CheckTLS

The Email Encryption Testing Authority

People take email for granted. It is such a simple thing: a "Sender" writes a message and a "Receiver" reads the message. So simple, but so powerful. Email is indispensable in our modern world: almost everyone uses it almost every day.

Every time someone sends an email, they assume several things about what they write: that it will get there, that it won't be changed, and that no one else will read it.

Every time someone receives an email, they assume several things about what they read: that it was sent by who signed it, that it wasn't changed, and that no one else read it.

In everyday use, neither Sender nor Receiver cares about how all this happens. Until something bad happens.

That is what this website is about: letting you inspect how all this happens. Use this site after something bad happens to see what happened and how to prevent it. Use this site before something bad happens to see how safe you are.

Under the covers, modern email systems have lots of moving parts that work together to protect messages: to make sure messages get from Sender to Receiver unchanged and unread by anyone but the Receiver. This website is a box of tools that lets you look at all the moving parts of standard Internet email, and at all the newer technologies including SPF, DKIM, MTA-STS, DMARC, DNSSEC, DANE, TLS-RPT, and BIMI that make Internet email safer and more secure.

Non-technical users can use CheckTLS to take a quick peek under the hood of their email system (see Receiver Test and Sender Test in the Quick Tests section below) to see how secure it really is.

Technical users can use CheckTLS's wide range of tools to look in depth at every detail of every moving part in an email's journey from Sender to Receiver.

CheckTLS has been testing email for 14 years. We have tested over 200 million addresses in that time. We are part of the security policies and operations of some very large and prestigious financial institutions, health care systems, insurance companies, and law firms. Why? Because we reduce risk with tests that produce correct answers and that document the steps leading to each answer, giving these companies archive-able documentation of their security policies.

EmailSentry™

EmailSentry puts our tests inside Outlook. Every one of your users becomes a part of your email security team, with their desktop Outlook checking the safety of every message they send in real time. EmailSentry is transparent, hidden inside Outlook unless something bad is about to happen, and only then does it stop the email and ask the user what to do about the problem.

It is an inexpensive, easy, and approved answer to HIPAA, GDPR, CCPA, PCI, and other email security compliance requirements.

EmailSentry is a commercial product licensed to companies for their employee use. Send this brochure to your boss, or Sign up for a free trial.

Quick Tests

In almost every case, we do not ask for, we do not need, and we do not want complete email addresses. We usually need only the domain (the part after the @ sign, i.e. the checktls.com part of sales@checktls.com). That's because bill@someplace always has the same security as joe@someplace, so we only need the "someplace".

Check How You Get Email (Receiver Test)

We do not keep or use your address; see our privacy policy.

If the button does not work for you, or for more information about this test, use the menu choice //email/testTo: or see the documentation at TestReceiver.

Check How You Send Email (Sender Test)

Click to send us a message to test. We will email you back the test results.

If the button does not work for you, or for more information about this test, use the menu choice //email/testFrom: or see the documentation at TestSender.

No other site on the Internet will test an actual sent email.

You Must Also Check How THEY Receive Email

If you email anything that should be protected, especially if you are subject to HIPAA, GDPR, PCI, or many others, you are responsible for securing that email until it gets delivered to the other side. So not only do you have to secure how you send and receive email, you have to check how the people you send to secure their email! That could be a lot of testing, but CheckTLS makes it easy with Batch Tests and EmailSentry.

Take Gmail For Example

Major email providers work hard to prevent spam, phishing, and other bad email. Google, for example, in a widely reported change that is not that important to most people, added new requirements for who can send to Gmail users (You Have 5 Days To Comply, Google Says). CheckTLS can help you test if you meet the requirements for Sending to Gmail.

How To Use This Site

The US government (NIST) released Special Publication 800-177 (Revision 1) entitled Trustworthy Email (Nextgov has an easier to read overview here) that prioritizes what sites should work on to secure their email. You can use CheckTLS as you follow those recommendations, or just browse below for some ways to explore our site and learn what CheckTLS can do.

