Quick Answer

STARTTLS is an SMTP extension command (RFC 3207) that upgrades an existing plaintext connection to an encrypted TLS connection. When a sending server connects to port 25 or 587, it first communicates in plaintext, then issues the STARTTLS command to negotiate encryption before transmitting the email. This is different from implicit TLS (port 465), which starts encrypted from the first byte. STARTTLS is opportunistic by default — if the receiving server doesn't advertise it, the email sends unencrypted.

What Is STARTTLS?

By Braedon · Mailflow Authority · definitions

STARTTLS: The Encryption Upgrade Command

STARTTLS isn't encryption itself — it's the SMTP command that says "let's switch to encryption." The connection starts in plaintext (so the servers can negotiate), then upgrades to TLS before any email content is transmitted.

This upgrade-in-place approach is what makes STARTTLS different from implicit TLS, where the connection starts encrypted from the first byte.

How STARTTLS Works

Client: EHLO sender.example.com
Server: 250-STARTTLS              ← Server advertises STARTTLS support
Client: STARTTLS                  ← Client requests encryption
Server: 220 Ready to start TLS   ← Server agrees
        === TLS Handshake ===     ← Encryption negotiated
Client: EHLO sender.example.com  ← SMTP restarts over encrypted channel
Server: 250 OK
Client: MAIL FROM:<[email protected]>
        ... encrypted from here ...

The critical detail: the server must advertise 250-STARTTLS in its EHLO response. If it doesn't, the client has no way to request encryption.

The Downgrade Attack Problem

Because STARTTLS negotiation happens in plaintext, a network attacker can modify the server's EHLO response to remove the STARTTLS advertisement. The sending server sees no TLS support and delivers in plaintext.

This is called a STARTTLS stripping attack, and it's the fundamental weakness of opportunistic encryption.
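The exchange above and the stripped variant of it, as an added example written for this page (not code from the original post): the EHLO replies are constructed, and the decision functions model what a sending MTA does under opportunistic versus required-TLS policy. The live_check function audits a real host with Python's standard smtplib and is the only part that needs network access.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from a real server). A multi-line SMTP
# reply uses "250-" on continuation lines and "250 " on the final line.
EHLO_OK = "250-mx.example.net\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
# The same reply after an on-path attacker has removed the STARTTLS line.
EHLO_STRIPPED = "250-mx.example.net\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"

def parse_ehlo(reply: str) -> tuple[int, set[str]]:
    """Return (status code, set of advertised extension keywords, upper-cased)."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    code = int(lines[0][:3])
    exts = {ln[4:].split()[0].upper() for ln in lines[1:] if len(ln) > 4}
    return code, exts

def after_ehlo(reply: str, require_tls: bool) -> str:
    """'upgrade'   - STARTTLS advertised, client issues the STARTTLS command
    'plaintext' - not advertised, opportunistic policy: the silent downgrade
    'refuse'    - not advertised, TLS required: delivery is deferred instead."""
    code, exts = parse_ehlo(reply)
    if code != 250:
        return "refuse"
    if "STARTTLS" in exts:
        return "upgrade"
    return "refuse" if require_tls else "plaintext"

def after_starttls(reply: str, require_tls: bool) -> str:
    """RFC 3207: only a 220 reply permits the TLS handshake. A 454 means TLS is
    temporarily unavailable; an opportunistic client may continue in plaintext."""
    code = int(reply[:3])
    if code == 220:
        return "handshake"
    if code == 454 and not require_tls:
        return "plaintext"
    return "refuse"

def live_check(host: str, port: int = 25) -> dict:
    """Audit one real server (needs network): STARTTLS advertised? cert valid?"""
    result = {"host": host, "starttls": False, "cert_valid": False}
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        result["starttls"] = smtp.has_extn("starttls")
        if result["starttls"]:
            try:
                smtp.starttls(context=ssl.create_default_context())
                result["cert_valid"] = True       # chain and hostname verified
            except ssl.SSLError as exc:
                result["error"] = str(exc)        # self-signed, expired, wrong name
    return result
```

A server whose cert fails validation shows up with starttls=True and cert_valid=False, which is exactly the silent-fallback case the practitioner note below describes.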

Solutions

  • MTA-STS: Domain publishes a policy via HTTPS requiring TLS. Sending servers cache this policy and refuse plaintext delivery.
  • DANE (TLSA records): DNS publishes the expected TLS certificate. Sending servers verify the certificate matches, preventing both stripping and certificate substitution. Requires DNSSEC.
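The sending-side half of MTA-STS, as an added example that is not part of the original post: it parses an RFC 8461 policy file (constructed text, example domain names) and applies the rule that in enforce mode a message is delivered only to an MX host that matches the policy and presents a valid certificate.

```python
# Constructed policy text, as a domain would serve it from
# https://mta-sts.<domain>/.well-known/mta-sts.txt (hostnames are examples).
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.backup.example.com
max_age: 604800
"""

def parse_policy(text: str) -> dict:
    """Parse an RFC 8461 policy file into a dict; 'mx' collects every mx line."""
    policy: dict = {"mx": []}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue                      # blank or malformed line
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy["max_age"])
    return policy

def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 matching: '*.example.com' matches exactly one leftmost label,
    so 'a.example.com' matches but 'example.com' and 'b.a.example.com' do not."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]              # ".example.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return host == pattern

def delivery_allowed(policy: dict, mx_host: str, tls_verified: bool) -> bool:
    """Sending-side decision for one MX host. In enforce mode the host must match
    a policy mx pattern AND the certificate must validate; otherwise the message
    is not sent in plaintext (it is deferred and retried later)."""
    if policy["mode"] != "enforce":
        return True                       # testing/none: deliver, report failures
    matched = any(mx_matches(p, mx_host) for p in policy["mx"])
    return matched and tls_verified
```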

STARTTLS vs. Implicit TLS

Feature             STARTTLS            Implicit TLS
Port                25, 587             465
Connection start    Plaintext           Encrypted
Upgrade             Explicit command    Not needed
Downgrade risk      Yes                 No
Server-to-server    Standard            Rare
Client-to-server    Port 587            Port 465

For server-to-server email delivery (MX traffic), STARTTLS on port 25 is the universal standard. Implicit TLS on port 465 is primarily used for client submission (your email app connecting to your mail server).

Configuration

Postfix STARTTLS configuration:

# Inbound (receiving) STARTTLS
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key

# Outbound (sending) STARTTLS
smtp_tls_security_level = may
smtp_tls_loglevel = 1

may means opportunistic: use TLS if the other side offers it, fall back to plaintext if not. Change it to encrypt to require TLS (on the outbound side this breaks delivery to servers that don't offer STARTTLS).

Practitioner note: I check STARTTLS support on every mail server I audit. The most common issue isn't missing STARTTLS — it's misconfigured certificates. Self-signed or expired certs cause some sending servers to fall back to plaintext silently. Use a valid Let's Encrypt cert and set up auto-renewal.

Practitioner note: If you're on a self-hosted server and want to go beyond opportunistic STARTTLS, implement MTA-STS. It takes 15 minutes to set up and eliminates downgrade attacks for your inbound email. DANE is stronger but requires DNSSEC, which most domains don't have.

If your mail server's STARTTLS configuration needs verification, schedule a consultation — I'll test your TLS setup and close any encryption gaps.

v1.0 · April 2026

Frequently Asked Questions

Is STARTTLS the same as TLS?

No. TLS is the encryption protocol. STARTTLS is the SMTP command that initiates TLS on a connection that started as plaintext. Think of STARTTLS as the 'switch to encrypted mode' command within an SMTP conversation.

What port does STARTTLS use?

STARTTLS works on port 25 (server-to-server) and port 587 (client-to-server submission). Port 465 uses implicit TLS instead — the connection starts encrypted without needing STARTTLS.

Is STARTTLS secure?

It provides encryption in transit, but it's vulnerable to downgrade attacks — a man-in-the-middle can strip the STARTTLS capability from the server's response, forcing plaintext delivery. MTA-STS and DANE solve this by letting domains enforce TLS requirements.

What happens if STARTTLS fails?

By default, the sending server falls back to plaintext delivery. The email still sends — just unencrypted. This is opportunistic TLS. You can configure your server to require TLS (no fallback), but this may cause delivery failures to servers that don't support it.

Want this handled for you?

Free 30-minute strategy call. Walk away with a plan either way.