The vast majority of modern email service providers (ESPs) and mailbox providers (MBPs) today support Transport Layer Security (TLS), an essential encryption protocol for securing email communication. However, a lingering question for email marketers and system administrators is whether any significant providers still lack TLS support, or support only older versions of it, since either can impact deliverability and data privacy. While most major players enforce modern TLS (1.2 or 1.3) or have deprecated older versions, some legacy systems or smaller, niche providers may still operate without full TLS support, leading to unencrypted email transfers or delivery failures. This page explores common scenarios and insights into email services that may lack TLS support.
Key findings
Widespread adoption: Most modern email providers, including major ones like Gmail, Outlook, and Yahoo, widely support TLS for email encryption.
Deprecation of older TLS: Older TLS versions (1.0 and 1.1) were largely deprecated in 2020 and are no longer used by most leading ESPs, with TLS 1.2 and 1.3 being the current standards.
Legacy systems: Some legacy email services or smaller, regional providers may still lack support for modern TLS or even any TLS at all, leading to unencrypted email delivery or bounces when forced TLS is enabled. An example identified in discussions is tiscali.it.
Transparency reports: Resources like the Google Transparency Report offer insights into the percentage of emails encrypted by TLS for various domains.
Impact on deliverability: If a sender configures their mail server to strictly enforce TLS, emails sent to recipients without TLS support will fail to deliver, resulting in bounces. This matters for anyone configuring outbound TLS for email marketing.
Key considerations
Security implications: Sending emails to providers without TLS means the communication will be unencrypted and vulnerable to eavesdropping, posing a significant privacy and security risk.
Deliverability challenges: Forcing TLS (mandatory TLS) is a good security practice, but it will lead to failed deliveries for recipients on non-TLS supporting servers. This needs to be considered when configuring TLS on sending domains.
Identifying non-compliant domains: It can be challenging to identify specific email domains that do not support TLS without comprehensive testing. Tools like CheckTLS can assist in this process.
Adapting to new standards: As security standards evolve, email senders must regularly review their configurations to ensure compliance with modern TLS requirements to maintain optimal email deliverability.
What email marketers say
Email marketers and administrators frequently grapple with the practical implications of TLS support, especially when implementing policies like forced TLS for outgoing mail. Their primary concern is often how to reliably identify email service providers that might not support TLS, leading to message bounces or unencrypted delivery. Marketers seek efficient ways to test these scenarios and ensure their mail flows are as secure as possible, balancing security needs with deliverability expectations. They often share specific instances of domains that have presented TLS challenges.
Key opinions
Testing for bounces: Marketers actively seek ways to test their mail servers' forced TLS settings by sending to recipients known not to support TLS, aiming to trigger a bounce and confirm behavior.
Identifying legacy domains: Specific older domains, like @btopenworld.com, and certain government mail systems have been noted for not supporting TLS.
Tool reliance: Tools that can test receiver TLS support are highly valued for diagnosing potential issues before widespread deployment.
Evolving standards: Many discussions revolve around the shift from TLS 1.0/1.1 to 1.2/1.3, highlighting the need for systems to keep pace with these changes.
Key considerations
Unintended delivery failures: Enforcing strict TLS can lead to unexpected email delivery failures if recipients are on non-compliant systems, impacting email deliverability.
Understanding bounce codes: Interpreting bounce messages, such as 'STARTTLS is not available,' is crucial for troubleshooting deliverability problems related to TLS.
Gmail's opportunistic TLS: Marketers note that Gmail will still deliver messages even if the receiving server doesn't use TLS, but the connection will not be secure, so that traffic is not protected by TLS encryption.
Maintaining security: The push for TLS 1.2 and newer versions by major providers means older systems must be updated or email exchanges will occur over insecure channels.
Marketer view
Marketer from Email Geeks shares their experience by stating they were trying to force a bounce on their mail server by sending to a recipient without TLS.
06 Dec 2024 - Email Geeks
Marketer view
Marketer from EduGeek.net recalls that @btopenworld.com, an older domain, did not support TLS encryption for email.
22 Mar 2025 - EduGeek.net
What the experts say
Experts in email deliverability and security largely agree that non-TLS supporting email providers are becoming increasingly rare, especially among major global players. They emphasize the security imperative of using TLS and the diminishing tolerance for unencrypted email. While isolated cases of legacy systems or less common services might still exist without modern TLS, the industry trend is strongly towards mandatory encryption. Experts often highlight that a lack of TLS support from a recipient is a significant security vulnerability and can negatively impact sender reputation and message deliverability for those enforcing secure transport.
Key opinions
Near universal STARTTLS: Many experts cite high percentages (e.g., over 90%) of mail servers supporting STARTTLS, making complete non-support highly unusual for active domains.
Security priority: The secure transmission of email via TLS is considered a fundamental security practice, reducing the risk of data interception. This is also why a receiver's inbound TLS support affects email deliverability.
Legacy outlier: While rare, any remaining non-TLS supporting providers are typically older, less maintained systems or those in regions with different digital infrastructure priorities.
Forced TLS implications: Experts advise that if a sender forces TLS, they must be prepared for delivery failures to any recipient domains that lack the necessary support.
Key considerations
Data exposure: Sending unencrypted email exposes sensitive information to potential interception by third parties.
Compliance: Many regulatory frameworks now implicitly or explicitly require encrypted communication, making TLS non-compliance a legal risk.
Sender reputation impact: Major email providers (MBPs) prioritize security; sending unencrypted emails, if detected, could negatively impact a sender's email domain reputation over time.
Migration strategies: Organizations with older systems need strategies to migrate to TLS-compliant infrastructure or risk deliverability failures as more MBPs enforce strict TLS.
Expert view
Expert from SpamResource.com emphasizes the broad adoption of STARTTLS, noting that over 90% of mail servers typically support it, making non-support rare.
22 Mar 2025 - SpamResource.com
Expert view
Expert from WordtotheWise.com highlights that modern email ecosystems largely rely on TLS for secure communication, making non-TLS endpoints a significant security risk for senders.
22 Mar 2025 - WordtotheWise.com
What the documentation says
Official documentation and industry guidelines consistently reinforce the importance of TLS for email security. Major email service providers and security bodies have progressively phased out support for older, less secure TLS versions (like 1.0 and 1.1), urging or mandating the use of TLS 1.2 or newer. This push is driven by the need for stronger encryption and protection against cyber threats. Documentation often clarifies that while unencrypted delivery might still occur in some cases (opportunistic TLS), it comes with significant security trade-offs, making secure transport the preferred and increasingly enforced standard.
Key findings
Deprecation timelines: TLS versions 1.0 and 1.1 were officially deprecated in 2020, and major providers have subsequently ceased supporting them for email.
Current standards: TLS 1.3 is the latest protocol, with TLS 1.2 being widely adopted as a minimum requirement for secure email communication by most providers.
Major provider compliance: Entities like Microsoft, Yahoo, and various national cybersecurity centers (NCSC-UK, NCSC-NL) have disabled or strongly recommend against using older TLS versions.
Conditional delivery: Some systems, like Gmail, might still deliver messages if TLS is not available at the recipient's end, but the connection will not be secure; this fallback is the defining behavior of opportunistic TLS.
Key considerations
Mandatory updates: Email service providers must ensure their infrastructure supports current TLS versions to avoid deliverability issues and security vulnerabilities, as outlined in the updated Google bulk sender guidelines.
Security best practices: Adhering to modern TLS protocols is a critical security best practice for all email senders and receivers to protect data in transit.
Configuration for privacy: Configuring email systems to require TLS ensures that messages are encrypted, preventing clear-text transmission and enhancing privacy.
Understanding STARTTLS: Documentation often clarifies that STARTTLS allows an unencrypted connection to be upgraded to an encrypted one, but if the upgrade fails, delivery may proceed unencrypted unless strict TLS is enforced. This is a different failure mode from SSL/TLS key size errors.
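As an added example (not code from the page or from any provider), the following Python shows the STARTTLS upgrade decision described above, together with the 'Understanding bounce codes' and 'Gmail's opportunistic TLS' points: it parses a constructed EHLO reply for the STARTTLS capability, then applies an opportunistic ('may') or forced ('encrypt') policy to choose between encrypted delivery, cleartext fallback, and a bounce. The policy names follow Postfix's smtp_tls_security_level values; probe_receiver is a hypothetical helper that performs the same check live against a real MX host and needs network access.

```python
import smtplib
import ssl
from typing import Optional

# Versions the page says were deprecated in 2020; a session on one of these is not "secure" below.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_STARTTLS = (b"250-mx.example.net Hello\r\n250-SIZE 35882577\r\n"
                      b"250-STARTTLS\r\n250 8BITMIME\r\n")
EHLO_NO_STARTTLS = b"250-legacy.example.org\r\n250-SIZE 10240000\r\n250 HELP\r\n"


def ehlo_advertises_starttls(ehlo_reply: bytes) -> bool:
    """True if a raw multi-line 250 reply lists STARTTLS.
    Lines look like '250-KEYWORD ...' (more follow) or '250 KEYWORD' (last)."""
    for raw in ehlo_reply.splitlines():
        line = raw.decode("ascii", "replace").strip()
        if not line.startswith("250") or len(line) < 5:
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


def delivery_decision(policy: str, starttls_offered: bool,
                      negotiated: Optional[str] = None) -> str:
    """policy 'may' = opportunistic TLS, 'encrypt' = forced TLS.
    negotiated = protocol version of the established session, or None when
    STARTTLS was missing or the upgrade handshake failed."""
    if starttls_offered and negotiated and negotiated not in DEPRECATED_VERSIONS:
        return "send-encrypted"
    if policy == "encrypt":
        return "bounce"          # the 'STARTTLS is not available' style DSN
    return "send-cleartext"      # Gmail-style opportunistic fallback


def probe_receiver(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check of one MX host (needs network; hypothetical helper name)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse deprecated versions
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        offered = smtp.has_extn("starttls")
        version = None
        if offered:
            smtp.starttls(context=ctx)       # raises if the upgrade fails
            version = smtp.sock.version()    # e.g. 'TLSv1.3'
        return {"starttls_offered": offered, "tls_version": version}
```

Feeding probe_receiver's result into delivery_decision with your intended policy shows, per recipient host, whether forced TLS would bounce the message before you enable it fleet-wide.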
Technical article
Documentation from Mailgun states that TLS versions 1.0 and 1.1 were deprecated in 2020 and are no longer actively used by the majority of email service providers.
22 Mar 2025 - Mailgun
Technical article
Documentation from Mailgun confirms that TLS 1.3 is currently the most up-to-date protocol for establishing secure email connections, reflecting industry standards.