Responsible Party

How Is It My Fault When Their Stuff Breaks?

When you think about keeping the emails that you send safe, you probably think about how to make your end as secure as is reasonably possible. Enabling TLS, making sure your DNS entries are correct and safe, maybe considering SPF, DKIM, and DMARC so the Internet knows your email is real.

You likely don't think about how secure the other end is. The end that receives your email. You setup all the security on your end correctly. Maybe you even use CheckTLS to verify that everything is good.

If you don't think about the other end, you are at risk. But how can that be?

The Receiver Doesn't Know

Think about it for a moment. From the receiver's vantage, they have no idea when someone might send them email, where it might be coming from, and what it may contain. It could be an innocent note from your manager's wife reminding them to pick up milk on the way home. Or it could be the latest financials from your CFO that will rock the stock price when released in two weeks.

If someone reads the first one, they know that your manager's wife drinks milk.

If someone reads the second one, your CFO is going to jail for leaking insider trading information.

There are two important parts to this:

• the receiver doesn't know until after they receive the email if it should have been protected
• the receiver doesn't even know anything about the connection itself, through the Internet, until after it's established

The Sender Does Know

The sender, on the other hand, knows exactly what is in the email. And they know exactly how the email is going to get to the sender.

Consider this scenario: Your rich uncle has a gold bar they want to send to you. He knows that he has to make sure the package is safe from when he hands it to the shipper all the way until it gets into your hands. You, on the other hand, have no thoughts about the gold until you open the package.

Follow that a little farther: You have a note on your apartment door that tells anyone with a delivery to just leave it on the doorstep. Works great for your weekly doordash burger.

Your uncle, on the other hand, will have shipped the package with "signature required" and maybe even "check id". He knows that this package needs special handling.

Email Senders Must Check The Receiver's Security

When sending any information that requires protection, especially information with legal protections like HIPAA, GDPR, CCPA, PCI, etc., you, as the sender, are responsible for it all the way until the receiver has it in their email system.

In practice this means, at a minimum, you must verify that the receiver uses TLS.

And as email security continues to evolve, depending on your size and security requirements, this may also mean that you should be checking if your client's email systems are using other email privacy technologies like DANE and MTA-STS.

CheckTLS can do all the testing and verification that senders (and receivers) should be doing. Our site works hard to make this testing as powerful yet easy to use as possible. As always, we welcome any feedback on our testing and our documentation!