Email Security Intelligence - How To Keep Email Private with TLS

It is no secret that email is the preferred method of communication for businesses - a trend that has only been magnified with the increase in remote workers brought on by the pandemic. That being said, email is effectively a plaintext communication sent from email clients to receiving email servers or from one server to another, leaving the content of messages in transit vulnerable to compromise without additional protection via encryption technology such as the Transport Layer Security (TLS) standard.


Learn how TLS works to help secure email communications, and how to securely implement TLS in the Postfix mail transfer agent (MTA), Microsoft 365 Exchange Online and Google Workspace to help fortify email against spoofing and data theft.

TLS Basics: What is Transport Layer Security (TLS)?

Transport Layer Security (TLS) is a cryptographic protocol that offers end-to-end encryption technology for messages “in transit” from one secure email server that has TLS enabled to another,  helping to protect user privacy and prevent eavesdropping or content alteration. TLS is the successor protocol to SSL. It works in much the same way as the SSL, using encryption to protect the transfer of data and information. TLS is an Internet Engineering Task Force (IETF) standard protocol that provides authentication, privacy and data integrity between two communicating computer applications. For optimal security and privacy of message content, TLS is required between all servers handling email communications (including hops between internal and external servers). It is recommended that all clients and servers insist on mandatory usage of TLS in their email communications - preferably the most recent version, TLS 1.3.

TLS is used by leading email providers and ISPs including Google, Microsoft, Yahoo and Comcast, and is also used to secure web communications via HTTPS.

How Does TLS Help Secure Email Communications?

TLS secures email communications by encrypting messages from mail server to mail server, making it more difficult for hackers to intercept and read messages. The TLS protocol uses a combination of symmetric cryptography - where data is encrypted and decrypted with a secret key known to both sender and recipient - and asymmetric cryptography - which uses a public and private key pair to encrypt and decrypt data - to maintain a balance between performance and security. TLS supports the use of digital certificates to authenticate receiving servers (authentication of sending servers is optional), helping to prevent email fraud and data compromise by verifying that receivers (or senders) are in fact who they claim to be. “Opportunistic TLS” describes a scenario in which TLS is used by both sending and receiving parties to negotiate a secured session and encrypt a message, and represents the most secure implementation of the TLS protocol.

The widely used open-source Postfix mail transfer agent (MTA) - which has earned a reputation of being highly secure - can be configured to support TLS, giving Postfix users the ability to encrypt mail and to authenticate remote SMTP clients or servers. 

Get simplified instructions on how to configure TLS for Postfix here.

How To Setup Enforced TLS in Microsoft 365 Exchange Online?

Microsoft 365 Exchange Online offers TLS support; however, it must be set up to enforce TLS. Luckily, setting up enforced TLS in Microsoft 365 Exchange Online is quick and easy, and only requires the domain name of the organization you wish to establish enforced TLS with and a valid email address from that domain  To set up enforced TLS with a vendor, that vendor will need to configure their email server to enforce TLS as well. This mutual configuration assures that all email is encrypted and sent securely across the Internet. 

The process of setting up enforced TLS in Microsoft 365 Exchange Online Is broken up into two steps: creating an outbound TLS connector and creating an inbound TLS connector. 

You can find the steps for setting up connectors for secure mail flow with another organization in Microsoft 365 Exchange Online here.

How To Set Up TLS Compliance in Google Workspace?

Google Workspace supports TLS; however, for a secure TLS connection, TLS compliance must be set up by both the sender and the recipient. If the receiving server doesn't use TLS, Gmail still delivers messages - but the connection is not secure. By adding the Secure transport (TLS) compliance setting, Gmail always uses a secure connection for email sent to and from specified domains and email addresses. 

Learn how to set up TLS compliance in Google Workspace here.


Using and enforcing the use of TLS in your email communications must be viewed as an important part of a defense-in-depth approach to securing business email and protecting sensitive information.TLS is used by almost all leading email providers and ISPs; however, the protocol must be properly set up and configured to provide optimal security. In this article, you learned the basics on implementing TLS for Postfix, as well as in Microsoft 365 Exchange Online and Google Workspace, to help secure against sender fraud and data compromise. If you are using another MTA or email provider, would like further details, or have additional questions, a Guardian Digital email security expert would be happy to assist.

Speak with a Security Expert>

Must Read Blog Posts

Latest Blog Articles