What does “TLS negotiation failed” mean?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You're scanning your delivery logs, you spot "TLS negotiation failed", and your first thought is probably: did I break something, or is this on their end? Good news: there's a fairly short checklist to work through.
TLS (Transport Layer Security) is the encryption layer that protects email in transit. When two mail servers connect, they do a quick "handshake" to agree on how to encrypt the conversation. If that handshake fails, you get this error. The email either bounces or sits in a retry queue, depending on how strictly your sending server is configured.
The four most common reasons the handshake breaks:
- Expired or invalid certificate on one of the servers. This is the most common culprit on the receiving side.
- TLS version mismatch. Your server might support TLS 1.2 and 1.3, but the other end only has an older version still enabled (or has disabled something you require).
- Cipher suite incompatibility. Both servers need at least one encryption algorithm in common. No overlap means no handshake.
- STARTTLS misconfiguration. If your sending server has "enforce TLS" turned on and the receiving server can't complete the upgrade, the message bounces with a 454 error rather than falling back to plain text.
Here's the practical question: is it your problem or theirs? Start by checking whether the error happens with one destination domain or many. If it's just one domain, the receiving server is almost certainly the issue (expired cert, misconfigured TLS). If you're seeing it across multiple domains, look inward at your own TLS configuration and certificate validity.
A few things to check on your side:
- Is your server's SSL/TLS certificate valid and not expired?
- Are you running a supported TLS version (1.2 or 1.3)? TLS 1.0 and 1.1 are retired and some receivers will refuse them.
- If you have "enforce TLS" or "require TLS" turned on for specific domains, is that still appropriate? Some receiving servers genuinely can't complete TLS, and a fallback policy might be acceptable depending on the sensitivity of your content.
If the error is clearly on the receiving end and it's affecting a domain you need to reach, your best move is to contact their postmaster. You can't fix their certificate for them. (You can document the bounce code and timestamp, which makes that conversation much easier.)
Not sure where to start with your server's TLS setup? Our Email Header Analyzer can surface authentication and encryption details from a sent message. Or if you're staring at logs that don't make sense, our SOS hotline is free.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.