Creating Options for More Secure Message Streams

For years, SparkPost has offered opportunistic TLS support, meaning we send encrypted traffic whenever possible. This allows us to offer a more secure product out-of-the-box while continuing to play well with others that are slow to adopt email best-practices. You can check out some statistics from a partnership between Message Systems (Us!) and Twitter a few years ago that highlights the current state of various providers’ security policies. 

As part of our commitment to being the best email solution for the world’s most security conscious organizations, we have upgraded the functionality of our IP Pools to allow StrictTLS enforcement. This means we’ll drop any message that wouldn’t be delivered using TLS. We also offer the ability to inform you of failure reasons for this drop so you can decide how best to proceed. 

SparkPost categorizes failures to use TLS one of three ways.

  1. Negotiation failed. This means that although we have no knowledge if TLS is supported by the receiving domain or not – we were unable to establish a TLS connection likely due to some misconfiguration between servers.
  2. The receiving domain signaled that it was capable of using TLS but the server responded with a 4xx to SparkPost’s STARTTLS request.
  3. TLS is not supported by the receiving domain. 

Although the latter option is becoming less common as more and more domains opt to use TLS, it is still a possibility for smaller operations. 

Combining a StrictTLS pool with an opportunistic TLS pool and leveraging SparkPost webhooks; customers can begin to implement a StrictTLS mentality without immediately dropping messages. 

Here’s one example of how this might work:

Over time, we’ll continue to provide additional, innovative options for our customers to customize and best-fit the security of their message stream. 

Interested in StrictTLS or have an idea on how we should focus efforts for our next iteration? Reach out to me directly at harold.vass@sparkpost.com or better yet – book me directly for a quick 15 minute chat using my Calendly link.

To enable this for your IP Pools, reach out to our support team.

Cheers,

Harold Vass

Technical Product Manager