Identifying email service providers that do not support TLS is increasingly challenging because adoption is now widespread and such providers are becoming rare. Reputable ESPs generally support TLS for secure email communication, but older or unmaintained servers might lack it. Methods for testing TLS support include command-line tools like openssl, initiating a STARTTLS handshake via telnet or custom code (e.g., Java), Nmap, and online testing services like MXToolbox. The absence of TLS poses security risks. Mail to a made-up address at tiscali.it used to bounce due to lack of TLS, but manual testing is generally required. If a STARTTLS command fails, it implies the server doesn't support TLS. Legacy on-premises systems might not support TLS, emphasizing the need for upgrades to TLS 1.2 or later.
9 marketer opinions
Identifying email service providers that do not support TLS is increasingly challenging due to widespread adoption. While reputable ESPs generally support TLS for secure email communication, older or unmaintained servers might lack it. Common methods for testing TLS support involve using command-line tools like openssl, initiating STARTTLS handshakes via telnet or custom code (e.g., Java), or utilizing online testing services like MXToolbox. The absence of TLS poses security risks, potentially exposing email content to eavesdropping or tampering. Manual testing is often necessary due to the dynamic nature of email infrastructure.
Marketer view
Email marketer from Stack Overflow explains that you can try to telnet to port 25 on the mail server and issue the EHLO command. If STARTTLS is not listed in the response, the server doesn't support TLS.
14 Nov 2023 - Stack Overflow
Marketer view
Email marketer from MXToolbox explains that their service allows you to enter a domain name and run tests, including SMTP tests that will reveal if the server supports STARTTLS and the TLS versions/ciphers offered.
10 Jun 2024 - MXToolbox
2 expert opinions
Experts from Word to the Wise indicate that finding email service providers without TLS support is becoming increasingly rare, especially since 2018. However, they suggest using OpenSSL from the command line to test for TLS support, specifically with the command `openssl s_client -starttls smtp -connect mail.example.com:25`.
Expert view
Expert from Word to the Wise explains that it is increasingly rare in 2018 to find email service providers that do not support TLS; however, they suggest you could possibly use OpenSSL to test for TLS.
6 Jul 2024 - Word to the Wise
Expert view
Expert from Word to the Wise explains that you can test for TLS by using openssl from the command line: `openssl s_client -starttls smtp -connect mail.example.com:25`.
17 Apr 2023 - Word to the Wise
5 technical articles
Technical documentation indicates that identifying email service providers without TLS involves testing for STARTTLS support. If a STARTTLS command fails, it implies the server doesn't support TLS. Tools like openssl, Nmap with its `smtp-starttls.nse` script, and online SSL testing services can be used to check TLS configurations by attempting a STARTTLS handshake and analyzing the results. While services like Exchange Online require TLS, legacy on-premises systems might not, emphasizing the need for upgrades to TLS 1.2 or later.
Technical article
Documentation from Qualys SSL Labs explains that you can use tools like openssl or specialized online services to check the TLS configuration of an email server by connecting and attempting a STARTTLS handshake. The output reveals supported protocols and ciphers.
8 Jan 2025 - Qualys SSL Labs
Technical article
Documentation from Nmap describes using the `smtp-starttls.nse` script to detect if an SMTP server supports STARTTLS. It attempts to negotiate TLS and reports the results.
23 Mar 2024 - Nmap
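An added example, not code from any of the sources summarized on this page: the EHLO check and STARTTLS handshake described above, as a reply parser plus a live probe built on Python's `smtplib`. The EHLO replies and hostnames are constructed, and `probe` assumes a TLS 1.2 floor to match the upgrade advice above.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from real servers).
REPLY_TLS = "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250-starttls\r\n250 HELP\r\n"
REPLY_PLAIN = "250-starttls.example.test Hello\r\n250-SIZE 10240000\r\n250 HELP\r\n"

def parse_ehlo(reply):
    """Map each EHLO keyword (upper-cased) to its parameter string."""
    extensions = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:  # line 1 is the server's domain/greeting, not a keyword
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword:
            extensions[keyword.upper()] = params
    return extensions

def advertises_starttls(reply):
    # Keyword match, not substring search: REPLY_PLAIN has "starttls" in its hostname.
    return "STARTTLS" in parse_ehlo(reply)

def probe(host, port=25, timeout=10):
    """Live check. Returns (status, detail); connection errors propagate as OSError."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Measuring TLS support only, so the certificate is not validated here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return ("no-starttls", None)
        try:
            smtp.starttls(context=ctx)
        except (smtplib.SMTPException, ssl.SSLError) as exc:
            return ("starttls-failed", str(exc))
        return ("tls-ok", smtp.sock.version())
    finally:
        smtp.close()

if __name__ == "__main__":
    print(advertises_starttls(REPLY_TLS), advertises_starttls(REPLY_PLAIN))
```

A `starttls-failed` result means the server advertised the keyword but a TLS 1.2 or later session could not be negotiated, which is a different finding from `no-starttls`.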