How do I configure TLS encryption for sending?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

TLS (Transport Layer Security) encrypts the connection between mail servers while your email is in transit. It doesn't encrypt the email itself at rest. It protects the pipe it travels through. Configuring it correctly matters both for security and increasingly for deliverability, since some providers deprioritize or flag unencrypted connections.

And there are two flavors of TLS for email:

STARTTLS (opportunistic TLS): The server starts a plain connection, then upgrades it to encrypted if the other server supports it. This is how most email encryption works. If the receiving server doesn't support TLS, the connection falls back to unencrypted. Delivery still happens, just not encrypted. This is the approach for most outbound sending.

Implicit TLS (SMTPS, port 465): Encryption required from the start of the connection. No fallback. Less common for server-to-server mail transfer, but often used for client-to-server submission (your application sending to your MTA).

In Postfix, the key outbound TLS settings:

smtp_tls_security_level = may. Opportunistic TLS. Encrypt if possible, proceed unencrypted if not. Safe default for most outbound sending.

smtp_tls_security_level = encrypt. Mandatory TLS. Fail delivery if the receiving server doesn't support TLS. Use this only if you have a specific reason to require encryption (e.g., sending to partners with known TLS support).

For inbound TLS (receiving mail):

smtpd_tls_cert_file and smtpd_tls_key_file. Point these to your SSL certificate and private key. You need a valid certificate from a recognized authority (Let's Encrypt works and is free).

After configuring, test with our email header analyzer. Send a test email and look at the Received headers, which will show whether TLS was negotiated. You can also check MTA-STS, which lets you publish a policy requiring encrypted connections to your domain.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Learn TLS setup without breaking delivery.

I'm configuring TLS for my email server. My setup: [describe your server, MTA (Postfix/Exim), whether you have a valid SSL certificate, and what you're trying to achieve, encrypt outbound sending, accept encrypted inbound, or both]. Which TLS settings should I use for my specific situation, and what happens to my email if the receiving server doesn't support TLS?

Edit the yellow boxes, then send to the AI of your choice.