The main features of CheckTLS are Sender and Receiver tests (how you send and receive email), Batch tests (testing lots of client emails at once), Monitoring (constantly watching over your email), modern Security/Authentication/Privacy technologies (SPF, DMARC, MTA-STS, etc.), Regulatory Compliance (HIPAA, GDPR), and API/WebServices (our tests on your computers).

Email security testing with CheckTLS

CheckTLS offers powerful and thorough tools for testing email security, privacy, and encryption. See How to Use CheckTLS for an overview of these tools in order from simple to complex. It is a good starting point for new users of CheckTLS or for non-technical people interested in email security.

And it is a good place to come back to as you become more familiar with email security and CheckTLS.

It is also a good starting point for technical people to quickly find the tools they need to dig deeper into email security.

Understanding Email Security (Privacy and Authentication)

Email security comes down to two things: You want to know that an email went to and came from the right person, and you want to know that no one else saw it or changed it. Email Authentication is what assures that emails go to and come from the right person. Email Privacy is what assures that no one else saw or changed an email. Those two pages are simply written explanations of both concepts, and they are very popular and frequently referenced.

See Internet Email Security Made Simple for a quick overview of some Email Security concepts.

Understand and test Email Authentication Technologies (TLS, SPF, DKIM, MTA-STS, DMARC, DNSSEC, DANE, TLS-RPT, BIMI)

A good introduction to these technologies is in our Email Authentication document.

Many websites explain the Sender Authentication technologies SPF, DKIM, and DMARC and tell you how to set them up and check your settings. Only CheckTLS allows you to actually test them in action.

You can see how to use CheckTLS to test the Receiver Authentication technologies (MTA-STS, DANE) in the MTA-STS section of our How To Use CheckTLS page.

We outline each of these authentication technologies and how to use CheckTLS to test them on our comprehensive On-line Real Time Email Authentication Testing and Verification Using CheckTLS webpage.

Monitor your email security, or monitor security changes for 1 to 100,000 client emails

There are only three things that are certain in life: death, taxes, and email systems breaking. And it only takes one bad break to put your company on the front page in a very bad way.

You can reduce the risk of broken email security by using CheckTLS to keep watch over your and your clients' email. The more secure you make your email (those Authentication Technologies mentioned above), the more parts there are to break. You can use CheckTLS to watch over your email and to watch over others' email.

Test and/or monitor your email "end-to-end" (Send and Receive) all at once

You can string together several CheckTLS tools to do a complete end-to-end test of your own email system. Your system sends us an email, we look it over for any problems on your sending end, then we send a result back, looking for any problems on your receiving end. The End To End section on our How To Use CheckTLS page describes the process.

If you then instruct your email system to periodically do this end-to-end test, and you use CheckTLS Monitoring to keep watch, you will have an automatic send/receive email alerting system.

Compliance with US NIST, HIPAA, HITECH, GDPR, CCPA, PCI DSS, SOX, GLBA, SM1386, SEC 17a-4, NASD3010, FRCP, FINRA, and more

Compliance is defined as "the state of being in accordance with established guidelines or specifications" — which really just means following the rules. Regulatory Compliance means following the rules given to you by laws (e.g. HIPAA, GDPR), by trade agencies (e.g. AICPA), by Corporate Legal Departments, and more. Email Regulatory Compliance means following all the rules, from all entities with some control over your organization, for keeping email secure (see Email Authentication and Email Privacy). Depending on how many "rules" end up applying to your email, fully meeting your Email Regulatory Compliance can be a huge undertaking.

See our Compliance page for an example, using HIPAA, for how you can use CheckTLS to satisfy your compliance requirements.

Test hundreds or thousands of your clients' emails at a time, once or repeatedly

When you send an email, you are responsible for making sure it is secure all the way until it is in the receiver's hands. At first this sounds unreasonable: that it is your problem if the other guy's email doesn't work right. See our Responsible Party document for why this is so.

