What is encryption in transit?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

So when When you hit send, your email doesn't teleport straight into someone's inbox. It hops from server to server, like a letter passing through multiple post offices. Encryption in transit means those connections between servers are locked down so nobody can read your message while it's moving.

The protocol that does this is called TLS (Transport Layer Security). When your mail server connects to the recipient's mail server via SMTP, TLS wraps that connection in encryption. The SMTP handshake starts with a STARTTLS command, which tells both servers to switch from plaintext to encrypted mode before any message content gets sent.

Years ago, TLS was "opportunistic". Servers would try to encrypt but fall back to plaintext if the other side didn't support it. That's not true anymore. Gmail, Outlook, and every major mailbox provider now require TLS. If your server can't encrypt the connection, they'll reject the email entirely. Gmail even shows a broken lock icon on messages that arrived without encryption.

What this means for you as a sender: if you're using a modern ESP (Mailchimp, SendGrid, Postmark, whatever), TLS is already on. You don't configure it. It's baked in. If you're running your own mail server, you need to make sure TLS is enabled and you're using current ciphers. Old TLS versions (1.0, 1.1) are deprecated and some mailboxes reject them now.

But The catch: TLS only protects the message while it's traveling between servers. Once it lands in the recipient's inbox, it sits there unencrypted (that's encryption at rest, a different thing). If you need end-to-end encryption where only the sender and recipient can read it, you're looking at PGP or S/MIME, which are much rarer and require setup on both sides.

How to check if your emails are using TLS: look at the email headers. There's usually a line like Received: from mail.example.com... with ESMTPS or with ESMTPS id.... The "S" means TLS was used. You can paste full headers into our free header analyzer and it'll show you exactly which hops were encrypted.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get setup help from our AI →

I read this on the Email Almanac about encryption in transit (TLS): "Encryption in transit means the connections between mail servers are locked down so nobody can read your message while it's moving. TLS (Transport Layer Security) wraps the SMTP connection in encryption. Modern ESPs handle this automatically, but if you run your own server, you need to make sure TLS is enabled and using current ciphers. TLS only protects messages in transit, once the email lands in an inbox, it's stored unencrypted unless the recipient uses encryption at rest." Help me figure out how this applies to MY setup. I need: 1. Is TLS already enabled for my emails? (How do I check?) 2. Do I need to configure anything? (Or does my ESP handle it?) 3. What are the common TLS mistakes that break delivery? (Old ciphers, expired certs, etc.) 4. How do I verify my emails are actually being encrypted in transit? (Reading headers, checking logs) --- My details (fill in what applies, the more you share, the better the advice): - Email platform/ESP: e.g. Mailchimp, SendGrid, Postmark, custom SMTP server - Domain(s): your sending domain(s) - Sending volume: e.g. 5,000/month or 500/day - Infrastructure: using an ESP vs. running my own mail server - Current challenge: [describe what prompted this question, delivery failures, security audit, etc.]

Edit the yellow boxes, then send to the AI of your choice.