Why is SMTP Strict Transport Security not enough?

Dave Robertson

In the first post in our SMTP Strict Transport Security (STS) standard series, we reviewed the history of TLS, the need to improve its security and how the new, proposed STS standard addresses some of the faults of TLS. But does STS protect every email and every email user?

At the time an employee sends an email, there will be no way to know if all of the recipients can be reached via a secure TLS connection. For most organizations, just reporting that TLS was not available or bouncing the email will not be acceptable. Organizations need to exchange email; otherwise communication and workflow are completely disrupted.

STS also does not address the case where recipients in several different domains are included in the same email, or where the user replies (or replies-all) to the email.

Zix is focused on making email encryption easier for users and, as part of that, supports the responsible use of TLS by letting customers define its use in policies and confirm behavior and results through reporting. We give customers the ability to define when the use of TLS is appropriate based on the content of the email and the domains being sent to. Customers can also define the level of authentication and encryption required for TLS connections by domain. Customers can create policies for mandatory TLS, or can try TLS and fall back to another secure delivery method if TLS is not available. Through our reporting, customers can easily track whether an email was encrypted with our own transparent gateway-to-gateway encryption, encrypted with TLS, or delivered securely through our branded, secure portals.

Zix supports STS because the standard addresses two conspicuous weaknesses of the existing STARTTLS standard:

  1. Man-in-the-middle attacks that downgrade the connection to unencrypted communication, and

  2. Lack of verification of the identity of the receiving domain.
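As an added example (not Zix's code and not part of the STS draft), the following Python sketch puts the two points above together with the earlier observation that one message can go to several domains with different TLS capabilities. It parses an MTA-STS policy in the key/value form the standard took when it was published as RFC 8461, checks a looked-up MX host against the policy's mx patterns (this is the "identity of the receiving domain" check), and then makes one delivery decision per recipient domain under a sender-side policy of either mandatory TLS or TLS with a secure-portal fallback. The function names, the `tls_or_fallback`/`mandatory_tls` policy labels, and all hostnames, policies and observed MX data are constructed assumptions for the example.

```python
# Added example (not Zix code, not from the STS draft): a per-recipient-domain
# delivery planner combining an MTA-STS policy check with a sender-side TLS policy.
# Policy format assumed from RFC 8461. All hosts, policies and observations are constructed.
from dataclasses import dataclass


def parse_sts_policy(text):
    """Parse an MTA-STS policy body ('key: value' lines) into a dict; 'mx' is a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported STS policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid STS policy mode")
    return policy


def mx_matches_policy(mx_host, policy):
    """RFC 8461 mx patterns: an exact hostname, or '*.' matching exactly one leading label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        pattern = pattern.lower().rstrip(".")
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


@dataclass
class DeliveryDecision:
    domain: str
    method: str  # "tls" (SMTP over verified TLS), "portal" (secure fallback) or "refused"
    reason: str


def decide_delivery(domain, observed, sts_policy, sender_policy):
    """observed: what the sending gateway saw for this domain's MX (constructed here).
    sender_policy: 'mandatory_tls' (bounce when TLS is impossible) or
    'tls_or_fallback' (deliver through a secure portal instead)."""
    tls_ok = observed["tls_offered"] and observed["cert_valid"]
    sts_enforced = sts_policy is not None and sts_policy["mode"] == "enforce"
    if sts_enforced and not mx_matches_policy(observed["mx"], sts_policy):
        tls_ok = False  # the policy does not list this MX: no SMTP delivery to it
    if tls_ok:
        return DeliveryDecision(domain, "tls", "delivered over verified TLS")
    if sender_policy == "mandatory_tls":
        return DeliveryDecision(domain, "refused", "TLS unavailable and sender policy is mandatory TLS")
    return DeliveryDecision(domain, "portal", "TLS unavailable; falling back to secure portal")


def plan_message(recipients, observations, sts_policies, sender_policy):
    """One decision per recipient domain, so a single message to several domains can mix methods."""
    plan = {}
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[1].lower()
        if domain not in plan:
            plan[domain] = decide_delivery(domain, observations[domain],
                                           sts_policies.get(domain), sender_policy)
    return plan


# --- constructed sample data ---
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.backup.example.com
max_age: 604800
"""
STS_POLICIES = {
    "example.com": parse_sts_policy(SAMPLE_POLICY),
    "example.org": parse_sts_policy("version: STSv1\nmode: enforce\nmx: mx.example.org\nmax_age: 86400\n"),
}
OBSERVATIONS = {
    "example.com": {"mx": "mx1.example.com", "tls_offered": True, "cert_valid": True},
    "example.net": {"mx": "mail.example.net", "tls_offered": False, "cert_valid": False},
    # MX answer does not match the published STS policy, so STS forbids delivering to it
    "example.org": {"mx": "mx.unexpected.test", "tls_offered": True, "cert_valid": True},
}
RECIPIENTS = ["alice@example.com", "bob@example.net", "carol@example.org"]

if __name__ == "__main__":
    for mode in ("tls_or_fallback", "mandatory_tls"):
        print(f"sender policy = {mode}")
        for d in plan_message(RECIPIENTS, OBSERVATIONS, STS_POLICIES, mode).values():
            print(f"  {d.domain:12} {d.method:8} {d.reason}")
```

Running the block shows the same three-domain message handled three ways: example.com satisfies its enforce-mode policy and goes over TLS, example.net offers no TLS at all, and example.org's MX answer is not one the policy permits, so STS rules it out even though the host did offer TLS. Under the fallback policy the last two are routed to the portal; under mandatory TLS they are refused, which is the bounce behaviour the post says most organizations will not accept.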

As a result, this standard will allow more email to be encrypted as it moves across the Internet. These improvements will be seen most prominently at the individual email recipient level.

Business email customers will also benefit from increased ability to send encrypted emails transparently when this standard is combined with alternative email encryption options, delivery controls and policy management capabilities that Zix Email Encryption provides. For example:

  • Assurance that all emails are always encrypted and delivered with the best method of delivery

  • Protection of the reply paths

  • Enhanced reporting

  • Ability to deliver securely when TLS services are unavailable

  • Ability to set policy for TLS by domains

  • Ability to set delivery method based on email content

  • Ability to securely deliver to TLS and non-TLS domains in the same email

We are excited to see this standard move forward, the improved security it will provide and the added value it will create for Zix customers.

We plan to provide support for the standard as the draft is finalized and keep you up to date on how and when the final standard will impact you, your organization and your recipients.

In the meantime, if you'd like to learn more about our superior TLS support, review our dedicated TLS datasheet. Have more questions? Simply email us at info@zixcorp.com.