Check for TLS Email Encryption

By on Feb 7, 2013

Protecting private client information should be a top priority for any insurance organization. The consequences of a data breach can be significant. Using unencrypted email to send private client information to insurance company underwriters continues to be a vulnerability.

An easy first step to plug this vulnerability is to implement TLS (Transport Layer Security) wherever it is available.

TLS encrypts the connection between two email servers when both have TLS enabled. Once that is in place, users on both sides can send email to each other without taking any extra step to encrypt the message or its attachments.

Passwords are not required to open a given email message or attachments. This greatly simplifies the process for protecting confidential information, because no extra steps are required by the sender or receiver.

But, how do you determine which organizations have TLS enabled on their email servers? Fortunately, there are a couple of options available.

The first option is to look on the ACT (Agents Council for Technology) website where they have listed insurance companies that have enabled TLS encryption on their email servers.

But, this site only lists carriers that have provided this information to ACT.

The second option is to use a TLS testing service such as CheckTLS.com. The site offers several tests you can use to determine which of the people you send email to have TLS enabled on their email servers.

The Basic Receiver Test lets you test an individual email address and returns a report on the TLS encryption available for that address.

[Screenshot: TLS Test Results Screen]

As you can see, the summary information is very nice. My certificate could not be verified because my Outlook Exchange server is hosted. However, this report does confirm that emails sent to me will go by TLS as long as the sending email server is also TLS-enabled.

If you are interested, there is a fair amount of technical information following the summary.

The Basic Sender Test allows you to check your own email server to determine if you can send secured email. You simply send an email to CheckTLS with a passcode and they will send a return email with the TLS information.

[Screenshot: TLS test sender email]

[Screenshot: CheckTLS TestSender test results]

The above services are free. There are additional paid subscription levels:

  • Individual: Free
  • Professional: $10 per month or $100 per year
  • Corporate: $25 per month or $250 per year

An agency told me they signed up for the corporate version so they can set up recurring batch testing of email addresses to determine which are secure and which are not. They also will include documentation in their Information Security Plan on how to use this website to determine if an employee can send secured information by email.

This same agency also exported a list of insurance and brokerage email addresses from their agency management system database and did a batch test of 1,660 email addresses to determine how many were hosted on TLS-enabled email servers. After culling out the bad email addresses, only 70 of those email addresses were on email servers that did NOT have TLS enabled.

So, almost 96% of their insurance company/brokerage partner relationships use email servers that have TLS enabled on them.
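The Basic Receiver Test and the agency's batch test above both come down to the same check: does the domain's receiving mail server advertise STARTTLS, and does its certificate verify? The script below is an added example (not code from the original post or from CheckTLS) that does that check with Python's standard library: it culls malformed addresses from a list, collapses the rest to unique domains, parses an EHLO reply for the STARTTLS keyword, and, when run live, attempts STARTTLS with full certificate verification so that a server with an unverifiable certificate is reported as "TLS yes, certificate not verified", the same outcome the author's own report showed. The hostnames, addresses and EHLO text in it are constructed sample data; the MX hostname passed to the live probe is a placeholder you would replace with the domain's real MX record.

```python
"""Check which mail domains support STARTTLS (added example, standard library only)."""
import re
import smtplib
import ssl

# Loose address syntax: local part, "@", then a dotted domain with a TLD.
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

# Constructed sample EHLO replies, as they appear on the wire (RFC 5321 format).
EHLO_WITH_STARTTLS = (
    "250-mail.carrier.example Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.broker.example Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(response):
    """Return the SMTP extension keywords from a raw EHLO reply.

    The first line is the greeting ("250-host Hello ..."); each later line is
    "250-KEYWORD [params]", with a space instead of "-" on the final line.
    """
    exts = set()
    for line in response.strip().splitlines()[1:]:
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def advertises_starttls(response):
    """True if the EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(response)


def domain_of(address):
    """Lower-cased domain of a well-formed address, or None if malformed."""
    m = EMAIL_RE.match(address.strip())
    return m.group(1).lower() if m else None


def batch_domains(addresses):
    """Cull bad addresses (as the agency did) and return (unique domains, rejects)."""
    good, bad = set(), []
    for addr in addresses:
        dom = domain_of(addr)
        if dom:
            good.add(dom)
        else:
            bad.append(addr)
    return sorted(good), bad


def probe_mx(mx_host, timeout=10.0):
    """Live check (needs network): EHLO on port 25, then STARTTLS with verification.

    Returns a dict: starttls = server advertised it; verified = the handshake
    succeeded against a default context, which checks the chain and hostname.
    A self-signed or mismatched certificate yields starttls=True, verified=False.
    """
    result = {"host": mx_host, "starttls": False, "verified": False, "error": None}
    ctx = ssl.create_default_context()  # enforces certificate verification
    try:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return result
            result["starttls"] = True
            smtp.starttls(context=ctx)  # raises SSLCertVerificationError on a bad cert
            result["verified"] = True
            smtp.ehlo()  # capabilities must be re-read after the upgrade
    except ssl.SSLCertVerificationError as exc:  # subclass of OSError: catch first
        result["error"] = "certificate not verified: %s" % exc
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    return result


def summarize(results):
    """Tally probe results the way the agency's batch report did."""
    total = len(results)
    with_tls = sum(1 for r in results if r["starttls"])
    verified = sum(1 for r in results if r["verified"])
    return {"total": total, "starttls": with_tls, "verified": verified,
            "no_tls": total - with_tls}


if __name__ == "__main__":
    domains, rejects = batch_domains(
        ["underwriter@carrier.example", "Claims@Carrier.Example",
         "broken@", "desk@broker.example"])
    print("domains to test:", domains, "rejected:", rejects)
    print("sample EHLO advertises STARTTLS:", advertises_starttls(EHLO_WITH_STARTTLS))
    # Live run (placeholder host; substitute the domain's real MX hostname):
    # print(probe_mx("mx.carrier.example"))
```

The offline pieces (address culling, EHLO parsing, the tally) run as-is; `probe_mx` is the only function that touches the network. Using `ssl.create_default_context()` is deliberate: most receiving servers will still complete STARTTLS with a self-signed certificate, so it is the verification step, not the STARTTLS keyword, that separates "encrypted in transit" from "encrypted and talking to the server the domain actually intended".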

TLS is a simple and easy way for any insurance organization to properly secure the information that flows between them and their insurance company partners.

Is your mail server TLS-enabled? Are you using a service like CheckTLS? Let me know.

3 Comments

  1. Steve:

    As you know, we have been using TLS for a few years.

    Since our email server is in house, we can view our server logs to see who is using TLS but thanks for the websites, appreciate it.

    Leslie Simmons

    • Leslie, that’s a great reminder. It might be a good idea to make a list of the organizations that do utilize TLS to make sure those emails are sent securely.

  2. TLS will not work with self-signed certificates. Email servers on the Internet will not accept TLS connections unless the certificate can be fully verified. Otherwise, anyone could simply spoof your domain with a self-signed certificate.
