Why It Matters
Without SSL/TLS, your emails travel across the internet as plain text — readable by anyone who intercepts them. That includes login credentials, message content, and attachments. Google has publicly stated that TLS is a positive signal for email deliverability. As of 2024, over 90% of inbound Gmail traffic uses TLS encryption. If your server doesn't support it, you're in the shrinking minority that looks suspicious.
How It Works
When two email servers connect, they negotiate encryption through a TLS handshake. The most common method is STARTTLS, which upgrades a plain-text SMTP connection to an encrypted one. The receiving server advertises STARTTLS in its reply to the sender's EHLO command, the sending server issues STARTTLS, the receiving server presents its certificate, the two sides agree on a protocol version and cipher suite, and the rest of the session proceeds encrypted. If STARTTLS is not offered or the handshake fails, most servers fall back to unencrypted delivery rather than dropping the message. This encrypt-if-available behavior is called "opportunistic TLS." It protects against passive eavesdropping but not against an active attacker on the path who strips the STARTTLS advertisement, since the sender simply continues in plain text; that gap is what MTA-STS (below) is designed to close.
Quick Tips
- Use port 587 with STARTTLS for email submission — it's the recommended standard.
- Configure your server to require TLS 1.2 or higher. TLS 1.0 and 1.1 are deprecated and have known vulnerabilities.
- Check your TLS configuration at checktls.com to make sure your certificate is valid and properly installed.
- If you want to enforce TLS and prevent fallback to unencrypted delivery, look into MTA-STS (Mail Transfer Agent Strict Transport Security). It lets your domain publish a policy (a DNS TXT record plus a policy file served over HTTPS) that tells sending servers to refuse delivery unless the connection uses valid TLS to one of your listed MX hosts.
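The delivery decision described in "How It Works" and the MTA-STS enforcement mentioned in the last tip can be modelled in a few functions. The Python below is an added example, not code from the original article or from any mail server; the EHLO reply and MTA-STS policy text are constructed sample data, and the `delivery_decision` function is a simplified model of what a sending MTA does after the EHLO exchange (real MTAs also cache policies, honour `max_age`, and report failures).

```python
"""Added example: how a sending MTA decides between encrypted delivery,
plaintext fallback (opportunistic TLS) and refusal (MTA-STS enforce mode).
No network access; all inputs are constructed sample data."""
from dataclasses import dataclass, field
from typing import List, Optional

# Protocol names as returned by ssl.SSLSocket.version(); tip: require TLS 1.2 or higher.
TLS_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_TLS = "TLSv1.2"

# Constructed EHLO reply from a receiving server that advertises STARTTLS.
SAMPLE_EHLO = ("250-mx.example.net Hello\r\n"
               "250-SIZE 35882577\r\n"
               "250-STARTTLS\r\n"
               "250 ENHANCEDSTATUSCODES\r\n")

# Constructed MTA-STS policy file, as served at https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = ("version: STSv1\n"
                 "mode: enforce\n"
                 "mx: mx.example.net\n"
                 "mx: *.backup.example.net\n"
                 "max_age: 86400\n")


@dataclass
class StsPolicy:
    mode: str                                  # "none", "testing" or "enforce"
    mx_patterns: List[str] = field(default_factory=list)


def parse_sts_policy(text: str) -> StsPolicy:
    """Parse the key/value MTA-STS policy format (RFC 8461); 'mx' may repeat."""
    fields, mx = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    mode = fields.get("mode", "none")
    if mode not in ("none", "testing", "enforce"):
        raise ValueError(f"bad mode {mode!r}")
    return StsPolicy(mode=mode, mx_patterns=mx)


def ehlo_offers_starttls(ehlo_response: str) -> bool:
    """True if the EHLO reply lists STARTTLS ("250-STARTTLS" or final "250 STARTTLS")."""
    for line in ehlo_response.splitlines():
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def mx_matches(hostname: str, pattern: str) -> bool:
    """RFC 8461 MX matching: exact match, or a leading '*.' covering exactly one label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return hostname.endswith("." + suffix) and "." not in hostname[: -len(suffix) - 1]
    return hostname == pattern


def version_acceptable(version: Optional[str]) -> bool:
    """Reject anything below MIN_TLS (deprecated TLS 1.0/1.1) or an unknown name."""
    return TLS_RANK.get(version or "", 0) >= TLS_RANK[MIN_TLS]


def delivery_decision(ehlo_response: str, mx_host: str,
                      negotiated: Optional[str], policy: Optional[StsPolicy]) -> str:
    """Return 'deliver-tls', 'deliver-plaintext' or 'refuse'.

    negotiated is the protocol version the STARTTLS handshake produced, or None
    when STARTTLS was not offered or the handshake (certificate validation
    included) failed.
    """
    tls_ok = ehlo_offers_starttls(ehlo_response) and version_acceptable(negotiated)
    if policy is not None and policy.mode == "enforce":
        mx_ok = any(mx_matches(mx_host, p) for p in policy.mx_patterns)
        # Enforce mode: a missing STARTTLS, a failed handshake, a weak version or
        # an MX outside the policy all mean the message must not be sent.
        return "deliver-tls" if (tls_ok and mx_ok) else "refuse"
    # Opportunistic TLS (no policy, or mode none/testing): encrypt when possible,
    # otherwise fall back to an unencrypted session.
    return "deliver-tls" if tls_ok else "deliver-plaintext"


if __name__ == "__main__":
    policy = parse_sts_policy(SAMPLE_POLICY)
    print(delivery_decision(SAMPLE_EHLO, "mx.example.net", "TLSv1.3", policy))
    print(delivery_decision(SAMPLE_EHLO, "mx.example.net", None, policy))
    print(delivery_decision(SAMPLE_EHLO, "mx.example.net", None, None))
```

The three calls at the bottom contrast the cases the article describes: a good handshake to a listed MX delivers over TLS, a failed handshake under an enforce-mode policy is refused, and the same failure with no policy silently falls back to plaintext. Switching the sample policy's mode to `testing` restores the fallback, which is why the tip recommends moving to `enforce` once your TLS setup checks out.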