How to tell if a server supports TLS for secure email transmission

TLS (Transport Layer Security) is the mechanism by which two email servers, when communicating, can automatically negotiate an encrypted channel between them so that the emails transmitted are secured from eavesdroppers.

It is becoming ever more important to use a company that supports TLS for email transmission as more and more banks, health care, and other organizations who have any kind of security policy are requiring their vendors and clients to use this type of encryption for emailed communications with them. Additionally, if your email provider supports TLS for email transmission, and you are communicating with people whose providers do also, then you can be sure that all of the email traffic between you and them will be encrypted.

How do you find out if someone to whom you are sending email uses a provider whose servers support TLS-encrypted communications? We will take you through the whole process step-by-step, but first let us note some important truths about TLS connection encryption.

  1. The use of TLS encryption is negotiated/determined each and every time two servers connect to each other to transmit your email.
  2. Just because a server supports TLS today does not mean that it will tomorrow: server configurations can change and mistakes can be made. You can, however, be sure that an email will never be sent to someone without TLS; see Enforcing Email Security with TLS when Communicating with Banks.
  3. If your email is passed between more than one server, then the security of each server-to-server connection along the way needs to be negotiated separately.
  4. Only the recipient’s externally facing email servers can be checked for TLS support. There is no way of checking the back-end servers of a service provider’s email system to make sure TLS is supported all the way to delivery to the recipient’s mailbox.
  5. Even if the sender’s email servers and the recipient’s email servers are configured to use TLS, both parties still need to configure their email clients to connect securely to their respective servers (for the initial sending of the message, and for the final download and viewing of the message) in order to ensure that the email message is transmitted securely during its entire trek from sender to receiver.

To check for TLS you need to use a program called “telnet”, which is another command prompt utility that exists in all of the operating systems mentioned. Telnet will be used to simulate the SMTP connection to the server; once connected, we will issue the “ehlo” command. If the server supports TLS encryption then we will see “250-STARTTLS” in the list of supported options.

The following steps will need to be repeated for every server provided by your query for MX records. To use the Telnet program, type “telnet server_name 25”, replacing “server_name” with the name of a mail server from your DNS query, and press “Enter”. (25 is the standard SMTP port on which all public inbound email servers must be listening for connections.) A few lines will appear, the last starting with “220” and containing the date.

support$ telnet mx1.md3v.net 25
Trying 12.98.55.254...
Connected to mx1.md3v.net.
Escape character is '^]'.
220 mx1.md3v.net ESMTP Sendmail 8.13.1/8.13.7; Thu, 05 Dec 2009 10:11:18 -0600

Now type “ehlo” followed by a domain name (your own domain name will work fine) and press “Enter”. If you see the line “250-STARTTLS” within the results, then that email server is configured to support the use of TLS. Here is a full example:

ehlo md3v.net
250-mx1.md3v.net Hello static-222-111-111-222.myinternet.net [222.111.111.222], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 52428800
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 mx1.md3v.net closing connection
Connection closed by foreign host.

Once again you will need to repeat this telnet step for each email server listed in the MX records to be sure that TLS support is enabled on all servers processing email for email addresses in that domain.
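The telnet check above can be scripted so that it is easy to repeat for every MX host. The following is an added example, not part of the original article: it parses an EHLO reply (including the case where STARTTLS is the last line and so appears as “250 STARTTLS”) and, for a live host, also attempts the TLS handshake. The function names, `client.example` and `192.0.2.10` are assumptions made for illustration.

```python
import smtplib
import ssl

# Constructed sample: a shortened EHLO reply in the format shown above.
SAMPLE_REPLY = (
    "250-mx1.md3v.net Hello client.example [192.0.2.10], pleased to meet you\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

def parse_ehlo(reply):
    """Return the set of upper-cased extension keywords in an EHLO reply."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    keywords = set()
    for i, line in enumerate(lines):
        # "250-" marks a continuation line, "250 " the final line; a server
        # that lists STARTTLS last sends "250 STARTTLS", not "250-STARTTLS".
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"not an EHLO success line: {line!r}")
        words = line[4:].split()
        if i > 0 and words:  # line 0 is the greeting, not an extension
            keywords.add(words[0].upper())
    return keywords

def advertises_starttls(reply):
    return "STARTTLS" in parse_ehlo(reply)

def check_server(host, helo_name, timeout=10):
    """Live check of one MX host; returns (advertised, TLS version or error)."""
    smtp = smtplib.SMTP(host, 25, timeout=timeout)
    try:
        smtp.ehlo(helo_name)
        if not smtp.has_extn("starttls"):
            return False, None
        try:
            # The default context also validates the certificate and host
            # name, which the telnet test does not look at.
            smtp.starttls(context=ssl.create_default_context())
        except (ssl.SSLError, smtplib.SMTPException) as exc:
            return True, f"handshake failed: {exc}"
        return True, smtp.sock.version()
    finally:
        smtp.close()
```

Call `check_server()` once per host returned by the MX query; a result of `(True, "handshake failed: ...")` means the server advertises STARTTLS but the encrypted session could not be established with certificate validation enabled.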

Use of TLS is good practice and very secure when you know that it is implemented through the entire chain of delivery.