Glossary

TLS Encryption for Email — STARTTLS and MTA-STS

TLS (Transport Layer Security) encrypts the SMTP connection between mail servers while a message is in transit. Most mail servers support STARTTLS, the SMTP extension that upgrades a plain text connection to an encrypted one. STARTTLS is opportunistic, though: a network attacker who can tamper with the connection can remove the STARTTLS offer, and both servers will carry on in plain text without noticing. MTA-STS (SMTP MTA Strict Transport Security, RFC 8461) closes that gap by letting the receiving domain publish a policy that tells sending servers to use TLS, with a valid certificate for one of the listed MX hosts, or fail rather than fall back to plain text.

STARTTLS vs Forced TLS

STARTTLS: opportunistic. Tries TLS and falls back to plain text if the upgrade is unavailable.
MTA-STS: enforced. Requires TLS with a valid certificate for a listed MX host, or refuses delivery.

Why TLS Alone Isn't Enough

Without MTA-STS, a network attacker positioned between two mail servers can remove the STARTTLS capability from the receiving server's EHLO reply (or answer the sender's STARTTLS command with an error). The sending server, seeing no TLS on offer, delivers in plain text, and neither side logs anything unusual: the sender did exactly what opportunistic STARTTLS tells it to do. Note that MTA-STS only protects a domain against senders that implement it; a sending server that ignores the policy still falls back to plain text.

FAQ

What is TLS for email?

Encryption of the SMTP connection between mail servers while a message is in transit. It prevents interception on the wire during delivery; it does not encrypt the message itself once it has been stored on the receiving server.

What is STARTTLS?

An SMTP extension that upgrades a plain text connection to TLS. It is opportunistic: if the STARTTLS offer is removed from the connection, the sender simply continues in plain text, so it can be stripped by an attacker unless the receiving domain publishes an MTA-STS policy and the sender enforces it.

How do I enforce TLS for my domain?

Publish an MTA-STS policy: a DNS TXT record at _mta-sts.<yourdomain> and a policy file served over HTTPS at https://mta-sts.<yourdomain>/.well-known/mta-sts.txt that lists your MX hosts and sets mode: enforce. Sending servers that support MTA-STS then use TLS with a valid certificate or refuse delivery, preventing silent downgrades. Start with mode: testing and use TLS reporting (TLSRPT, RFC 8460) to confirm that every MX host passes before switching to enforce.
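The following is an added example (not code from the original page) that ties together the "Why TLS Alone Isn't Enough" section and the enforcement answer above. It parses a constructed MTA-STS policy in the RFC 8461 key-value format, checks MX hostnames against the policy's exact and wildcard entries, and models the sending server's decision when the receiving server's EHLO reply does or does not advertise STARTTLS. The policy text, the hostnames under example.com and the EHLO reply lines are all constructed for illustration; the script makes no network or DNS requests and leaves out policy fetching and caching.

```python
"""MTA-STS policy evaluation and STARTTLS-downgrade simulation (added example).

Constructed inputs only: the policy, MX names and EHLO replies below are
illustrative and no network access is made. Policy syntax follows RFC 8461.
"""

# Constructed sample of what would be served at
# https://mta-sts.example.com/.well-known/mta-sts.txt (example.com is a placeholder).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

# Constructed EHLO reply from an honest receiving server. The final line uses
# "250 " (space) instead of "250-" as SMTP requires for the last line.
HONEST_EHLO = [
    "250-mail.example.com",
    "250-STARTTLS",
    "250-SIZE 52428800",
    "250 8BITMIME",
]


def parse_policy(text):
    """Parse an MTA-STS policy file into a dict; all 'mx' lines are collected."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported MTA-STS policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS mode")
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy


def mx_matches(pattern, hostname):
    """RFC 8461 MX match: exact name, or '*.' covering exactly one leftmost label."""
    hostname = hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return hostname == pattern


def starttls_offered(ehlo_lines):
    """True if any 250 reply line advertises the STARTTLS capability."""
    for line in ehlo_lines:
        words = line[4:].split() if line.startswith("250") else []
        if words and words[0].upper() == "STARTTLS":
            return True
    return False


def strip_starttls(ehlo_lines):
    """Model the on-path attacker: drop the STARTTLS capability line."""
    return [line for line in ehlo_lines if not starttls_offered([line])]


def decide_delivery(ehlo_lines, mx_host, cert_valid, policy=None):
    """Return 'tls', 'plaintext' or 'refuse' for the sending server's next step.

    With no policy (or a non-enforce policy) the sender behaves opportunistically:
    a missing STARTTLS offer silently becomes plain text. With mode: enforce the
    MX must match the policy, STARTTLS must be offered and the certificate must
    validate, otherwise delivery is refused.
    """
    offered = starttls_offered(ehlo_lines)
    if policy is None or policy["mode"] != "enforce":
        return "tls" if offered else "plaintext"
    if not any(mx_matches(p, mx_host) for p in policy["mx"]):
        return "refuse"
    if not offered or not cert_valid:
        return "refuse"
    return "tls"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for label, ehlo in (("honest", HONEST_EHLO), ("stripped", strip_starttls(HONEST_EHLO))):
        print(label, "opportunistic:", decide_delivery(ehlo, "mail.example.com", True))
        print(label, "mta-sts enforce:", decide_delivery(ehlo, "mail.example.com", True, policy))
```

Run it and compare the two "stripped" lines: without a policy the stripped reply yields plaintext delivery with no error, while the enforce-mode policy turns the same reply into a refusal, which is exactly the downgrade MTA-STS exists to prevent. In testing mode the decision is the opportunistic one, which is why the FAQ above recommends confirming via TLS reporting before switching to enforce.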