Ever wonder how email gets sent securely from one server to another? When we use Simple Mail Transfer Protocol (SMTP) to send mail, we rely on a combination of STARTTLS and Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt our mail and help it get to the inbox safely.
But what is STARTTLS?
STARTTLS is a protocol command used to inform the email server that the email client wants to upgrade from an insecure connection to a secure one using TLS or SSL. STARTTLS is used with SMTP and IMAP, while POP3 uses a slightly different command for encryption, STLS.
We’ll dive into the differences between TLS and SSL, the STARTTLS process, and how to test STARTTLS for your program.
How does STARTTLS work?
TLS vs. SSL
Although “TLS” is in its name, STARTTLS works with both the TLS and SSL encryption protocols.
Although STARTTLS works with both protocols, we recommend using TLS over SSL. SSL is an older protocol and is not as secure as its successor, TLS. SSLv2 and SSLv3 have been deprecated.
For reference, here is a list of SSL and TLS protocols from oldest to newest:
SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3
Both the email client and the email server must agree on which protocol version to use. For example, an email client can support TLSv1.3, but the email server can only support up to TLSv1.2. This means both parties will need to use TLSv1.2 to continue with encryption.
For even more information on TLS vs. SSL, check out our docs page.
The STARTTLS process
SMTP always starts unencrypted. The STARTTLS command starts the negotiation between the server and the client. Here is a summary of the communication that happens between the email client and the email server.
- The process starts with the Transmission Control Protocol (TCP) handshake, which helps the email client and the server identify each other.
- The server identifies itself with a 220 ready reply so the email client can continue communication.
- The client sends “EHLO” to the server to inform it that the client would like to use Extended SMTP (the most advanced version of SMTP, which allows you to include images, attachments, etc.).
- The client sends “250-STARTTLS” to the mail server to ask whether STARTTLS is accepted or not.
- If the server returns “go ahead”, the STARTTLS connection can be created.
- The client restarts the connection and the email message is encrypted.
Here is a visual representation of the STARTTLS process.
Which port should I use?
The port that STARTTLS uses most often is port 587, which often requires email clients to use STARTTLS to send mail. Other ports used to send encrypted mail are 25, 465, and 2525. Since port 25 is designed for transferring mail, not sending, your ISP may block email sent through this port. Port 465 is the second most used port for STARTTLS.
Opportunistic vs. mandatory TLS
There are a couple of different ways to configure your email encryption program: using opportunistic TLS or forced TLS.
Opportunistic TLS (or explicit TLS) allows the email client to deliver at the highest level of encryption that the recipient’s server accepts. If the recipient’s server does not accept TLS, the email client will negotiate with the server and agree to switch to an unencrypted connection. The message will then be sent in clear text. This method is useful because you can use the same port for encrypted and plaintext mail.
TLS required (or implicit TLS) requires that mail be sent over a secure connection. If the connection is not encrypted, the sending of the mail will be blocked. This method is much more secure than opportunistic TLS, but it leads to more mail being dropped.
Both approaches are widely used in the email world, so consider which one makes the most sense for your program. If you are sending an email that contains sensitive personal information, it may be better to use forced TLS. On the other hand, if you are sending non-sensitive material such as marketing or promotions, you may be more inclined to use opportunistic TLS.
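The negotiation steps listed above and the opportunistic-versus-forced decision can be walked through together. The following is an added example written for this post, not code from the original article or from Twilio SendGrid: it simulates the SMTP exchange with an in-memory stand-in for the server (the TLS handshake is represented by a flag, so no sockets or certificates are involved), following the message sequence from RFC 3207, and lets the client apply either policy. The hostnames, the `FakeSmtpServer` class and the `negotiate` function are constructed for the example.

```python
"""Simulated SMTP STARTTLS negotiation with an opportunistic or mandatory TLS policy.

Added example, not code from the original post or from Twilio SendGrid.
The server is an in-memory stand-in; hostnames are constructed.
"""
from dataclasses import dataclass

OPPORTUNISTIC = "opportunistic"  # fall back to plaintext if STARTTLS is not offered
MANDATORY = "mandatory"          # refuse to send unless the channel was upgraded


@dataclass
class FakeSmtpServer:
    """Minimal ESMTP responder that may or may not advertise STARTTLS."""
    hostname: str = "mail.example.test"   # constructed name
    offers_starttls: bool = True
    tls_active: bool = False              # stands in for a completed TLS handshake

    def greeting(self) -> str:
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, command: str) -> str:
        """Return the server's reply to one client command."""
        verb = command.split(" ", 1)[0].upper()
        if verb == "EHLO":
            lines = [f"250-{self.hostname}", "250-SIZE 10485760"]
            # STARTTLS is advertised only while the session is still in plaintext.
            if self.offers_starttls and not self.tls_active:
                lines.append("250-STARTTLS")
            lines.append("250 8BITMIME")
            return "\r\n".join(lines)
        if verb == "STARTTLS":
            if self.tls_active or not self.offers_starttls:
                return "454 TLS not available due to temporary reason"
            self.tls_active = True
            return "220 Go ahead"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognized command"


def ehlo_extensions(reply: str) -> set:
    """Parse a multi-line 250 reply into the set of advertised extension keywords."""
    exts = set()
    for line in reply.split("\r\n")[1:]:        # first line carries the server's name
        exts.add(line[4:].split(" ", 1)[0].upper())
    return exts


def negotiate(server: FakeSmtpServer, policy: str) -> dict:
    """Run the session up to the point where the client would send the message.

    Returns the transcript and the outcome: 'encrypted', 'plaintext' or 'blocked'.
    """
    transcript = [("S", server.greeting())]

    def send(cmd: str) -> str:
        reply = server.handle(cmd)
        transcript.append(("C", cmd))
        transcript.append(("S", reply))
        return reply

    exts = ehlo_extensions(send("EHLO client.example.test"))
    if "STARTTLS" in exts and send("STARTTLS").startswith("220"):
        # After the upgrade the client must discard the old capabilities and EHLO again.
        exts = ehlo_extensions(send("EHLO client.example.test"))
        if "STARTTLS" in exts:
            raise RuntimeError("server re-advertised STARTTLS inside the TLS session")
        outcome = "encrypted"
    elif policy == MANDATORY:
        send("QUIT")
        outcome = "blocked"      # forced TLS: nothing is sent over plaintext
    else:
        outcome = "plaintext"    # opportunistic TLS: deliver anyway, unencrypted
    return {"outcome": outcome, "tls_active": server.tls_active, "transcript": transcript}


if __name__ == "__main__":
    for offers in (True, False):
        for policy in (OPPORTUNISTIC, MANDATORY):
            result = negotiate(FakeSmtpServer(offers_starttls=offers), policy)
            print(f"offers_starttls={offers} policy={policy}: {result['outcome']}")
            for who, text in result["transcript"]:
                print(f"  {who}: {text.replace(chr(13) + chr(10), ' | ')}")
```

The two policies only differ when the server never advertises STARTTLS. That is also the case that matters for the man-in-the-middle concern later in this post: an intermediary that strips `250-STARTTLS` from the EHLO reply leaves an opportunistic client sending in clear text, while the mandatory policy turns the same situation into a blocked message.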
Other use cases for TLS
TLS is frequently used to encrypt a variety of communication methods outside of email. Since TLS is a relatively simple multi-step protocol, it is easy to adapt to a variety of communication types, including web browsers, SMS, and voice over IP. In fact, many companies use TLS to encrypt all communication between their web servers and browsers, even if most of the communication is not sensitive material.
For more information on how Twilio uses TLS, see the Twilio security page.
Why is STARTTLS important?
SMTP is not protected by default, which means that if you were to send an email via SMTP without STARTTLS, the email could easily be intercepted and read. This is of particular concern when sending sensitive personal information such as usernames, passwords, or banking information.
In other words, your personal information is at risk of being stolen.
When an email client uses STARTTLS, it tells the server that the content must be encrypted. This way, if the mail is intercepted, the content is encrypted and very difficult to decipher. The email server and the email client are the only ones that have the key to decrypt the message.
Disadvantages
There are certain drawbacks to using STARTTLS. Email clients are susceptible to man-in-the-middle attacks because, in the initial connection between the email client and the server, IP addresses are not encrypted.
Using STARTTLS might also add some latency to the SMTP connection. This wouldn’t be enough of a delay to make it necessary to send unencrypted email, but it’s good to keep in mind.
How do I test STARTTLS?
It is important to test beforehand to make sure the server is capable of processing STARTTLS. If it’s not, you could accidentally send a fair amount of email that isn’t encrypted and is therefore susceptible to attack.
Here is an example of how you would test STARTTLS against the SendGrid SMTP server.
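As an added example (written for this post, not Twilio SendGrid's own tooling), the script below performs that test with Python's standard `smtplib`: it connects, reads the EHLO reply, refuses to continue if STARTTLS is not advertised, upgrades the connection with certificate validation switched on, and reports the negotiated TLS version. The hostname `smtp.example.test` is a placeholder to replace with the server you want to test, and the TLSv1.2-or-newer threshold in `MINIMUM_TLS` is this example's own choice, not a value from the post. The `advertises_starttls` helper works on a raw EHLO reply as seen on the wire, so the parsing can be checked offline against a constructed reply.

```python
"""Check whether an SMTP server offers STARTTLS and which TLS version it negotiates.

Added example, not code from the original post or from Twilio SendGrid.
The default hostname is a placeholder; MINIMUM_TLS is this example's policy.
"""
import smtplib
import ssl
import sys

MINIMUM_TLS = {"TLSv1.2", "TLSv1.3"}   # assumed policy: anything older fails the check


def advertises_starttls(raw_reply: str) -> bool:
    """True if a raw multi-line EHLO reply (with its 250 prefixes) lists STARTTLS."""
    for line in raw_reply.splitlines()[1:]:        # first line is the server's name
        body = line[4:] if line.startswith("250") else line
        if body.split(" ", 1)[0].upper() == "STARTTLS":
            return True
    return False


def starttls_report(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Connect, EHLO, upgrade with STARTTLS and describe what was negotiated.

    Certificate validation is on (ssl.create_default_context), so a server with a
    bad or expired certificate fails here instead of silently passing the test.
    """
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            return {"starttls": False, "reason": f"EHLO rejected with {code}"}
        if not smtp.has_extn("starttls"):
            return {"starttls": False, "reason": "server did not advertise STARTTLS"}
        code, msg = smtp.starttls(context=context)
        smtp.ehlo()                     # capabilities must be re-read after the upgrade
        return {
            "starttls": True,
            "reply": f"{code} {msg.decode(errors='replace')}",
            "tls_version": smtp.sock.version(),
            "cipher": smtp.sock.cipher()[0],
        }


def acceptable(report: dict) -> bool:
    """Pass only if STARTTLS succeeded and the negotiated version meets MINIMUM_TLS."""
    return bool(report.get("starttls")) and report.get("tls_version") in MINIMUM_TLS


if __name__ == "__main__":
    # Usage: python starttls_check.py <smtp-host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "smtp.example.test"   # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    report = starttls_report(target, port)
    print(report)
    print("PASS" if acceptable(report) else "FAIL")
    sys.exit(0 if acceptable(report) else 1)
```

Run it against the submission port you intend to use (587 in the post's recommendation); a `FAIL` with the reason `server did not advertise STARTTLS` is exactly the situation the paragraph above warns about, where an opportunistic sender would otherwise fall back to clear text.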
How does Twilio SendGrid use STARTTLS?
Twilio SendGrid is compatible with TLS v1.1 and higher. Unencrypted and TLS connections are accepted on ports 25, 587, and 2525, or you can connect via SSL on port 465.
We follow opportunistic TLS and send with the highest level of encryption that the recipient’s server accepts. We also offer forced TLS; it is your choice whether or not you want your email to be sent over an encrypted connection. With forced TLS, if the recipient’s server doesn’t accept encrypted messages, the message is discarded and we send a block event.
Your program would mainly interact with STARTTLS by starting the SMTP request to Twilio SendGrid, asking to send mail. Otherwise, Twilio SendGrid handles the matching of the TLS certificates, the rest of the encryption process, and any problems that may arise along the way.
For more information on Twilio SendGrid and SMTP, please refer to our docs article, How to Send an SMTP Email.