Are sporadic TLS encryption rates common for bulk email senders using opportunistic TLS?

Key findings

• ESP assertions: Some ESPs claim that sporadic TLS encryption rates are a common issue observed across all bulk senders and ESPs, even citing verification from industry groups like M3AAWG.
• Divergent experiences: Despite these claims, not all bulk senders report experiencing sporadic TLS encryption rates, with some indicating consistent encryption over extended periods.
• Opportunistic TLS: The issue specifically applies to senders using opportunistic TLS, where encryption occurs only if the receiving server supports it. Senders with mandatory TLS will consistently see 100% encryption.
• Historical context: The trend of sporadic encryption rates reportedly began around November 2018 for some senders, suggesting a potential shift in recipient server behavior or network conditions.

Key considerations

• TLS configuration: Confirming whether your email sending infrastructure is configured for opportunistic or mandatory TLS is essential for interpreting encryption rate data. For more details, see our article on what causes a drop in TLS encryption percentage.
• Data collection and analysis: Reliable data points from multiple senders are needed to accurately assess the prevalence and extent of sporadic TLS encryption rates across the industry.
• Impact on deliverability: While not directly a deliverability blocker, lower TLS encryption rates can indicate underlying network or recipient server issues that might indirectly affect inbox placement or trust. Learn more about how Google penalizes for not using email encryption.
• Underlying causes: Investigating potential root causes such as network intermediaries, server configurations, or issues with specific receiving domains is important. As Twilio notes, many providers use opportunistic TLS by default, making this a common scenario.

Key opinions

• ESP assurances: Some marketers are told by their ESPs that sporadic TLS encryption is a normal occurrence for all bulk senders.
• Lack of observed issues: Other marketers report not seeing any sporadic issues with their TLS encryption rates, even over extended periods, which contradicts the 'everyone' claim.
• Importance of TLS setting: There's a strong understanding among marketers that the TLS setting (opportunistic vs. mandatory) directly impacts observed encryption percentages.
• Platform-specific observations: Specific ESPs or platforms (e.g., Salesforce Marketing Cloud, Silverpop/WCA) are often mentioned in discussions about observed encryption rates.

Key considerations

• Verifying ESP claims: Marketers should seek independent verification or additional data points beyond what their ESP provides regarding widespread TLS issues.
• Monitoring encryption: Regularly monitoring TLS encryption rates through tools like Google Postmaster Tools can help identify unusual patterns. Understanding the ultimate guide to Google Postmaster Tools V2 can provide valuable insights.
• Communicating with ESPs: Engaging in detailed conversations with ESP support regarding specific TLS configurations and observed data can help clarify issues.
• Impact on sender reputation: While opportunistic TLS is widely accepted, consistent failure to encrypt when possible could subtly impact sender reputation or deliverability, as unencrypted emails are less secure. This could contribute to why emails go to spam.

Key opinions

• Not a universal trend: Experts generally disagree with the claim that sporadic TLS encryption rates are universally experienced by 'everyone' in bulk sending.
• Specific source identification: They believe that if a sender is experiencing sporadic rates, there's likely a specific, identifiable source or issue causing it.
• Technical investigation: Experts suggest direct communication and technical investigation (e.g., with the ESP's MTA team) to pinpoint the root cause of the problem.
• TLS negotiation complexities: The variability can stem from various factors, including network intermediaries, server load, and configuration differences between sending and receiving mail transfer agents (MTAs).

Key considerations

• Direct engagement: If facing sporadic TLS rates, engage directly with your ESP's technical team to investigate. Sometimes, specific issues like SSL/TLS key size errors can be a factor.
• Isolation of issues: It's crucial to determine if the issue is unique to your sending setup, specific recipient domains, or a broader trend impacting your ESP. This diagnostic approach is key to improving deliverability.
• Network path analysis: Consider the network path between your sending server and the recipient server. Intermediary mail gateways or firewalls might interfere with TLS negotiation. LuxSci explains how opportunistic TLS can be excellent but complicated to implement reliably.
• Proactive monitoring: Implement robust monitoring for TLS encryption rates to detect deviations promptly rather than relying solely on anecdotal evidence or general statements.

Key findings

• TLS protocol flexibility: The TLS protocol itself, as defined in RFCs like RFC 5246, is designed to be adaptable, supporting various versions and cipher suites, which can lead to negotiation failures if parameters don't align.
• Opportunistic by design: Opportunistic TLS explicitly means that an encrypted connection is attempted, but if it fails, the email is sent unencrypted. This behavior is fundamental to its operation and implies that a non-100% rate is possible and expected under certain conditions.
• Network impact: Official documentation often acknowledges that network conditions, intermediary servers, and the configuration of recipient MTAs can influence the success rate of TLS handshakes.
• Security vs. delivery: The primary goal of opportunistic TLS is to deliver the email, with encryption as a desirable enhancement. This prioritisation inherently allows for unencrypted delivery when secure transport is not feasible.

Key considerations

• Understanding TLS versions: Outdated TLS versions or cipher suites on either the sending or receiving side can lead to negotiation failures. Ensuring support for modern TLS 1.2 or 1.3 is critical.
• Server configuration: Proper server configuration, including valid certificates and correct cipher preferences, is essential for maximizing opportunistic TLS encryption rates.
• DANE/TLSA records: For enhanced security beyond opportunistic TLS, consider implementing DNS-based Authentication of Named Entities (DANE) with TLSA records to enforce mandatory TLS for specific domains, preventing downgrade attacks.
• Monitoring and logging: Comprehensive logging of SMTP transactions and TLS negotiation results is vital for diagnosing sporadic encryption issues and understanding why specific connections fall back to unencrypted transport.