While it’s still the global standard for electronic messaging, a lot of people have misconceptions about email. Some say that it’s inherently insecure, but in reality, there’s nothing inherent about email at all. It’s a completely open standard that is continuously evolving and growing, just like the world wide web, roads, human language, and all life on Earth. When it comes to the World Wide Web, usually the web browsers push the standards forward. Most web browsers will practically block websites that don’t implement transport layer security these days. Email providers generally aren’t as well organized when it comes to keeping up to date on the latest standards and security capabilities. So, we the people, may have to remind them sometimes by complaining to tech support or switching to better services.
It’s pretty easy to check up on your email service and see if they’re doing their job of keeping up to date or if their IT team really hasn’t done anything in 15 years and is just comfortably collecting your subscription fees. Here are a few tips to see if your email service or your self-made email server are doing things right.
It’s great that we CAN audit email servers
First of all, I’d like to point out that even though some email servers out there are really poorly configured and outdated, the fact that we are actually capable of calling them out is a huge advantage. If everyone were using centralized messaging services like Whatsapp, iMessage, Google RCS, Telegram, Signal, etc. we would have no way of verifying that those systems are doing what they’re supposed to be doing. The fact that we can see how email works is a huge win for democratic, private, and secure communications. See: How to tell if it’s trustworthy.
Internet.nl Test
If you put your email account’s domain name into the Internet.nl test, it will test several protocols and connection systems to see how your server responds and which aspects it supports. This test gets updated periodically as well as new “best practices”, protocols, security mitigations, and encryption ciphers become available.
For example, I was able to get some of my servers to a 100% score on the test a few months ago, but then new encryption ciphers became available, the test was updated, and my score dropped to 97%. That means I have more work to do now.
Besides giving you a score, that test also outlines every little thing that it tests and provides some description about why it might be bad if your server doesn’t support certain things. For example, if your server still uses very old versions of the transport layer security (TLS) standard, it is probably vulnerable to attacks. The test also looks at other attack mitigation protocols like DANE which can prevent certain “man in the middle” attacks.
If you’re using Gmail and think that it’s a great email service, you may be surprised to see its test results are actually kind of low on here with some pretty major security vulnerabilities in their old TLS 1.0 implementations, old encryption ciphers, and lack of DANE support.
If you’re using Microsoft 365, not all of the modern security features are enabled by default, but there are PowerShell commands that you can use to switch your tenant to a more modern Exchange server that does have support for things like DNSSEC and DANE.
This page lists the hosting providers that do give you a 100% score.
- One of the most modern email service providers is Soverin now at 100%.
- Providers like ProtonMail and Tuta, that are always bragging about security and privacy, are only around 80% (though still much better than Gmail).
- Apple likes to brag about being awesome at security too, but their iCloud.com email service has a pitiful 47% score while their corporate email on Apple.com is even worse with a 34% score!
- If you want to see some really really bad email server test results, check out Yahoo.com and AOL.com with their scores in the 30s.
- The old Hotmail.com is actually not terrible with a 66% score.
About My Email Test
This test involves sending an email to a specific address. Once the message is received, the web page test results will appear and show you all sorts of information. This test will show a lot of things that the internet.nl test already covers but also includes more about whether your actual emails are complying with marketing email standards like a one-click unsubscribe function and HTML accessibility best practices.
This test will also reveal hostname mismatch mistakes in case you didn’t set the hostname on the server to be the same as the hostname specified in DNS and the hostname specified in the PTR record.
Bund Email Checker
This one isn’t really a scanner as you can’t put your own domain in and check it, but they have a list of email providers that they’ve tested and published results for. As you can see, Gmail doesn’t pass this one either and neither does Apple.
Hardening Checkers
- //email/testTo: (checktls.com)
- Mailhardener email tools
- Hardenize: Comprehensive web site configuration test
- CryptCheck
- DNSSEC Debugger
- Microsoft Remote Connectivity Analyzer
Above are several more online tests that you can run on your email server to see if it correctly supports all of the latest security protocols. They overlap a lot with the internet.nl test and don’t always have great explanations as to which things are good to have and why, but if you want to get more technical, they’re good to take a look at.
Blocklist Checkers
- Email Blacklist Check – IP Blacklist Check – See if your server is blacklisted (mxtoolbox.com)
- MultiRBL lookup
- Proofpoint Dynamic Reputation – IP Lookup (Proprietary block list that some businesses use.)
Is your server on a “Realtime Blocklist” (RBL) and getting blocked by certain other servers? If yes, that might mean that your service/server is really badly behaved. It could be sending tons of spam and/or has very outdated configurations that make it susceptible to becoming a bad actor. Or it might mean that your IP address is within a range that contains other badly behaved mail servers. If your server has some configuration problems, usually you can fix those errors and then request to be removed from the blocklists and all will be ok. Some blocklists are a little scammy though and want you to pay money to be removed from the blocklist, but not many services use those, so it might not be worth worrying about.
Spamyness checkers
These aren’t really as much about the quality of your email service as they are about if the emails you’re sending look like they’re spam. If you’re using your email for interpersonal communications instead of marketing materials then this isn’t much of a concern to you, but a lot of businesses do both, so before sending a newsletter to your clients or friends, you might want to make sure it passes these tests.
Following standards is good for everyone
While the World Wide Web has pretty nicely kept up to date with the latest security standards, electronic messaging communications still has some work to do. Email is the messaging system used by the entire population of the internet (which is about half of the entire human population of planet Earth), and keeping things secure and private should be a priority for us especially with so many other centralized proprietary messaging platforms trying to take away your freedom and monetize/control your private communications (See: Stop being naive when it comes to things like WhatsApp, Telegram, Signal, etc.).
