What is TLS?
TLS (Transport Layer Security) is a protocol that encrypts the connection between two mail servers when transferring an email. It ensures that the email content can’t be read or tampered with by anyone intercepting the traffic between the sender and recipient’s servers. TLS protects emails in transit — while they’re being transmitted from one server to another. It does not encrypt the email at rest (stored on the server).

How TLS works in email
When SendKit sends an email to a recipient’s mail server, the two servers perform a TLS handshake:

SendKit initiates connection
SendKit’s server connects to the recipient’s mail server and announces TLS support.
Encrypted connection established
Both servers agree on encryption parameters and establish a secure channel.
TLS modes in SendKit
SendKit supports two TLS modes per domain, configurable from the Configuration tab on your domain detail page:

Opportunistic TLS (default)
SendKit attempts a TLS connection. If the recipient’s server supports TLS, the email is sent encrypted. If it doesn’t, the email falls back to an unencrypted connection.

| Recipient supports TLS | What happens |
|---|---|
| Yes | Email sent encrypted |
| No | Email sent unencrypted |
Enforced TLS
SendKit requires a TLS connection. If the recipient’s server doesn’t support TLS, the email is not sent and returns an error.

| Recipient supports TLS | What happens |
|---|---|
| Yes | Email sent encrypted |
| No | Email rejected — not delivered |
TLS versions
TLS has gone through several versions:

| Version | Status |
|---|---|
| TLS 1.0 | Deprecated — insecure |
| TLS 1.1 | Deprecated — insecure |
| TLS 1.2 | Widely supported, secure |
| TLS 1.3 | Latest, most secure and fastest |
MTA-STS
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that lets a domain declare that it supports TLS and that sending servers should refuse to deliver email without encryption. It’s similar to HSTS for websites — it prevents downgrade attacks where an attacker forces an unencrypted connection. If a recipient’s domain publishes an MTA-STS policy, SendKit respects it and will only deliver over TLS, regardless of your domain’s TLS mode setting.

DANE
DANE (DNS-based Authentication of Named Entities) is another standard for securing email transport. It uses DNSSEC to publish the recipient server’s TLS certificate in DNS, preventing man-in-the-middle attacks even if a certificate authority is compromised. DANE is less widely deployed than MTA-STS but provides stronger guarantees. SendKit supports DANE when the recipient’s domain has it configured.

Checking TLS in email headers
You can verify that TLS was used by checking the email headers. Look for the Received header:
ESMTPS indicates TLS was used (vs ESMTP for unencrypted). The version and cipher suite are also shown.
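As an added example (not SendKit’s own code), the following script reads the Received headers of a message, classifies each hop as ESMTPS or ESMTP, pulls out the TLS version and cipher suite where the receiving server recorded them, and flags hops that used a deprecated version. The sample message, hostnames and IP addresses are constructed for illustration; the two annotation formats it parses (`version=... cipher=...` and `using TLSv... with cipher ...`) are the ones commonly written by large providers and by Postfix.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic). Received headers are read
# newest-first: the first one is an internal ESMTP hop, the second is the
# hop from the sending server to the recipient's MX, made over ESMTPS.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
 by mail.recipient.example with ESMTP id 1234abcd;
 Mon, 1 Jan 2024 12:00:01 +0000
Received: from out.sendkit.example (out.sendkit.example [203.0.113.10])
 by mx.recipient.example with ESMTPS id 5678efgh
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 1 Jan 2024 12:00:00 +0000
From: sender@example.com
To: someone@recipient.example
Subject: TLS check

body
"""

ENCRYPTED_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS"}  # trailing S = TLS, A = authenticated
WEAK_VERSIONS = {"1", "1.0", "1.1"}                    # deprecated per the version table

def normalize_version(raw):
    """Map 'TLS1_3' (Gmail style) or 'TLSv1.2' (Postfix style) to '1.3' / '1.2'."""
    return raw.upper().replace("TLSV", "").replace("TLS", "").replace("_", ".")

def analyze_hop(header):
    """Classify one Received header: protocol, TLS use, version, cipher, weakness."""
    text = " ".join(header.split())  # join folded continuation lines
    by = re.search(r"\bby\s+(\S+)", text)
    proto = re.search(r"\bwith\s+(E?SMTPS?A?)\b", text)
    proto = proto.group(1).upper() if proto else None
    tls = (re.search(r"version=(\S+)\s+cipher=(\S+)", text)
           or re.search(r"using\s+(TLSv[\d.]+)\s+with\s+cipher\s+(\S+)", text))
    version = normalize_version(tls.group(1)) if tls else None
    return {
        "by": by.group(1) if by else None,
        "protocol": proto,
        "encrypted": proto in ENCRYPTED_PROTOCOLS,
        "version": version,
        "cipher": tls.group(2) if tls else None,
        "weak": version in WEAK_VERSIONS,
    }

def audit_hops(raw_message):
    """Return one report per hop in delivery order (oldest Received header first)."""
    msg = message_from_string(raw_message)
    return [analyze_hop(h) for h in reversed(msg.get_all("Received", []))]

if __name__ == "__main__":
    for i, hop in enumerate(audit_hops(SAMPLE_MESSAGE), 1):
        print(f"hop {i}: {hop}")
```

Only the hop into the recipient’s MX is under the sending side’s control; later internal hops that show ESMTP are the recipient provider’s own infrastructure.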
FAQ
Does TLS mean my emails are end-to-end encrypted?
No. TLS encrypts emails in transit between servers. Once the email arrives at the recipient’s server, it’s decrypted and stored. The recipient’s email provider (and potentially their administrator) can read it. For end-to-end encryption, you’d need something like PGP or S/MIME, which are not related to TLS.
Should I use enforced TLS?
For most senders, opportunistic TLS is the right choice. It encrypts when possible without risking delivery failures. Use enforced TLS only if your compliance or security requirements mandate that no email be sent unencrypted, and you accept that some recipients may not receive your emails.
How many email servers support TLS today?
The vast majority. Google reports that over 95% of inbound email to Gmail is encrypted with TLS. Major providers like Outlook, Yahoo, and iCloud all support TLS. The remaining percentage is mostly small, self-hosted, or legacy mail servers.

