What is TLS encrypted email traffic and what causes a drop in its percentage?
Michael Ko
Co-founder & CEO, Suped
Published 2 Aug 2025
Updated 19 Aug 2025
Email is a cornerstone of modern communication, from personal messages to critical business transactions. Given the sensitive nature of much of this correspondence, ensuring its privacy and integrity during transit is paramount. This is where Transport Layer Security (TLS) comes into play for email.
TLS encrypts email traffic as it moves between mail servers (Mail Transfer Agents or MTAs), effectively creating a secure, private tunnel for your messages. Without it, emails are like postcards, readable by anyone who might intercept them along the route. With TLS, the content is scrambled, making it unreadable to snoopers and significantly reducing the risk of eavesdropping and tampering.
Most email providers and senders aim for a very high percentage of TLS encrypted traffic, often 98% or higher, reflecting a commitment to security. However, it's not uncommon for businesses to observe sudden, significant drops in this percentage. Understanding what constitutes TLS encrypted email and the factors that can cause such a drop is crucial for maintaining both security and email deliverability.
What is TLS in email?
TLS, or Transport Layer Security, is the successor to SSL (Secure Sockets Layer) and is the standard cryptographic protocol for establishing an encrypted link between two endpoints, such as a browser and a web server, or one mail server and another. For email, TLS encryption occurs at the transport layer, specifically between the sending MTA and the receiving MTA or MX server. This means that as your email leaves your mail server and travels across the internet to the recipient's mail server, it's protected from interception.
The vast majority of email communication today uses what is known as opportunistic TLS. This means that when a sending server attempts to deliver an email, it first tries to establish a TLS-encrypted connection with the receiving server. If the receiving server supports TLS, the connection is encrypted, and the email is sent securely. If the receiving server does not support TLS, or if there's a problem establishing the encrypted connection, the email will typically still be sent, but in plain text (unencrypted). You can learn more about this in our article about sporadic TLS encryption rates.
It's important to distinguish this from end-to-end encryption, which encrypts the content of the email so that only the intended recipient can read it, even when stored on mail servers. TLS, on the other hand, secures the communication channel, ensuring that the email is private while it's in transit between servers. You can find more technical specifications on the use of TLS for email submission and access in RFC 8314 from the IETF.
Understanding TLS reporting
When you look at your TLS encryption percentages, for example, in Google Postmaster Tools, you're typically seeing statistics related to the transport-level encryption between MTAs. These tools provide two key metrics:
TLS Inbound: This shows the percentage of incoming mail that was received over a TLS-encrypted connection to your domain.
TLS Outbound: This indicates the percentage of outgoing mail sent from your domain that was accepted over a TLS-encrypted connection by the receiving servers. This metric is what most senders focus on when troubleshooting drops.
A drop in these percentages means a higher volume of your emails is being sent or received without encryption, exposing them to potential interception.
Why your TLS percentage might drop
Observing a significant drop in your TLS encryption percentage can be alarming, especially if it's a sudden and drastic fall from a high baseline (e.g., from 98-100% down to 40%). Several factors can contribute to this issue, primarily revolving around misconfigurations or compatibility problems between mail servers.
One of the most common culprits is a problem with the sending Mail Transfer Agent (MTA) or the Email Service Provider's (ESP) servers. This could involve misconfigured settings that prevent the MTA from properly initiating a TLS handshake, or issues with the SSL/TLS certificates themselves. An expired, invalid, or improperly installed certificate on your sending server can cause receiving servers to refuse the TLS connection, forcing a fallback to an unencrypted transfer.
Another significant factor is the deprecation of older TLS versions. As security standards evolve, older versions like TLS 1.0 and 1.1 are being phased out due to known vulnerabilities. If your MTA or ESP is still relying on these deprecated versions, and the recipient mail servers have updated to only support TLS 1.2 or 1.3, then encrypted connections will fail, leading to unencrypted delivery. We have a detailed guide on the implications of disabling older TLS versions.
Less common, but still possible, are issues with the recipient's mail servers or network routing. If a particular receiving domain's mail server is experiencing its own TLS configuration problems or if there are intermittent network issues preventing the TLS handshake from completing, your emails to that specific domain (or set of domains) might fall back to unencrypted transmission. This can appear as a broad drop if a large portion of your mail is sent to affected recipients, or if there's a problem with an intermediate network segment.
Typical problems
MTA misconfiguration: Sending server settings that prevent TLS from initiating or completing properly.
Certificate issues: Expired, invalid, or mismatched SSL/TLS certificates on the sending MTA.
Outdated TLS versions: Reliance on TLS 1.0 or 1.1 when recipient servers require newer versions.
Recipient server problems: Receiving domains with TLS configuration errors or temporary outages.
Initial steps
Contact your ESP: The first step should always be to reach out to your Email Service Provider. They manage your sending infrastructure and can check for faults or recent changes on their end.
Check Google Postmaster Tools: If the drop is specific to Gmail recipients, this tool offers insights into your TLS outbound percentage.
Review recent changes: Consider any recent changes to your sending infrastructure, DNS records, or ESP settings that might coincide with the drop.
Diagnosing and resolving TLS issues
When you notice a drop in TLS encryption, immediate action is necessary to identify and rectify the issue. For outbound email, a primary diagnostic tool is Google Postmaster Tools. If you're seeing TLS errors when sending to Gmail, this dashboard can provide specific data on the percentage of your mail that was sent to Gmail over a TLS connection versus unencrypted.
Beyond Postmaster Tools, you should consult your sending logs for specific error messages related to TLS handshake failures. These logs, usually accessible through your ESP or mail server administrator, will indicate why a TLS connection failed (e.g., certificate validation errors, unsupported cipher suites, or protocol version mismatches). For instance, a common log entry might resemble this:
Example TLS connection error:
hostname.com:25: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
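The two paragraphs above say to look at your sending logs and work out which failures explain the drop. Here is an added example of that analysis (not code from the article or from any ESP): it parses a constructed, simplified delivery log, modelled loosely on what an MTA records per delivery but not the exact format of any real MTA, computes the TLS outbound percentage overall and per recipient domain, and maps each plaintext fallback onto the failure categories the text lists (certificate validation, cipher suite, protocol version) plus the "no STARTTLS" case. The log lines, domains, addresses and timestamps are all constructed.

```python
"""Per-destination TLS rate from sending logs (added example, constructed data).

The log format is simplified: each delivery line carries the recipient,
whether the session was encrypted, the negotiated protocol and, on plaintext
fallback, the reason the MTA recorded. Real MTAs split this across several
lines, so adapt LINE_RE to your own log format.
"""
import re
from collections import defaultdict

# Constructed sample log lines; not captured from a real server.
SAMPLE_LOG = """\
2025-08-02T10:00:01Z smtp[101]: to=<a@example.com> relay=mx1.example.com tls=yes proto=TLSv1.3 status=sent
2025-08-02T10:00:02Z smtp[102]: to=<b@example.com> relay=mx1.example.com tls=yes proto=TLSv1.2 status=sent
2025-08-02T10:00:03Z smtp[103]: to=<c@example.net> relay=mx.example.net tls=no reason="TLS library problem: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number" status=sent
2025-08-02T10:00:04Z smtp[104]: to=<d@example.net> relay=mx.example.net tls=no reason="certificate verify failed: certificate has expired" status=sent
2025-08-02T10:00:05Z smtp[105]: to=<e@example.net> relay=mx.example.net tls=no reason="certificate verify failed: hostname mismatch" status=sent
2025-08-02T10:00:06Z smtp[106]: to=<i@example.net> relay=mx.example.net tls=no reason="no shared cipher" status=sent
2025-08-02T10:00:07Z smtp[107]: to=<f@example.org> relay=mx.example.org tls=yes proto=TLSv1.2 status=sent
2025-08-02T10:00:08Z smtp[108]: to=<g@example.org> relay=mx.example.org tls=no reason="STARTTLS not offered by peer" status=sent
2025-08-02T10:00:09Z smtp[109]: to=<h@example.com> relay=mx2.example.com tls=yes proto=TLSv1.3 status=sent
"""

LINE_RE = re.compile(
    r'to=<[^@>]+@(?P<domain>[^>]+)>.*?tls=(?P<tls>yes|no)'
    r'(?:.*?reason="(?P<reason>[^"]*)")?'
)

# Substrings of the recorded reason -> the failure categories the article names.
FAILURE_CATEGORIES = (
    ("wrong version number", "protocol version mismatch"),
    ("unsupported protocol", "protocol version mismatch"),
    ("no shared cipher", "unsupported cipher suite"),
    ("certificate", "certificate validation error"),
    ("starttls not offered", "no STARTTLS support"),
)


def classify_failure(reason):
    """Bucket a TLS failure reason; unknown reasons land in 'other'."""
    low = reason.lower()
    for needle, category in FAILURE_CATEGORIES:
        if needle in low:
            return category
    return "other"


def parse_log(text):
    """Yield (domain, encrypted, failure_category or None) for each delivery line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a delivery line
        encrypted = m.group("tls") == "yes"
        category = None if encrypted else classify_failure(m.group("reason") or "")
        yield m.group("domain"), encrypted, category


def summarize(text):
    """Return {domain: {"encrypted": n, "total": n, "failures": {category: n}}}."""
    per_domain = defaultdict(lambda: {"encrypted": 0, "total": 0, "failures": defaultdict(int)})
    for domain, encrypted, category in parse_log(text):
        bucket = per_domain[domain]
        bucket["total"] += 1
        if encrypted:
            bucket["encrypted"] += 1
        else:
            bucket["failures"][category] += 1
    return per_domain


def tls_percentage(bucket):
    return 100.0 * bucket["encrypted"] / bucket["total"] if bucket["total"] else 0.0


def overall_tls_percentage(per_domain):
    """The single number a dashboard such as 'TLS Outbound' would show."""
    enc = sum(b["encrypted"] for b in per_domain.values())
    tot = sum(b["total"] for b in per_domain.values())
    return 100.0 * enc / tot if tot else 0.0


def domains_below(per_domain, threshold=98.0):
    """Domains dragging the rate down: (domain, pct, plaintext deliveries, top failure)."""
    out = []
    for domain, b in sorted(per_domain.items()):
        pct = tls_percentage(b)
        if pct < threshold:
            top = max(b["failures"].items(), key=lambda kv: kv[1])[0] if b["failures"] else None
            out.append((domain, round(pct, 1), b["total"] - b["encrypted"], top))
    return out


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print(f"overall TLS outbound: {overall_tls_percentage(stats):.1f}%")
    for domain, pct, plain, top in domains_below(stats):
        print(f"  {domain}: {pct}% encrypted, {plain} plaintext deliveries, main cause: {top}")
```

With the constructed data the overall rate is 44.4%, and the breakdown shows the drop comes from two domains rather than from everything at once: one peer with certificate problems on its MX and one that stopped offering STARTTLS. That per-domain split is what tells you whether to call your ESP (failures across every destination) or the receiving domain's administrator (failures concentrated on one MX).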
Collaboration with your ESP is often necessary, especially for managed sending platforms. They have the tools and expertise to examine server configurations, update TLS libraries, and resolve any certificate-related issues. Remember that while TLS ensures secure transport, it's distinct from authentication protocols like DMARC. Even if your TLS percentage drops, your DMARC, SPF, and DKIM records will still function, but the security of the communication path is compromised.
TLS version  | Status                 | Considerations for email
TLS 1.0/1.1  | Deprecated/Discouraged | Many major providers no longer support these, leading to unencrypted fallback.
TLS 1.2      | Current Standard       | Widely supported and considered secure for most email traffic.
TLS 1.3      | Latest Standard        | Offers enhanced security and performance. Increasingly adopted by major email providers.
The broader impact of low TLS encryption
While email will often still deliver even if the TLS handshake fails, a significant and sustained drop in your TLS encryption percentage carries serious implications beyond just privacy. It can impact your email deliverability and overall sender reputation.
First and foremost, sending unencrypted emails exposes sensitive data to potential interception by malicious actors. Without TLS, anyone with access to an intermediate network point can sniff the packets and read the entire content of your emails. This poses a significant privacy risk and can lead to data breaches, especially for businesses handling confidential information.
Although TLS isn't a direct factor in inbox placement in the same way DMARC, SPF, and DKIM are, a persistently low TLS rate can indirectly affect your sender reputation. ISPs and email providers increasingly prioritize security. A sending domain that consistently fails to encrypt its traffic might be viewed as less trustworthy, potentially leading to increased scrutiny, higher spam filtering, or even placement on a mail server blocklist (or blacklist). While not always a direct cause for listing, it contributes to a negative perception of your sending practices.
Risks of unencrypted email traffic
Data exposure: Sensitive information can be read by anyone monitoring the network path.
Compliance issues: Failure to encrypt can violate data privacy regulations like GDPR or HIPAA.
Reputation damage: ISPs may flag your domain as less secure, impacting deliverability and potentially leading to blacklist inclusion.
Views from the trenches
Best practices
Always use the latest supported TLS versions (TLS 1.2 or 1.3) on your mail servers.
Regularly monitor your TLS encryption rates, especially through recipient-specific dashboards like Google Postmaster Tools.
Ensure your SSL/TLS certificates for your sending domains are valid and correctly installed.
Common pitfalls
Ignoring warnings about deprecated TLS versions leading to unexpected drops.
Not having a clear escalation path with your ESP for urgent deliverability issues, including TLS problems.
Assuming email is inherently secure without verifying transport encryption percentages.
Expert tips
Implement TLS-RPT (TLS Reporting) to receive reports on TLS connection failures directly, allowing for quicker troubleshooting.
Consider dedicated IP addresses for high-volume sending to better control and monitor your sending reputation and TLS performance.
Perform regular email deliverability tests using an email testing tool to catch TLS issues proactively.
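The TLS-RPT tip above deserves a concrete illustration. Reports under RFC 8460 are sent by the MTAs that deliver mail to your domain, so they explain your inbound side: which sending MTAs could not reach your MXs over TLS and why. The added example below, not code from the article, parses a constructed report that follows the RFC 8460 JSON layout (organisation, domains, IPs and counts are placeholders) and turns it into the inbound TLS success rate and the failure counts per result type and per MX host. The `_smtp._tls` TXT record shown in the comment is the real record format that enables these reports; the mailbox in it is a placeholder.

```python
"""Summarising a TLS-RPT (RFC 8460) aggregate report (added example, constructed data)."""
import json
from collections import Counter

# The DNS record that asks reporting MTAs to send reports for example.com
# (placeholder mailbox):
#   _smtp._tls.example.com.  IN TXT  "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

# Constructed report in the RFC 8460 schema; not a real report from any provider.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Receiver Inc",
    "date-range": {"start-datetime": "2025-08-01T00:00:00Z",
                   "end-datetime": "2025-08-01T23:59:59Z"},
    "contact-info": "tls-reports@reporter.example",
    "report-id": "2025-08-01T00:00:00Z_example.com",
    "policies": [{
        "policy": {"policy-type": "sts",
                   "policy-string": ["version: STSv1", "mode: enforce",
                                     "mx: mx1.example.com", "mx: mx2.example.com",
                                     "max_age: 86400"],
                   "policy-domain": "example.com",
                   "mx-host": ["mx1.example.com", "mx2.example.com"]},
        "summary": {"total-successful-session-count": 9400,
                    "total-failure-session-count": 600},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mx1.example.com", "receiving-ip": "198.51.100.5",
             "failed-session-count": 450},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mx2.example.com", "receiving-ip": "198.51.100.6",
             "failed-session-count": 150},
        ],
    }],
})

# RFC 8460 result types that point at the receiving domain's own MX setup.
RECEIVER_SIDE = {"certificate-expired", "certificate-host-mismatch",
                 "certificate-not-trusted", "starttls-not-supported"}


def summarize_report(report_json):
    """One summary dict per policy entry in the report."""
    report = json.loads(report_json)
    summaries = []
    for entry in report["policies"]:
        s = entry["summary"]
        ok, bad = s["total-successful-session-count"], s["total-failure-session-count"]
        total = ok + bad
        by_type, by_mx = Counter(), Counter()
        for f in entry.get("failure-details", []):
            by_type[f["result-type"]] += f["failed-session-count"]
            by_mx[f.get("receiving-mx-hostname", "unknown")] += f["failed-session-count"]
        summaries.append({
            "domain": entry["policy"]["policy-domain"],
            "policy_type": entry["policy"]["policy-type"],
            "reporter": report["organization-name"],
            "tls_success_pct": round(100.0 * ok / total, 2) if total else 0.0,
            "failures_by_type": dict(by_type),
            "failures_by_mx": dict(by_mx),
            "details_match_summary": sum(by_type.values()) == bad,
            "receiver_side_failures": sum(n for t, n in by_type.items() if t in RECEIVER_SIDE),
        })
    return summaries


def action_items(summary):
    """Human-readable next steps for the MX operator, one per failing host."""
    items = []
    for mx, count in sorted(summary["failures_by_mx"].items()):
        items.append(f"{mx}: {count} failed sessions reported by {summary['reporter']}")
    return items


if __name__ == "__main__":
    for s in summarize_report(SAMPLE_REPORT):
        print(f"{s['domain']} ({s['policy_type']}): {s['tls_success_pct']}% of inbound sessions over TLS")
        print("  by type:", s["failures_by_type"])
        for line in action_items(s):
            print("  ", line)
```

In the constructed report an expired certificate on `mx1.example.com` accounts for most of the failures, which is exactly the kind of receiver-side defect the "TLS Inbound" metric would show as a drop; the `details_match_summary` flag catches reports whose per-failure counts do not add up to the summary total, which is worth knowing before acting on them.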
Marketer view
Marketer from Email Geeks says that TLS is a method of encryption used while data is in transit, and it should be handled by an Email Service Provider's (ESP) MTAs. A drop in this metric could indicate an error on the ESP's end.
February 1, 2019 - Email Geeks
Marketer view
Marketer from Email Geeks says that TLS encrypts the communication between the sending MTA and the receiving MX server, making it very difficult for anyone to intercept and read the email content.
February 1, 2019 - Email Geeks
Maintaining high TLS rates
Maintaining a high TLS encryption rate for your email traffic is a non-negotiable aspect of modern email security and deliverability. It safeguards your communications from eavesdropping and helps uphold your sender reputation with major email providers. Proactive monitoring and swift action are essential to prevent and resolve drops in this critical metric.
Regularly checking your mail server configurations, staying updated on TLS protocol changes, and leveraging tools like Google Postmaster Tools can help ensure your emails always travel securely, reaching inboxes reliably and privately.