How do I configure TLS encryption for sending?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
TLS (Transport Layer Security) encrypts the connection between mail servers while your email is in transit. It doesn't encrypt the email itself at rest. It protects the pipe it travels through. Configuring it correctly matters both for security and increasingly for deliverability, since some providers deprioritize or flag unencrypted connections.
And there are two flavors of TLS for email:
STARTTLS (opportunistic TLS): The server starts a plain connection, then upgrades it to encrypted if the other server supports it. This is how most email encryption works. If the receiving server doesn't support TLS, the connection falls back to unencrypted. Delivery still happens, just not encrypted. This is the approach for most outbound sending.
Implicit TLS (SMTPS, port 465): Encryption required from the start of the connection. No fallback. Less common for server-to-server mail transfer, but often used for client-to-server submission (your application sending to your MTA).
In Postfix, the key outbound TLS settings:
smtp_tls_security_level = may. Opportunistic TLS. Encrypt if possible, proceed unencrypted if not. Safe default for most outbound sending.
smtp_tls_security_level = encrypt. Mandatory TLS. Fail delivery if the receiving server doesn't support TLS. Use this only if you have a specific reason to require encryption (e.g., sending to partners with known TLS support).
For inbound TLS (receiving mail):
smtpd_tls_cert_file and smtpd_tls_key_file. Point these to your SSL certificate and private key. You need a valid certificate from a recognized authority (Let's Encrypt works and is free).
After configuring, test with our email header analyzer. Send a test email and look at the Received headers, which will show whether TLS was negotiated. You can also check MTA-STS, which lets you publish a policy requiring encrypted connections to your domain.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.