What is TLS email encryption?

Egress | 18th Oct 2021

Transport layer security (TLS) is a form of encryption that protects your email while it's in transit. TLS is an excellent choice as it's widely used, and many governing bodies recommend it.  However, it's not without its drawbacks and doesn't always provide enough protection for a business handling sensitive data.

When you send an email using TLS, your email service will ask the receiving email provider to start the secure connection. If it can do so, the sending service will share the necessary list of protocols and ciphers needed to encrypt the message content. Then, the email sends securely to the recipient using a public key to encrypt and a private key to decrypt.

However, there's one thing to bear in mind. If your email service detects that the receiving service can't accept a TLS connection, it'll default to a less secure service or non-encrypted connection. Meaning the message could send in unsecured plaintext.

Benefits of TLS

After establishing a secure connection, there are several benefits to TLS. These include:

Protecting data: Email servers can be configured to enforce TLS wherever possible. That means that it's not up to your employees to remember to use this protocol — leading to increased security of all data sent via email. 

Availability: TLS is widely used and is likely to be accepted by receiving mail servers. 

Virus scanning: Messages sent via TLS can still be scanned for malicious content by the receiver, just like regular emails.

Quick deployment: TLS is configured directly on the mail server. That means the setup process is simple and does not require configuration across individual workstations. 

Drawbacks of TLS

The UK government recommends using TLS for public sector organisations, and for good reason, but it's worth understanding its drawbacks so you can ensure your emails are protected at all times. Be sure to consider the following:

Securing emails only in transit: TLS does an excellent job of encrypting emails after they're sent and before they've been read. It doesn't, however, protect them while at rest in a user's inbox or outbox.

Uses high latency: Wherever TLS is used, additional latency will be added to your site's traffic. That's because it must work harder to establish the connection. That means it could take longer than other secure services.

Admin tasks: While TLS is easy to use and quick to set up, a few admin jobs need to be addressed. Being your own CISO often means managing a TLS service landing on your to-do list. Ensuring your TLS certification is up to date, monitoring use by staffers or freelancers, and addressing systems holes and vulnerabilities could all be your responsibility. 

No auditing capability: TLS will not provide accessible auditing or proof of transmission. There's no notification or audit trail if an email is delivered to a non-verified person or sent in plaintext. That creates challenges regarding diagnosing and fixing security failures.

TLS fails open: If TLS can't create a secure connection, it defaults to regular SMTP. That means an email will be sent in plaintext. That's because many email users would prefer an email to send no matter the connection. For many personal emails, this is fine, but businesses need to be more careful.

Preventing Email Data Loss Gated Widget Cropped

Preventing email data loss in Microsoft 365

Get your copy

Supporting TLS with additional tools

TLS is a government-recommended email protocol that protects your emails in transit and is very quick to deploy. However, its open-fail nature means it's not always 100% effective when it can't establish a secure connection. That means businesses need the support of additional tools to ensure other types of encryption are being used when TLS isn't available. That's vital for ensuring compliance with data protection laws and protecting your business from malicious actors seeking to intercept an unencrypted email.

TLS works well in the majority of situations but, for maximum security, it can be supported with additional tools. Because attackers can exploit TLS's fail-open design, your business is at risk of sensitive information being intercepted while in transit. Other encryption and security tools can help ensure that all emails are secure, even when a TLS connection isn't possible.

Egress Prevent is data loss protection software that will alert users to the availability of TLS. In many cases, it will use TLS to establish a secure connection. Still, when the recipient doesn't have TLS enabled, it'll suggest message-level encryption to protect the content. On top of this, it has built-in auditing tools to ensure compliance, help spot risk, and target user training.

FAQ

How does TLS email encryption work?

By default, email is a plaintext communication. That leaves the message open for anyone to intercept. TLS helps to solve this by encrypting the message while it's in transit. It establishes a secure connection with the receiving server and shares the necessary certificates and keys to ensure the email can't be intercepted.

Is TLS encryption enough for email?

TLS will ensure that messages sent between email servers are safe from attackers, but it has its limitations. While TLS is widely used, there are cases where your email server won't establish this connection with the receiver. In this case, there needs to be an added layer of security to prevent the email from sending in plaintext. 

On top of this, TLS only protects the email in transit. Sensitive data should also be secured while at rest to ensure compliance and protect against hackers' actions.

How do I know if my email is TLS encrypted?

One way to check an email is TLS encrypted is by checking the entire message received header for details of its journey to you. As it passes from server to server, each part of the journey is documented – look for each server's marker to be stamped with 'TLS.' If one part of the chain doesn't use TLS, it's immediately downgraded. Many email clients will also tell you if the email you are sending is encrypted by showing a padlock or similar.

Cybersecurity Hype Reality Transp

How to separate cybersecurity hype from reality

Get your copy