Transport Layer Security (TLS) is a fundamental cryptographic protocol that encrypts email traffic as it travels between Mail Transfer Agents (MTAs). This encryption is crucial for ensuring the privacy and integrity of your email content, preventing unauthorized parties from intercepting and reading your messages. A significant drop in your TLS encrypted traffic percentage, often seen in tools like Google Postmaster Tools, can signal a serious underlying issue with your email sending infrastructure or the receiving server's configuration, potentially impacting your email deliverability.
Key findings
Encryption standard: TLS is the modern encryption protocol, succeeding SSL, designed to secure data in transit between email servers.
Data protection: Its primary role is to encrypt communication between sending and receiving MTAs, safeguarding email content from snooping.
Ideal percentage: For optimal security and trust, nearly all (98-100%) of your email traffic should be TLS encrypted.
Monitoring: Metrics available in tools like Google Postmaster Tools (GPT) provide insight into the percentage of your email sent or received over TLS.
Key considerations
ESP responsibility: Your Email Service Provider (ESP) or Mail Transfer Agent (MTA) is responsible for properly implementing and maintaining TLS encryption. Unexpected drops often point to issues on their end.
Outdated protocols: A drop can be caused by recipient servers deprecating older TLS versions (e.g., TLS 1.0 or 1.1); if your MTA has not been updated to offer newer versions, the connection falls back to unencrypted delivery. For more on this, consult resources on TLS basics.
Impact on deliverability: While email encryption is not strictly required for delivery, major mailbox providers increasingly favor encrypted connections. A low TLS percentage can negatively impact your sender reputation and email deliverability.
Troubleshooting steps: Investigate immediately by contacting your ESP, checking for unauthenticated mail streams (though TLS is separate from DMARC, as discussed in our guide to DMARC, SPF, and DKIM), or considering if recent changes to your sending setup could be a factor.
What email marketers say
Email marketers often discover issues with TLS encryption through unexpected drops in their analytics, especially when using tools like Google Postmaster Tools. For them, a stable, high TLS encryption rate is an indicator of healthy email infrastructure, directly affecting their ability to reach the inbox without security red flags. Sudden and drastic declines necessitate immediate investigation, typically starting with their ESP.
Key opinions
Sudden drops: Many marketers report experiencing abrupt declines in TLS encryption percentages from typical levels (98-100%) to significantly lower rates (e.g., 40%).
MTA issues: A common consensus among marketers is that such drops are often indicative of a fault or misconfiguration at the sending Mail Transfer Agent (MTA) level.
Temporary nature: When TLS percentages revert to normal quickly (e.g., the next day), it suggests that an issue was promptly identified and resolved by the email service provider.
Scope of metrics: Marketers understand that TLS metrics (like those in Google Postmaster Tools) refer exclusively to the transport-level encryption between MTAs, not the use of HTTPS links within the email content itself.
Key considerations
Immediate investigation: Upon observing a significant drop, the first step for marketers should be to contact their ESP to diagnose any server-side problems.
Diverse sending streams: Consider whether your domain sends email from multiple sources; if some streams are not configured for TLS, the percentage reported for the domain is a blend of all of them and will be lower than the encrypted streams alone.
Authentication impact: While TLS is distinct from DMARC, monitoring DMARC reports can sometimes help identify unauthenticated mail streams that may also lack encryption, which can affect your overall domain reputation.
Consistent monitoring: Regularly check your TLS encryption rates, especially within platforms like Google Postmaster Tools, to catch and address drops quickly.
Marketer view
A marketer from Email Geeks notes that TLS is simply a method of encryption used while data is in transit, and it's something their ESP's MTAs should be handling. They suggest that a drop could indicate an error on the ESP's end.
29 Jan 2019 - Email Geeks
Marketer view
A marketer from Email Geeks observes that their TLS encryption percentage is normally 98-100%, but they recently saw a significant drop to 40% encrypted traffic.
29 Jan 2019 - Email Geeks
What the experts say
Email deliverability experts highlight TLS as a foundational pillar of email security, indispensable for ensuring confidentiality and integrity during message transmission. They consistently advise email senders to prioritize and maintain robust TLS configurations, emphasizing that any significant deviation from expected encryption levels warrants immediate attention due to potential security vulnerabilities or deliverability disruptions.
Key opinions
Confidentiality: Experts affirm that TLS effectively encrypts the entire communication channel between the sending and receiving email servers, preventing third parties from intercepting and reading email content.
Security best practice: It is considered a critical security best practice to encrypt all possible email traffic using TLS to protect sensitive information.
Version obsolescence: The deprecation of older TLS versions (e.g., 1.0, 1.1) means that MTAs must support newer versions to avoid falling back to unencrypted connections when communicating with up-to-date recipient servers.
Indirect deliverability impact: While not directly a blocking factor, unencrypted email connections can raise suspicion with recipient mail servers, potentially leading to lower inbox placement or heightened spam filtering, as discussed in our guide on why emails fail.
Key considerations
MTA configuration: It is crucial to ensure that your Mail Transfer Agent or ESP's infrastructure is configured to support and prioritize the most current and secure TLS versions, such as TLS 1.2 or 1.3.
Recipient server readiness: Be aware that recipient mail servers may update their systems, causing issues if your sending infrastructure isn't compatible with their latest TLS requirements.
Comprehensive security: While essential, TLS is one part of a larger security ecosystem. It should be used in conjunction with other authentication protocols like SPF, DKIM, and DMARC for robust email security, as outlined in guides such as understanding DMARC reports.
Proactive monitoring: Regularly monitor your TLS encryption rates to quickly detect any drops and take corrective action to prevent long-term negative impacts on your sender reputation and inbox placement.
Expert view
An expert from Spam Resource highlights that TLS is essential for preventing network snooping, as unencrypted emails can be easily read by anyone monitoring the network path between servers.
10 Apr 2024 - Spam Resource
Expert view
An expert from Word to the Wise states that persistent drops in TLS encryption often indicate a systemic configuration problem with the sending server or Email Service Provider (ESP), rather than transient network issues.
15 Mar 2024 - Word to the Wise
What the documentation says
Official documentation and technical guides from major email providers and internet standards organizations consistently define TLS as the cornerstone of secure email transport. They detail how TLS ensures the privacy and integrity of emails between servers and underscore the importance of supporting current TLS versions. They also highlight reporting mechanisms that help diagnose issues when encryption rates drop.
Key findings
SMTP TLS importance: Documentation confirms SMTP TLS encryption is the standard method for securing email delivery, providing essential data protection.
Transparency: Platforms like Google Postmaster Tools clearly outline how their encryption dashboards track both TLS Inbound (to Gmail) and TLS Outbound (from Gmail) percentages for given domains.
Protocol updates: Technical standards evolve, with older TLS versions (e.g., 1.0, 1.1) being deprecated due to security vulnerabilities, emphasizing the need for newer versions like TLS 1.2 and 1.3.
Error reporting: Standards like TLS-RPT (TLS Reporting) are designed to enable servers to report issues or failures during the TLS encryption handshake, aiding in diagnostics.
Key considerations
Maintain current protocols: Ensure your mail servers are configured to use and prioritize the most up-to-date TLS protocols to guarantee secure and successful connections with recipient servers.
Certificate validity: Proper management of SSL/TLS certificates, including checking for expiration or key size errors, is vital for establishing successful TLS connections. More details can be found at The SSL Store.
Vulnerability to interception: Official sources repeatedly warn that without TLS, email content is transmitted in plaintext, making it highly vulnerable to passive network interception and privacy breaches.
Interoperability issues: Incompatibility between sending and receiving server TLS configurations can lead to a dropped encryption rate, which may be reflected in email deliverability reports.
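To make the MTA-configuration and certificate points above concrete, here is an added example written for this article; it is not code from Google Postmaster Tools, any ESP, or the sources cited on this page. It probes a mail server's STARTTLS support using a client policy that refuses TLS 1.0 and 1.1, reports the negotiated protocol version, and computes the days left on the certificate the server presents, then reduces the result to a label a monitoring dashboard could track. The placeholder host, the 14-day warning threshold and the function names are the example's own assumptions.

```python
"""Probe a mail server's STARTTLS support under a TLS 1.2+ policy and report
the negotiated protocol version and certificate expiry.

Added example for this article; not code from Google Postmaster Tools, any
ESP, or the sources cited on the page. Host names and thresholds are assumed.
"""
import smtplib
import ssl
import time
from typing import Optional

NO_STARTTLS = "server does not advertise STARTTLS"


def build_client_context() -> ssl.SSLContext:
    """Verifying client context that refuses TLS 1.0 and 1.1.

    A sending MTA with this policy fails the handshake against a server that
    only offers deprecated versions; the failure is visible as an error rather
    than a silent fallback to plaintext delivery.
    """
    ctx = ssl.create_default_context()  # chain + hostname verification, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> int:
    """Whole days until the certificate's notAfter date.

    `not_after` uses the format returned by SSLSocket.getpeercert(), e.g.
    "Jan 15 00:00:00 2030 GMT"; a negative value means the certificate has expired.
    """
    expires = ssl.cert_time_to_seconds(not_after)  # interpreted as UTC
    now = time.time() if now_epoch is None else now_epoch
    return int((expires - now) // 86400)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an MX, upgrade with STARTTLS, and describe what happened.

    Keys: host, starttls (bool), protocol (e.g. "TLSv1.3" or None),
    cert_days_left (int or None), error (str or None).
    """
    result = {"host": host, "starttls": False, "protocol": None,
              "cert_days_left": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["error"] = NO_STARTTLS
                return result
            smtp.starttls(context=build_client_context())
            result["starttls"] = True
            result["protocol"] = smtp.sock.version()
            cert = smtp.sock.getpeercert()  # populated because the context verifies
            result["cert_days_left"] = days_until_expiry(cert["notAfter"])
    except (smtplib.SMTPException, OSError) as exc:
        # Covers refused or timed-out connections, handshake failures (including a
        # peer that only offers TLS 1.0/1.1) and certificate verification errors.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def classify_probe(result: dict, warn_days: int = 14) -> str:
    """Reduce a probe result to a label suitable for a monitoring dashboard."""
    if not result["starttls"]:
        return "no-starttls" if result["error"] == NO_STARTTLS else "handshake-failed"
    days = result["cert_days_left"]
    if days is not None and days < warn_days:
        return "certificate-expiring"
    return "ok"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.test"  # assumed placeholder host
    outcome = probe_starttls(target)
    print(classify_probe(outcome), outcome)
```

Run it against your own MX hosts (or ask your ESP to run the equivalent against the providers you send to): a "handshake-failed" result under this policy is exactly the situation the version-deprecation finding describes, since a peer that only offers TLS 1.0 or 1.1, or presents an expired certificate, cannot complete the handshake, and "certificate-expiring" gives you the warning before that happens.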
Technical article
Documentation from The SSL Store explains that SSL/TLS is used to encrypt connections made by email servers, emphasizing its critical role in securing the communication pathway for email traffic.
01 Jan 2023 - The SSL Store
Technical article
A guide from Mailmodo clarifies that TLS-RPT (TLS Reporting) is a standard designed to allow email servers to report any issues, particularly delivery failures, encountered during the TLS encryption process.
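TLS-RPT, as described in the error-reporting finding above and in the Mailmodo guide, delivers aggregate JSON reports (RFC 8460) to the domain that publishes a TLS-RPT DNS record; each report describes a reporting organisation's attempts to reach that domain's MX hosts, so it diagnoses failures on the inbound side of the encryption dashboard. The following is an added example for this article, not code from Mailmodo, Google or any other source cited here, that parses such a report into the encrypted percentage and failure breakdown a drop investigation needs. The report embedded in it is constructed for illustration: the organisation name, domain, IP addresses, report id and session counts are made up.

```python
"""Summarize an SMTP TLS Reporting (TLS-RPT, RFC 8460) aggregate report.

Added example for this article; not code from Mailmodo or any provider cited
here. SAMPLE_REPORT is constructed for illustration: the organisation, domain,
IP addresses, report id and counts are made up.
"""
import json
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Receiver",  # constructed reporting organisation
    "date-range": {"start-datetime": "2024-03-14T00:00:00Z",
                   "end-datetime": "2024-03-15T00:00:00Z"},
    "contact-info": "tlsrpt@example.net",
    "report-id": "constructed-report-0001",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-domain": "sender.example",  # the MX owner being reported on
            "policy-string": ["version: STSv1", "mode: enforce",
                              "mx: mx.sender.example", "max_age: 604800"],
            "mx-host": ["mx.sender.example"],
        },
        "summary": {"total-successful-session-count": 9500,
                    "total-failure-session-count": 500},
        "failure-details": [
            {"result-type": "certificate-expired",
             "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mx.sender.example",
             "failed-session-count": 480},
            {"result-type": "starttls-not-supported",
             "sending-mta-ip": "192.0.2.11",
             "receiving-mx-hostname": "mx.sender.example",
             "failed-session-count": 20},
        ],
    }],
})


def summarize_tlsrpt(report_json: str) -> dict:
    """Per policy domain: session counts, encrypted percentage and failures by reason."""
    report = json.loads(report_json)
    domains: Dict[str, dict] = {}
    for entry in report.get("policies", []):
        policy = entry.get("policy", {})
        domain = policy.get("policy-domain", "unknown")
        summary = entry.get("summary", {})
        ok = int(summary.get("total-successful-session-count", 0))
        failed = int(summary.get("total-failure-session-count", 0))
        reasons: Counter = Counter()
        for detail in entry.get("failure-details", []):
            reasons[detail.get("result-type", "unknown")] += int(detail.get("failed-session-count", 0))
        total = ok + failed
        domains[domain] = {
            "policy_type": policy.get("policy-type"),
            "success": ok,
            "failure": failed,
            "encrypted_pct": round(100.0 * ok / total, 2) if total else None,
            "failures_by_reason": dict(reasons),
        }
    return {"reporter": report.get("organization-name"),
            "report_id": report.get("report-id"),
            "period": report.get("date-range", {}),
            "domains": domains}


def top_failure_reason(summary: dict, domain: str) -> Optional[Tuple[str, int]]:
    """Most frequent failure result-type for a domain, or None if it had no failures."""
    reasons = summary["domains"].get(domain, {}).get("failures_by_reason", {})
    if not reasons:
        return None
    reason = max(reasons, key=reasons.get)
    return reason, reasons[reason]


def domains_below_target(summary: dict, min_pct: float = 98.0) -> List[str]:
    """Domains whose encrypted share is under the 98-100% range the article treats as healthy."""
    return sorted(d for d, info in summary["domains"].items()
                  if info["encrypted_pct"] is not None and info["encrypted_pct"] < min_pct)


if __name__ == "__main__":
    report_summary = summarize_tlsrpt(SAMPLE_REPORT)
    for name in domains_below_target(report_summary):
        print(name, report_summary["domains"][name]["encrypted_pct"],
              top_failure_reason(report_summary, name))
```

Feeding the constructed report through this gives 95% encrypted for sender.example with "certificate-expired" as the dominant reason, which is the kind of pointer that turns an unexplained dashboard drop into a concrete fix (renew the certificate on the named MX). Real reports arrive by e-mail or HTTPS as gzip-compressed JSON; decompress before passing the text to summarize_tlsrpt.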