Opportunistic SSL/TLS encryption on outgoing emails

Early last year, we implemented opportunistic encryption of incoming emails. We’ve now done the same thing for outgoing emails. This means that for email sent via FastMail (either the web interface or SMTP), if the receiving server advertises STARTTLS support in response to an EHLO command, we will try and negotiate a secure connection and send the email over a secure connection. However if the negotiation fails for any reason, we’ll fallback to a standard connection.

Some extra notes on this:

  • This doesn’t change what happens when sending via SMTP from your email client/software (eg. Outlook, Apple Mail, Thunderbird, etc) to the FastMail servers. Whether that connection is encrypted is controlled by your email client/software and what you configured when you set it up
  • We can’t force a remote server to use encryption, it’s only if the remote server advertises support for encryption that we try and setup a secure channel
  • This is not full end-to-end encryption of the email. The email is only encrypted during transit from our server to the other server, once it’s at their side, it’s stored in whatever form the other side stores emails. For full end-to-end encryption, you need something like PGP
  • The only way to tell if an email has gone over an encrypted connection or not is to look at the headers of the email on the received side. In other words, as a sender, it’s unfortunately not easy to tell, only the receiver can easily tell

Since this feature is only enabled if the other side advertises support for it, it shouldn’t affect sending to servers that don’t support STARTTLS, and thus shouldn’t affect the deliverability of email in any way.

Posted in Technical. Comments Off on Opportunistic SSL/TLS encryption on outgoing emails

Get every new post delivered to your Inbox.

Join 7,293 other followers

%d bloggers like this: