In the article Enforced TLS Encryption for Secure Email, we described what TLS encryption is, its importance in safeguarding email messages, and how to configure Microsoft 365 Exchange Online to employ it. But how do you verify that TLS is being used and, more importantly, if enforced TLS is required, how do you ensure an email server honors that? In this article, we'll go over a few ways you can verify whether your emails are sent securely, using free online tools or manual inspection.
Test TLS Using CheckTLS.com
A popular online tool to verify secure email is www.checktls.com. Their free service provides you with the ability to:
- test if a recipient email server supports TLS and enforced TLS
- test if your email server is sending messages using TLS, and if it can do so when TLS is enforced
Test TLS Using Microsoft 365 Exchange Online Validation Tool
If you subscribe to Microsoft 365 and you have enforced (required) TLS Exchange connectors set up for your business partners and vendors, you can use the built-in validation tool to make sure they work as expected. Follow the steps below to validate an existing connector.
- Log in to Microsoft 365 as an administrator.
- Click on the waffle icon on the top-left and select Admin to go to the Admin Center.
- On the left sidebar, expand Admin Centers and select Exchange to go to the Exchange Admin Center.
- Click on Mail Flow on the left sidebar, then click on the Connectors tab. This will show a list of connectors you have in your specific organization.
- Highlight the connector you want to test. The connector will need to be FROM your organization TO your third-party domain or IP.
- On the right pane, click on the Validate this connector link, as highlighted below.
- In the dialog box that appears, select (or add) an email address in the recipient's domain, then click Validate. This step will send a test email to the recipient using the specific configuration defined in your mail flow connector. It typically takes a minute and displays a progress indicator, as depicted below.
The recipient will receive a test email from Microsoft 365. There is no action the recipient needs to take in the validation process. This test email will look similar to the one illustrated below.
If the connection validates successfully, you will see a message similar to the one shown below with a status of "Succeeded".
Click Finish to close the dialog box.
What if the Validation Fails?
If your Microsoft 365 connector validation fails, there are a few things to look at to troubleshoot:
Verify your connector settings - Particularly if this is a newly created connector, you want to review the configuration settings to make sure they are defined correctly. If this is a connector that has existed for some time, then the issue may not be with your connector but with your business partner. But for good measure, you'll want to verify your configuration settings anyway.
Verify the test email is valid - Make sure the test email address you are using is still valid. Perhaps the email address no longer exists. You'll want to reach out to your business partner to have them provide you with a valid working email address that you can use in the validation.
Verify partner's email server - Get in contact with your business partner to have them review their email server configuration. Perhaps there was a system upgrade or a configuration change that affected the use of TLS encryption between your two organizations.
Analyzing the Message Header
If you have an email message and need to determine whether it was sent securely, you can analyze the email message header. The message header contains a variety of information, including whether encryption was used. We have a dedicated article on how to check if your email was encrypted with TLS.
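
The header check described above can be scripted. The following is an added example, not part of the original article: it reads each Received header and reports the TLS version and cipher recorded for that hop. The sample message, hostnames and function names are constructed for illustration, and the patterns assume the common Exchange Online and Postfix header styles.

```python
import re
from email import message_from_string

# Constructed sample (not from a real mailbox); hosts and IPs use reserved example ranges.
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [203.0.113.7])
 by inbound.contoso.example with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.0.1;
 Mon, 1 Jan 2024 10:00:02 +0000
Received: from app01.partner.example (app01.partner.example [198.51.100.4])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 by mx.partner.example (Postfix) with ESMTPS id 4ABC123;
 Mon, 1 Jan 2024 10:00:01 +0000
Received: from legacy.partner.example (legacy.partner.example [198.51.100.9])
 by app01.partner.example with SMTP id 77XYZ;
 Mon, 1 Jan 2024 10:00:00 +0000
From: sender@partner.example
To: user@contoso.example
Subject: constructed test

body
"""

VERSION = re.compile(r"version=(TLS[\w.]+)|using (TLSv[\d.]+)", re.I)
CIPHER = re.compile(r"cipher[= ]([A-Z0-9_-]+)", re.I)
PROTO = re.compile(r"\bwith\s+((?:E?SMTP|LMTP)S?A?)\b")
BY = re.compile(r"\bby\s+(\S+)")
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 "with" keywords

def tls_hops(raw_message):
    """Return one dict per Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        line = " ".join(value.split())  # unfold the multi-line header
        ver, cip = VERSION.search(line), CIPHER.search(line)
        proto, by = PROTO.search(line), BY.search(line)
        version = (ver.group(1) or ver.group(2)) if ver else None
        hops.append({
            "by": by.group(1) if by else None,
            "version": version,
            "cipher": cip.group(1) if cip else None,
            "tls": bool(version) or bool(proto and proto.group(1) in TLS_PROTOCOLS),
        })
    return hops

def hops_without_tls(raw_message):
    """Receiving hosts whose Received header shows no evidence of TLS."""
    return [h["by"] for h in tls_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in tls_hops(SAMPLE):
        print(hop)
```

Treat only the Received lines stamped by servers you control as reliable, since earlier hops can write anything into the header. A hop listed by `hops_without_tls` shows no evidence of TLS in its header, which is a reason to check that server's logs rather than proof of a plaintext transfer.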