What’s the difference between opportunistic and enforced TLS?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

When an email travels from one server to another, it can go encrypted or in plain text. TLS (Transport Layer Security) is the protocol that handles that encryption. But here's the thing: not every server enforces it the same way, and that's where opportunistic TLS and enforced TLS come in.

Opportunistic TLS is the default for most email. When your server tries to connect to another server, it asks "can you do TLS?" If the answer is yes, the connection is encrypted. If the answer is no (or something goes wrong), delivery continues in plain text anyway. The email gets through. Security is attempted, but never guaranteed.

That might sound alarming, but it works well in practice. The vast majority of mail servers (including Gmail, Microsoft 365, and Yahoo Mail) support TLS. Opportunistic TLS handles the rare exceptions gracefully by letting the email through rather than failing.

Enforced TLS takes a harder line. If TLS isn't available, or if the connection fails, delivery stops. Full stop. The email does not get sent unencrypted. You'd rather have a failed delivery than an unprotected one.

So who actually uses enforced TLS? It shows up in specific situations where the content is too sensitive to ever travel in the clear. Think regulated industries (healthcare, finance), internal server-to-server routes where both ends are controlled, or dedicated partner connections where both parties have agreed on the setup. It's not something you'd apply to your general marketing or transactional email, because the first time it hits a server that struggles with TLS negotiation, your email bounces.

There's a related standard worth knowing about here. MTA-STS is a policy standard that lets domain owners publish a "please enforce TLS when sending to us" instruction in DNS. It's essentially a way of saying "we support enforced TLS, please use it" without requiring a private arrangement between two parties. If you're running your own mail infrastructure and care deeply about inbound encryption, MTA-STS is worth exploring.

For most senders using an ESP, this is handled for you already. Opportunistic TLS is on by default, and you're covered for the vast majority of connections. If you're running your own Postfix setup and want to see where you stand, the relevant config levels are smtp_tls_security_level = may for opportunistic and smtp_tls_security_level = encrypt for enforced.

Not sure how your current sending setup handles TLS? Our Email Header Analyzer can show you whether TLS was used on a given message. Or if something's broken and you need a human, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a tailored TLS recommendation

I'm setting up or reviewing my email server's TLS configuration and want to understand my options. Based on the details below, tell me whether opportunistic or enforced TLS makes more sense for my use case, what risks I should be aware of, and whether MTA-STS is relevant for my situation. 1. Type of email I'm sending (transactional, marketing, internal, regulated industry) 2. Whether I manage my own mail server or use an ESP 3. Any specific compliance requirements (HIPAA, GDPR, financial regulations) 4. Whether I've had TLS-related delivery failures before Please rank your recommendations from most to least important for my specific setup.

Edit the yellow boxes, then send to the AI of your choice.