SMTP TLS & STARTTLS

Encrypt email in transit between mail servers — and understand the difference between opportunistic and enforced TLS.

What is SMTP TLS & STARTTLS?

SMTP TLS encrypts email as it travels between mail servers, preventing interception and tampering in transit. STARTTLS is the SMTP extension that upgrades an unencrypted connection to encrypted mid-session. Opportunistic TLS uses encryption when both sides support it but falls back to plaintext if negotiation fails. Over 95% of email to and from Gmail now travels over TLS.

How It Works

When two servers connect, the receiver advertises STARTTLS in its EHLO response. The sender issues STARTTLS to upgrade the connection.

Opportunistic TLS: uses encryption when available, falls back to plaintext on failure. Protects against passive eavesdropping but not active downgrade attacks.

Enforced TLS (via MTA-STS): the sending server refuses to deliver if TLS is unavailable or the certificate is invalid — no fallback. This prevents downgrade attacks, but it only happens when the receiving domain publishes an MTA-STS policy, because that policy is how senders learn that enforcement is required.

Why It Matters

Opportunistic TLS is vulnerable to active attacks that strip the STARTTLS advertisement or command, leaving the session in plaintext. MTA-STS closes this gap for mail inbound to the domain that publishes the policy, since senders honoring it will not fall back. Both Google and Microsoft have required TLS for message transmission in their sender requirements since 2023/2024. An expired or misconfigured certificate in enforce mode will stop mail flow entirely.

How EmailExacto Helps

TLS Enforcement in EmailExacto

EmailExacto's email infrastructure uses TLS on all connections and enforces MTA-STS for inbound delivery to emailexacto.net.

  • MTA-STS enforce mode — all inbound delivery requires valid TLS
  • TLS-RPT monitoring — receives and parses TLS failure reports
  • TLS-RPT contributes 7 points to your deliverability score
  • Daily TLS-RPT digest shows session success rates and failure breakdown

What to Get Right

Ensure your mail server supports STARTTLS and has a valid, unexpired TLS certificate.

Deploy MTA-STS to enforce TLS for inbound delivery.

Pair MTA-STS with TLS-RPT to detect when senders fail TLS requirements.

Use TLS 1.2 or higher — TLS 1.0 and 1.1 are deprecated.

Monitor certificate expiry — lapsed certificates in enforce mode stop mail flow.

Review TLS-RPT reports after adding MTA-STS to identify senders that can't complete TLS.
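A small probe, added here as an example (not EmailExacto's own tooling), that does what an enforcing sender does and then checks the results against the points above: EHLO, look for STARTTLS, upgrade under a verifying context, and report the negotiated version and certificate expiry. `evaluate()` and `check_starttls()` are this example's own names, and `mx.example.net` is a placeholder host.

```python
import ssl
import smtplib
from datetime import datetime, timedelta, timezone

# Versions the page calls deprecated; anything in this set is a finding.
WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}


def evaluate(advertises_starttls, tls_version, not_after, now, warn_days=14):
    """Turn handshake facts into findings. An empty list means the server is healthy."""
    if not advertises_starttls:
        return ["STARTTLS not advertised in EHLO; opportunistic senders fall back to plaintext"]
    findings = []
    if tls_version in WEAK_VERSIONS:
        findings.append(f"negotiated {tls_version}; TLS 1.0/1.1 are deprecated, require 1.2+")
    if not_after is not None:
        remaining = not_after - now
        if remaining <= timedelta(0):
            findings.append("certificate expired; MTA-STS enforce-mode senders will refuse delivery")
        elif remaining < timedelta(days=warn_days):
            findings.append(f"certificate expires in {remaining.days} days; renew before senders reject it")
    return findings


def check_starttls(host, port=25, timeout=10):
    """Connect to an MX, upgrade with STARTTLS like a strict sender, and evaluate what we see."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, as an enforcing sender does
    now = datetime.now(timezone.utc)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return evaluate(False, None, None, now)
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLError as exc:  # untrusted, mismatched or expired certificate
            return [f"TLS handshake failed under strict validation: {exc}"]
        version = smtp.sock.version()
        cert = smtp.sock.getpeercert()
        not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
        smtp.ehlo()  # RFC 3207: re-issue EHLO over the now-encrypted channel
    return evaluate(True, version, not_after, now)


if __name__ == "__main__":
    for finding in check_starttls("mx.example.net") or ["OK: STARTTLS, TLS 1.2+, certificate valid"]:
        print(finding)
```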
