TLS (Transport Layer Security) encrypts email as it travels between mail servers, preventing third parties from reading or modifying messages in transit. In email, TLS is typically initiated via STARTTLS — an SMTP command that upgrades a plaintext connection to encrypted. Google reports that over 90% of inbound Gmail traffic now uses TLS. While not yet universally required, Gmail flags emails received without TLS and MTA-STS allows domain owners to enforce mandatory TLS.
What Is TLS in Email?
TLS: Encryption in Transit
TLS encrypts the connection between two mail servers during SMTP delivery. Without TLS, email travels in plaintext — readable by anyone with network access between the sending and receiving servers.
This isn't about encrypting the email itself (that's end-to-end encryption like PGP/S/MIME). TLS encrypts the pipe the email travels through. Once delivered, the email sits unencrypted on the receiving server.
How TLS Works in Email
```
Sending Server                         Receiving Server
      |                                       |
      |--- EHLO mail.example.com ------------>|
      |<-- 250-STARTTLS (capability list) ----|
      |--- STARTTLS ------------------------->|
      |<-- 220 Ready to start TLS ------------|
      |<== TLS handshake ====================>|
      |=== EHLO again, now encrypted ========>|
      |=== MAIL FROM, RCPT TO, DATA =========>|
```
The key step is STARTTLS, the command that upgrades the connection from plaintext to encrypted. Both servers must support TLS for encryption to occur. Note that the STARTTLS capability itself is advertised in plaintext, in the reply to the first EHLO. RFC 3207 therefore requires the client to send a fresh EHLO once the handshake completes and the server to discard everything it learned before the upgrade, because that state could have been tampered with.
Opportunistic vs. Enforced TLS
Opportunistic TLS (Default)
The sending server attempts STARTTLS. If the receiving server advertises it, the connection encrypts. If not, the email sends in plaintext. This is how most email works: best-effort encryption. It has two weaknesses. First, an active attacker on the path can strip the STARTTLS line from the EHLO reply and the sender will quietly fall back to plaintext. Second, most opportunistic senders do not validate the receiving server's certificate at all, so any certificate, including one presented by an interceptor, is accepted. Opportunistic TLS protects against passive eavesdropping only.
Enforced TLS (MTA-STS)
MTA-STS (RFC 8461) allows domain owners to publish a policy requiring TLS for inbound email. The domain advertises the policy with a TXT record at _mta-sts.example.com and serves the policy itself over HTTPS at https://mta-sts.example.com/.well-known/mta-sts.txt. The policy lists the permitted MX hostnames and a mode. In enforce mode, a sending server that cannot establish a validated TLS session (trusted certificate, matching hostname) to one of the listed MX hosts defers the message and retries later rather than falling back to plaintext; in testing mode it delivers anyway and only reports the failure. Because the policy is fetched over HTTPS and cached by the sender for its max_age, an attacker who can strip STARTTLS from an SMTP session can no longer cause a downgrade.
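The following is an added example, not code from the original page: the delivery decision a sending MTA makes under the rules described above, written in Python with no external dependencies. The policy text, EHLO replies and hostnames are constructed for illustration, and the example goes a little beyond the paragraph in that it also covers the testing mode and the case where no policy exists.

```python
"""Delivery decision for one outbound message under MTA-STS (RFC 8461).

Added example, not code from the original page. The policy text, EHLO
replies and hostnames below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class StsPolicy:
    mode: str                               # "enforce", "testing" or "none"
    mx: list[str] = field(default_factory=list)
    max_age: int = 0                        # seconds the sender may cache this policy


def parse_policy(text: str) -> StsPolicy:
    """Parse the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        fields.setdefault(key.strip(), []).append(value.strip())
    if fields.get("version") != ["STSv1"]:
        raise ValueError("missing or unsupported version")
    mode = fields.get("mode", [""])[0]
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"bad mode: {mode!r}")
    return StsPolicy(mode=mode, mx=fields.get("mx", []),
                     max_age=int(fields.get("max_age", ["0"])[0]))


def mx_matches(pattern: str, host: str) -> bool:
    """An 'mx:' pattern of '*.example.com' matches exactly one leading label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                # ".example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return label != "" and "." not in label
    return pattern == host


def ehlo_offers_starttls(ehlo_reply: str) -> bool:
    """True if the multi-line 250 EHLO reply advertises STARTTLS."""
    return any(re.fullmatch(r"250[ -]STARTTLS", line.strip(), re.IGNORECASE)
               for line in ehlo_reply.splitlines())


def delivery_decision(policy, mx_host: str, ehlo_reply: str, tls_ok: bool) -> str:
    """Return 'deliver-tls', 'deliver-plaintext' or 'defer'.

    tls_ok means the STARTTLS handshake completed AND the certificate chain
    validated for mx_host, which is the bar an MTA-STS sender must apply.
    """
    offered = ehlo_offers_starttls(ehlo_reply)
    if policy is None or policy.mode == "none":
        # No policy: opportunistic TLS, plaintext fallback on any failure.
        return "deliver-tls" if offered and tls_ok else "deliver-plaintext"
    mx_allowed = any(mx_matches(p, mx_host) for p in policy.mx)
    if offered and tls_ok and mx_allowed:
        return "deliver-tls"
    if policy.mode == "enforce":
        return "defer"                      # never downgrade: keep the message queued and retry
    # testing mode: behave opportunistically, but the failure is reportable
    return "deliver-tls" if offered and tls_ok else "deliver-plaintext"


# Constructed sample data (not captured from any real domain)
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""
EHLO_WITH_STARTTLS = "250-mail.example.com\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_STRIPPED = EHLO_WITH_STARTTLS.replace("250-STARTTLS\r\n", "")   # what a downgrade attacker leaves


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    for label, mx, ehlo, tls_ok in [
        ("normal", "mail.example.com", EHLO_WITH_STARTTLS, True),
        ("STARTTLS stripped", "mail.example.com", EHLO_STRIPPED, False),
        ("bad certificate", "mail.example.com", EHLO_WITH_STARTTLS, False),
        ("MX not in policy", "mail.evil.example", EHLO_WITH_STARTTLS, True),
    ]:
        print(f"{label:20s} -> {delivery_decision(policy, mx, ehlo, tls_ok)}")
```

Run it and the first case delivers over TLS while the other three defer: a stripped capability, an untrusted certificate and an MX host outside the policy all count as failures under enforce, whereas the same inputs with no policy or with mode testing fall through to plaintext.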
TLS Adoption
Google's Transparency Report shows TLS adoption for Gmail:
| Direction | TLS Usage |
|---|---|
| Inbound to Gmail | ~96% |
| Outbound from Gmail | ~96% |
The remaining 4% is shrinking. Non-TLS email increasingly comes from legacy systems, misconfigured servers, and regions with older infrastructure.
Configuring TLS
For self-hosted servers, you need:
- A valid TLS certificate — Let's Encrypt provides free certificates
- TLS enabled in your MTA. Postfix example (main.cf); the smtpd_ parameters govern inbound connections and the smtp_ parameters outbound ones:

```
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may
```

- Modern TLS versions only. Disable TLS 1.0 and 1.1 in both directions. Use the plain *_tls_protocols parameters: the *_tls_mandatory_protocols variants only take effect when the security level is encrypt or stronger, so with the may setting above they would silently do nothing:

```
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
```

On Postfix 3.6 or later the same can be written as >=TLSv1.2. Verify the running values with postconf -n | grep tls.
Practitioner note: Every self-hosted mail server I set up gets TLS configured on day one. There's no reason to skip it — Let's Encrypt certificates are free and auto-renew. A mail server without TLS in 2026 is like a website without HTTPS: technically functional, practically unacceptable.
Practitioner note: The sneaky TLS failure I see most often: expired certificates. Let's Encrypt certs expire every 90 days. If your auto-renewal cron breaks and nobody notices, your server falls back to plaintext — silently degrading security for all your email.
If your mail server's TLS configuration needs auditing or you want to implement MTA-STS, schedule a consultation — I'll verify your encryption setup end-to-end.
Sources
- RFC 8446: TLS 1.3
- RFC 3207: SMTP STARTTLS Extension
- Google: Email Encryption in Transit
- Let's Encrypt: Getting Started
v1.0 · April 2026
Frequently Asked Questions
Is email encrypted by default?
In transit, mostly yes — over 90% of email between major providers uses TLS. But TLS is opportunistic by default: if the receiving server doesn't support it, the email sends in plaintext. At rest, encryption varies by provider. End-to-end encryption (like PGP) is rare in commercial email.
What's the difference between TLS and STARTTLS?
TLS is the encryption protocol. STARTTLS is the SMTP command that initiates a TLS upgrade on an existing plaintext connection (port 25 or 587). There's also implicit TLS on port 465, which starts encrypted without the STARTTLS handshake. See our STARTTLS definition for details.
Does TLS affect deliverability?
Not directly as a filtering signal — yet. But Gmail displays a red open lock icon for emails received without TLS, which erodes recipient trust. As TLS adoption approaches 100%, non-TLS senders will increasingly stand out as suspicious.
How do I check if my server supports TLS?
Use CheckTLS.com or MXToolbox's SMTP diagnostic. Send a test email to a Gmail account and look at the Received: line added by Gmail: a message that arrived over TLS says "with ESMTPS" and names the negotiated version and cipher (for example version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384), while a plaintext hop says "with ESMTP" and has no version. Or connect manually with 'openssl s_client -starttls smtp -connect mail.yourdomain.com:25 -servername mail.yourdomain.com'; pass -servername so a server hosting several certificates picks the right one, and check the Verification line and the protocol reported after the handshake.
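The manual openssl check tells you whether TLS works right now; the silent failure worth monitoring is the one described in the practitioner note above, an expired certificate that nobody notices, together with a legacy protocol version. Below is an added example, not code from the original page or any tool it names: a Python probe using only the standard library that does the EHLO/STARTTLS exchange the way a sending MTA does, validates the certificate as an MTA-STS enforcing sender would, and turns the result into findings an alert can fire on. The host mail.example.com and the 14-day threshold are placeholders.

```python
"""STARTTLS health probe for a mail server.

Added example, not code from the original page. Connects in plaintext,
upgrades with STARTTLS like a sending MTA, and reports legacy protocol
versions, certificates that do not validate, and certificates that are
expired or about to expire. Host names and thresholds are placeholders.
"""
import smtplib
import ssl
import sys
import time

LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}


def evaluate(version, not_after_epoch, verified, now=None, min_days=14):
    """Return a list of findings; an empty list means the server is healthy.

    version:         e.g. "TLSv1.3", or None if no TLS session was established
    not_after_epoch: certificate expiry as seconds since the epoch, or None
    verified:        True if the chain and hostname validated
    """
    now = time.time() if now is None else now
    findings = []
    if version is None:
        findings.append("no TLS session established")
    elif version in LEGACY_VERSIONS:
        findings.append(f"legacy protocol negotiated: {version}")
    if not verified:
        findings.append("certificate did not validate for this hostname")
    if not_after_epoch is not None:
        days_left = (not_after_epoch - now) / 86400
        if days_left < 0:
            findings.append(f"certificate expired {-days_left:.1f} days ago")
        elif days_left < min_days:
            findings.append(f"certificate expires in {days_left:.1f} days")
    return findings


def probe_starttls(host, port=25, timeout=10.0):
    """Do EHLO, STARTTLS and a validated handshake against host; return what was seen.

    ssl.create_default_context() checks the chain and the hostname, which is
    the bar an MTA-STS enforcing sender applies. Opportunistic senders usually
    skip validation, so a server can look fine to them and still fail here.
    """
    result = {"host": host, "starttls_offered": False, "verified": False,
              "version": None, "cipher": None, "not_after": None, "error": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return result        # not advertised: a sender would fall back to plaintext
        result["starttls_offered"] = True
        try:
            smtp.starttls(context=ssl.create_default_context())
        except ssl.SSLCertVerificationError as exc:
            result["error"] = str(exc)
            return result
        smtp.ehlo()              # RFC 3207: re-learn capabilities after the upgrade
        result["verified"] = True
        result["version"] = smtp.sock.version()
        result["cipher"] = smtp.sock.cipher()[0]
        not_after = smtp.sock.getpeercert()["notAfter"]   # e.g. "Jun 12 09:15:00 2026 GMT"
        result["not_after"] = ssl.cert_time_to_seconds(not_after)
    return result


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"   # placeholder host
    r = probe_starttls(host)
    findings = evaluate(r["version"], r["not_after"], r["verified"])
    if r["error"]:
        findings.append(r["error"])
    print(f"{host}: STARTTLS offered={r['starttls_offered']} "
          f"version={r['version']} cipher={r['cipher']}")
    for finding in findings:
        print("  !", finding)
    sys.exit(1 if findings else 0)
```

Run it from cron against each MX and page on a non-zero exit. The split between probe_starttls and evaluate is deliberate: the probe is the only part that touches the network, so the alerting thresholds can be tested offline with synthetic expiry times.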
What TLS version should my server use?
TLS 1.2 minimum. TLS 1.3 preferred. TLS 1.0 and 1.1 are deprecated and increasingly rejected. Check your server configuration and disable older versions.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.