.
Test Results:
Batch #3 Updated | Batch #3 Queued (Estimated finish: 04-08 07:54)
Again, when the Batch finishes you should get nothing. A nothing result means the Targets you listed are still not secure.
If a Target becomes secure, i.e. their security level changes, you will get this email:
"Target","BaseLineScore","CurrentScore","Match"
"TLSv1.CheckTLS.com","71","94","0"
As that result says, Target "TLSv1.CheckTLS.com" used to score 71 but now scores 94, which does not Match. That target just switched from TLS v1 to TLS v1.2.
Use the same steps to create an Untestable batch, selecting the Targets from your original test above that scored exactly 50.
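The sort and copy/paste steps above can also be scripted. The following Python is an added example, not part of CheckTLS or of the original page: it splits a results CSV into the Good, Bad and Untestable groups using the score ranges given above, and shows which group a Target moved to when a BaseLine change report arrives. The function names, and the choice to treat a row with no score as Untestable, are assumptions.

```python
import csv
import io

GOOD_MIN = 90      # the page's suggested "secure enough" ConfidenceFactor
UNTESTABLE = 50    # the page treats a score of exactly 50 as untestable

# Constructed samples, copied from the CSV outputs shown on this page.
RESULTS = '''"eMailAddress","ConfidenceFactor","SSLVersion"
"CheckTLS.com","121","TLSv1_3"
"RefuseTLS.CheckTLS.com","0",
"NoDNS.CheckTLS.com","50",
"TLSv1.CheckTLS.com","71","TLSv1"
'''
CHANGES = '''"Target","BaseLineScore","CurrentScore","Match"
"CheckTLS.com","121","75","0"
"TLSv1.CheckTLS.com","71","94","0"
'''

def group_for(score):
    """Map a score to the Good / Bad / Untestable group used on this page."""
    if score >= GOOD_MIN:
        return "good"
    return "untestable" if score == UNTESTABLE else "bad"

def triage(results_csv):
    """Split a results CSV into one Target list per workbook, one entry per Domain."""
    groups = {"good": [], "bad": [], "untestable": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(results_csv)):
        domain = (row.get("eMailAddress") or "").strip().rsplit("@", 1)[-1]
        if not domain or domain.lower() in seen:
            continue
        seen.add(domain.lower())
        try:
            group = group_for(int(row.get("ConfidenceFactor") or ""))
        except ValueError:
            group = "untestable"  # assumption: a row with no score is retested later
        groups[group].append(domain)
    return groups

def group_moves(changes_csv):
    """For each baseline mismatch (Match == "0"), return (target, old, new) groups."""
    moves = []
    for row in csv.DictReader(io.StringIO(changes_csv)):
        if row["Match"] == "0":
            old = group_for(int(row["BaseLineScore"]))
            new = group_for(int(row["CurrentScore"]))
            moves.append((row["Target"], old, new))
    return moves
```

A move from "good" to "bad" is the case to escalate, since mail to that Target may no longer be protected by TLS; a move from "bad" to "good" means the Target can be moved to the Good workbook and given a new BaseLine.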