Understanding SSL, TLS, and STARTTLS Email Encryption

SSL, TLS, and STARTTLS refer to standard protocols used to secure email transmissions.

SSL (Secure Sockets Layer) and its successor, Transport Layer Security (TLS), provide a way to encrypt a communication channel between two computers over the Internet. In most cases, the terms SSL and TLS can be used interchangeably unless you’re referring to a specific version of the protocol.

Because TLS and SSL are application-layer protocols, senders and receivers need to know that they are being used to encrypt emails during transit. That’s where STARTTLS comes into play.

STARTTLS is an email protocol command that tells an email server that an email client, including an email client running in a web browser, wants to turn an existing insecure connection into a secure one. (By the way, the use of “TLS” in the STARTTLS command name does not mean that it only works with the TLS security protocol. It works with SSL too.)

How does SSL work?

When an email client sends and receives email, it uses TCP (Transmission Control Protocol) via the transport layer to initiate a “handshake” with the email server. During that basic setup process, the email client tells the email server which version of SSL or TLS it’s running and what cipher suites (a combination of processes used to negotiate security settings) and compression methods it wants to use.

After the setup is finished, the email server verifies its identity to the email client by sending a certificate that is trusted by the user’s software, or by a third party trusted by it. Doing so ensures that the email client isn’t sending messages to an imposter. Once the client knows it can trust the server, a key is exchanged between the two, which allows all messages sent and received to be encrypted.

Why should you care about SSL or TLS?

It’s important to use SSL or TLS with your email setup because unsecure email is a common attack vector for the bad guys. Anyone who intercepts encrypted emails is left with garbage text that they can’t do anything with, because only the email server and client have the keys to decode the messages.

This is key for ensuring the protection of user names, passwords, personal details, and other sensitive information that’s often found in emails. If an attacker discovers a weakness, they will exploit it for as long as they can and mine data that will be sold on the black market.

TLS is the preferred encryption method because it’s newer and offers more robust security features than SSL does.

It’s also a good idea to combine TLS-based email encryption with email authentication to ensure the integrity of email messages.

How does SparkPost use SSL, TLS, and STARTTLS?

SparkPost’s incoming API calls use HTTPS (the secure version of HTTP) and are SSL/TLS encrypted. If you choose to enable Encryption: STARTTLS, then TLS will be used with incoming SMTP. SparkPost also uses opportunistic TLS for outbound messages, meaning that it uses TLS to encrypt them if the receiving SMTP server supports TLS.

Learn More about SSL, TLS, and STARTTLS

Read additional SSL, TLS, and STARTTLS resources

Here are some resources that will help you dig deeper into SSL, TLS, and STARTTLS:

Get help with SSL, TLS, and STARTTLS on SparkPost

The SparkPost Support Center is a good place to start learning about SparkPost in general.

More Essential Email Resources

Develop your email industry expertise and master best practices with SparkPost’s email resources.

Email Best Practices 101

This email boot camp will help you to increase the ROI of your email operations with 15 proven tactics for boosting email deliverability.

read more

The Big Rewards of Email Deliverability

Learn how third-party data shows the deliverability difference between SparkPost and also-ran cloud service providers yields hard, bottom-line benefits.

read more

Inside the Email Deliverability Lab

This practical course is a great way to get started understanding email deliverability and how to measure email performance.

read more