Email best practices

Why every email sender should care about TLS and STARTTLS

TLS is no longer “nice to have.” It’s the norm for secure, trustworthy email delivery. By enabling and enforcing STARTTLS, you make sure your emails don’t just arrive – they arrive securely.
September 29, 2025

When you click send on an email campaign, you probably imagine it shooting straight into your customer’s inbox. In reality, email takes a more complicated path. Your message hops from one server to another, crossing networks you don’t control, until it finally reaches its destination. 

And here’s the catch – if those connections aren’t encrypted, your message is essentially a postcard. Anyone handling it along the way – internet providers, compromised routers, even malicious actors – could read or modify the contents. 

Now think about what kinds of messages you’re sending: 

  • Order confirmations with customer details
  • Password reset links
  • Marketing emails tied to customer identities

Would you be comfortable sending that on a postcard? Probably not… 

This is where TLS comes in. 

What is TLS? 

Transport Layer Security (TLS) is a protocol that encrypts the connection between email servers. Think of it like sealing a letter in an envelope before it’s sent through the postal service. TLS ensures that your emails travel in that sealed envelope – hidden from prying eyes, protected from tampering, and delivered with the trust your brand depends on.

When both the sending and receiving servers support TLS, messages are transmitted securely. This protects sensitive information, maintains customer trust, and helps ensure compliance with privacy standards. 

Why does TLS matter for email senders? 

Email isn’t just a marketing channel anymore: businesses use it to send invoices, verify identities, reset passwords, and communicate sensitive details. Every one of those messages deserves protection in transit. TLS helps in five key ways: 

Protects privacy and security 

Without TLS, your email can be intercepted, read, or even altered by anyone who has access to the network between servers. This could be an ISP, a compromised router, or a bad actor performing a “man-in-the-middle” attack. 

With TLS, the connection is encrypted. Even if someone does intercept the traffic, all they see is scrambled data they can’t read. 

Pro tip: A password reset email without TLS could expose a login link to an attacker. With TLS, that link is safely encrypted until it reaches your recipient. 

Builds trust with your audience 

Customers are becoming more aware of digital security. If they discover your brand sends emails without encryption, it reflects poorly – even if nothing malicious happens. 

Some email clients and providers even display security indicators (like a padlock icon) when TLS is used. These subtle cues reinforce that your brand is professional and trustworthy. 

Supports compliance requirements 

Regulatory frameworks like GDPR, HIPAA, and industry standards such as PCI DSS expect that businesses take reasonable steps to protect personal data in transit. TLS is considered the baseline. 

Failing to use TLS doesn’t just put your recipients at risk – it could also put you out of compliance, leading to fines, audits, or contractual issues with partners. 

Improves deliverability and reputation 

Mailbox providers (like Gmail, Yahoo, Outlook) care about the security of their ecosystems. If you send without TLS, some providers may deprioritize your messages, flag them as less secure, or in some extremely rare cases, reject them. 

Meanwhile, consistent TLS usage signals to providers that you’re a legitimate sender who values secure practices. That can help your sender reputation and improve inbox placement. 

Defends against downgrade attacks 

Without enforced TLS, attackers can sometimes trick servers into downgrading to plaintext delivery. This leaves your message exposed, even if both parties support TLS. 

By configuring STARTTLS with enforcement, you block this risk. Your email is either delivered securely or not delivered at all; there’s no insecure middle ground. 

STARTTLS: Taking the next step 

By default, many email servers try to use TLS if both sides support it, but if TLS isn’t available, they’ll fall back to unencrypted delivery. That means your emails could still be traveling like postcards. 

STARTTLS is an SMTP command that tells an email server to switch from an unencrypted connection to an encrypted one using TLS. Importantly, you can configure your system to enforce STARTTLS – requiring that all emails to a given domain are encrypted, or else not delivered. 

As mentioned, this prevents downgrade attacks, where a bad actor forces the connection to drop back to insecure delivery. 

What do I need to do?  

The good news for senders is that most modern ESPs and security standards (including Mailjet) now require TLS 1.2 or higher and need no action on your part. This means you’re already operating on a secure baseline. However, some platforms still accept TLS 1.0 and 1.1, which are considered outdated and less secure. If you manage your own infrastructure, make sure your servers support TLS 1.2 or higher.  
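The STARTTLS upgrade and the "enforce or refuse" decision described above, together with the TLS 1.2 floor recommended for self-managed servers, are shown below as an added example written for this article; it is not Mailjet code and not code from the original post. The two EHLO replies are constructed samples, the hostnames are placeholders, and the final function needs real network access, so only the parsing, decision, and TLS-settings helpers are meant to be run as-is.

```python
import ssl
import smtplib

# Constructed sample EHLO replies (not captured from any real server).
# A receiving server that offers STARTTLS advertises it as one line of the
# multi-line 250 reply to the sender's EHLO command.
EHLO_WITH_STARTTLS = (
    "250-mx.example.test Hello sender.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

# The same reply with the STARTTLS line missing. A sender sees this when the
# receiver has no TLS, or when something on the path has stripped the keyword
# to push the session back to plaintext (the downgrade the article describes).
EHLO_WITHOUT_STARTTLS = (
    "250-mx.example.test Hello sender.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo_extensions(ehlo_reply: str) -> set[str]:
    """Return the ESMTP extension keywords advertised in a raw 250 EHLO reply.

    The first line is the greeting (hostname plus free text) and carries no
    keyword; every following '250-' / '250 ' line begins with one.
    """
    keywords = set()
    for index, line in enumerate(ehlo_reply.splitlines()):
        if index == 0 or not line.startswith("250"):
            continue
        tokens = line[4:].split()  # drop "250-" or "250 "
        if tokens:
            keywords.add(tokens[0].upper())
    return keywords


def delivery_decision(ehlo_reply: str, enforce_tls: bool) -> str:
    """Decide how a message may leave, given the receiver's EHLO reply.

    'starttls'  - upgrade the session with STARTTLS before sending
    'plaintext' - opportunistic mode: fall back to the unencrypted postcard
    'refuse'    - enforced mode: deliver securely or not at all
    """
    if "STARTTLS" in parse_ehlo_extensions(ehlo_reply):
        return "starttls"
    return "refuse" if enforce_tls else "plaintext"


def strict_tls_context() -> ssl.SSLContext:
    """TLS settings for the upgraded session: verify the receiver's certificate
    chain and hostname, and refuse the outdated TLS 1.0 / 1.1 versions."""
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return context


def send_with_enforced_starttls(host: str, port: int, sender: str,
                                recipient: str, message: str) -> str:
    """Deliver one message, refusing any session that cannot be upgraded.

    Returns the negotiated TLS version string (for example 'TLSv1.3').
    host/port are caller-supplied assumptions; this needs network access.
    """
    with smtplib.SMTP(host, port, timeout=30) as server:
        server.ehlo()
        # smtplib pre-parses the reply into server.esmtp_features; has_extn()
        # is the library's equivalent of the raw-reply check above.
        if not server.has_extn("starttls"):
            raise RuntimeError(
                f"{host} did not offer STARTTLS; refusing plaintext delivery")
        server.starttls(context=strict_tls_context())
        server.ehlo()  # re-issue EHLO: the pre-TLS capability list is untrusted
        negotiated = server.sock.version()
        server.sendmail(sender, recipient, message)
    return negotiated
```

The `enforce_tls` flag is the whole difference between opportunistic and enforced STARTTLS: with it off, a missing STARTTLS keyword silently turns the message into a postcard; with it on, the same reply is a hard failure that your queue retries or bounces. On a self-managed MTA the same policy is set in configuration rather than code (in Postfix, for instance, `smtp_tls_security_level = encrypt` for a domain that must always be reached over TLS).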

Conclusion

TLS is no longer optional. It’s the standard for protecting your recipients, your brand, and your deliverability. By enabling and enforcing STARTTLS, you ensure that your emails aren’t just delivered, but delivered securely.
