What are SSL/TLS handshake failures?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You hit send, your server reaches out to the receiving server, and before a single byte of email gets transferred, the two systems have to agree on how to encrypt the connection. That negotiation is the TLS handshake. When it fails, the email either can't be delivered at all or falls back to an unencrypted connection, depending on how strict both sides are.

Think of it as two people trying to shake hands but one extends their right hand and the other expects a fist bump. Neither move connects, and the whole thing stalls.

There are four common reasons a handshake breaks down. An expired certificate is the most frequent culprit: the receiving server's certificate has passed its validity date and your sending server refuses to trust it. A certificate mismatch happens when the certificate's registered name doesn't match the hostname your server is connecting to (more on that in the next question about certificate mismatches). Protocol incompatibility means one side supports TLS 1.2 or 1.3 and the other only speaks an older version. And a cipher suite mismatch means the two servers can't agree on a shared encryption algorithm, even if they agree on the protocol version.

What happens to your email when the handshake fails depends on the sending server's policy. If opportunistic TLS is in play, the connection might fall back to plaintext and the email delivers without encryption. That's not ideal from a security standpoint, but at least it arrives. If the policy requires strict TLS (which is increasingly common), the connection drops and you'll typically see a 454 error code or a similar temporary failure bounce.

One thing worth knowing: most of the time, this isn't your fault. The handshake failure usually lives on the receiving server's side, an expired certificate they haven't renewed, a misconfigured hostname, or an old TLS version still running. You can check your own TLS configuration is up to date, but if the problem only occurs with one specific receiving domain, it's almost certainly theirs to fix.

If you're seeing this error repeatedly and you're stuck, drop a message through our SOS hotline and we'll help you read the bounce details and figure out whose server actually needs attention.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Diagnose my handshake failure

We're seeing SSL/TLS handshake failures when sending to a specific domain. Based on the error details, help me figure out the most likely cause (expired cert, protocol mismatch, cipher suite issue, or hostname mismatch) and whether this is something we need to fix on our end or report to the receiving domain. Also tell me what a 454 error in this context actually means for delivery.

Edit the yellow boxes, then send to the AI of your choice.