What is TLS and how does it secure email in transit?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
TLS (Transport Layer Security) is the encryption protocol that scrambles your email while it's traveling between mail servers. Think of it as putting your message in a locked box instead of a postcard anyone can read mid-flight.
When your ESP hits send, your email hops from server to server until it reaches the recipient's inbox. Without TLS, anyone with access to that path (your ISP, your recipient's ISP, any server in between) can read the message in plain text. With TLS, the connection is encrypted. Even if someone intercepts the transmission, all they see is gibberish.
But Here's what happens during a TLS handshake between two mail servers:
- The sending server (yours) connects to the receiving server and says, "Do you support TLS?"
- If yes, they negotiate which encryption method to use (there are several, and they pick the strongest one both support).
- They exchange certificates to verify each other's identity. This prevents a man-in-the-middle attack where someone pretends to be the destination server.
- Once verified, they establish an encrypted tunnel. Your email travels through that tunnel, unreadable to anyone watching.
Most modern ESPs (Mailchimp, SendGrid, Postmark, Brevo) enforce TLS by default. If you're sending through AWS SES or Mailgun, TLS is on but you can check your sending logs to confirm.
Now the critical thing TLS doesn't protect: your email sitting in someone's inbox. TLS only encrypts the journey. Once the message lands in the recipient's mailbox, it's stored in plain text (unless they use end-to-end encryption like ProtonMail). If someone hacks their Gmail account, they can read everything. TLS prevents eavesdropping in transit, not theft at rest.
How to verify TLS is working: if you're using a major ESP, it's already on. If you run your own mail server or use a legacy SMTP provider, check your server logs for "STARTTLS" (that's the command that initiates TLS). You can also send a test email to yourself and check the headers for lines like "with ESMTPS" or "TLS cipher." If you see "ESMTP" without the "S," TLS wasn't used.
Common mistake: assuming TLS means your email is private. It's more private than sending unencrypted, but mailbox providers (Gmail, Outlook, Yahoo) can still scan your message for spam, ads, or compliance once it lands. TLS protects the pipe, not the final destination.
And if you need to check whether your server enforces TLS, or if you're troubleshooting a connection error related to encryption, you can test the handshake with our Email Header Analyzer to see exactly what happened during delivery.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.