CheckTLS can help. You can save lists of email addresses on CheckTLS and test them every now and then or set up a schedule to test them regularly. This is how most of our large clients use CheckTLS.

We call a list of email addresses tested at once a "Batch". Batches are stored in XML and the results are usually returned as XML, but an easy way to start testing lists (Batches) is with our Batch Excel feature. Our Step By Step TLS Version instructions walk you through creating a Batch that displays the TLS version used by each of your client email addresses. Links in that document and in the Batch Excel test itself have complete information about the XML interfaces to CheckTLS.

Instead of showing you how secure each of your clients' email addresses is, with a little more work you can have CheckTLS report only changes. Rather than manually reviewing the security of thousands of client email addresses every week, you only have to review the ones that changed since last time. See our Step By Step Change Notice instructions for how to extend Batch Excel to look only for changes. And see BaseLine Batch for complete information about storing BaseLine results and reporting changes against them.

Run our tests inside your own servers or personal computers

Many of our tests are available as webservices, meaning you can use an API to run them. Our API can be used two ways: to put our tests on your website or to use our tests inside your own data processing.

You can make it look like our tests are a part of your own website with our Embed feature. For example, you can put the two forms in the Quick Tests section above on your website, formatted to match your website style, colors, logos, etc. Step-by-step instructions for putting one of our tests on your website are at How to Embed.

Or you can use our tests as part of your data processing programs with our API. For example, your patient results portal could verify that the email address a patient entered is secure enough for you to allow HIPAA protected information to be sent to them.

What is Mandatory TLS, doesn't it fix everything, and can CheckTLS test it?

Many email systems can be told to only send or receive email if TLS, that is "good encryption", is used. Mandating TLS removes any possibility of an email being sent in plain text over the Internet. Recall that plain text email over the Internet is likely illegal and certainly always ill-advised.

But MandatoryTLS is almost never used because of its downside: missed emails. While TLS is widely used, with over 90% of Internet email today using it, organizations are loath to lose that last 10% or so.

When MandatoryTLS is used, it is limited to specific domains; meaning company A will mandate TLS when emailing with company B, but not with anyone else. CheckTLS is the only site we know of that can test MandatoryTLS.

IPv6 security

CheckTLS is fully IPv6 compatible. All our tests can be used with IPv6 addresses and connections.

Specialty Cases

CheckTLS offers a comprehensive set of test options. Sites that need or use specific TLS versions, ciphers, DNS names, non-standard ports, private servers, and other specialty options, will find that our tests have options and settings to work with these specialty cases. See the extra options under the More Options section (6 lines down from the top) in our Receiver Test to see how to test many specialty cases.

Lower Your Support Costs

We have clients that "pass the buck" to CheckTLS when dealing with their customers' email security issues. Rather than use their own helpdesk resources to work with a customer that does not meet the client's email security requirements, our clients direct the customer to CheckTLS.

For example, several large law firms require a new client to "score 90 or above on the CheckTLS Receiver Test at https://www.checktls.com/TestReceiver" in order to onboard. The test shows all the information a client needs to diagnose and fix their email.

Tools and tips we learned along the way

Smaller shops trying to use or fix TLS can find it hard to understand the whole SSL Certificate thing. See SSL Certificates Made Simple for help.

Look for more tips here in the future.

Welcome

If you use CheckTLS at all you should WhiteList our servers so our results can reach you.

CheckTLS is not free. If you test one thing one time for your company, you don't have to pay us -- just keep us in mind. But our logs show that one thing turns into two things turns into ten things. And we see, and encourage, you coming back to check those things again. And again. And again. Then CheckTLS.com provides real value and we think a $25 subscription is reasonable.

While a subscription is more cost effective, we do offer a One Time List Test where we will test a list of addresses for you.

In using our site we ask that you abide by our Acceptable Use Policy.

CheckTLS has a strict Privacy Policy. We will never sell any information you provide to us, nor will we use it for any purpose other than why you gave us the information in the first place.