Ever marvel how email is securely despatched from one server to a different? When utilizing Simple Mail Transfer Protocol (SMTP) to ship mail, we depend on a mix of StartTLS and Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt our mail and assist it safely land within the inbox.
But what is StartTLS?
StartTLS is a protocol command used to tell the email server that the email consumer desires to improve from an insecure connection to a safe one utilizing TLS or SSL. StartTLS is used with SMTP and IMAP, whereas POP3 makes use of the marginally totally different command for encryption, STLS.
We’ll dig into the variations between TLS and SSL, the StartTLS course of, and how you can check StartTLS to your program.
How does StartTLS work?
TLS vs. SSL
Even although “TLS” is in its identify, StartTLS works with each encryption protocols, TLS and SSL.
While StartTLS works with each protocols, we advocate utilizing TLS over SSL. SSL is an older protocol and is not as safe as its successor, TLS. SSLv2 and SSLv3 have each been deprecated.
For reference, right here’s an inventory of SSL and TLS protocols from oldest to latest:
SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3
Both the email consumer and email server must agree on what connection to make use of. The email consumer could assist TLSv1.3, however the email server could solely assist as much as TLSv1.2. This signifies that each events might want to use TLSv1.2 to proceed with the encryption.
For much more info on TLS vs. SSL, try our docs web page.
The StartTLS course of
SMTP all the time begins unencrypted. The StartTLS command begins the negotiation between server and consumer. Here’s a top level view of the communication that occurs between the email consumer and email server.
- The course of begins with the Transmission Control Protocol (TCP) handshake to assist each the email consumer and server establish one another.
- The server identifies with 220 Ready that the email consumer can proceed with the communication.
- The consumer sends the server “EHLO” to tell the server that the consumer wish to use Extended SMTP (the extra superior model of SMTP that permits you to embody photographs, attachments, and so forth.).
- The consumer sends “250-STARTTLS” to the mail server to ask whether or not or not StartTLS is accepted.
- If the server sends again “go head,” the StartTLS connection will be created.
- The consumer restarts the connection and the email message has been encrypted.
Here’s a visible illustration of the StartTLS course of.
Which port do you have to use?
The port that makes use of StartTLS most frequently is port 587. It typically requires email purchasers to make use of StartTLS to ship mail. Other ports used to ship encrypted mail are 25, 465, and 2525. Since port 25 was designed for mail switch, not submission, your ISP could block email despatched via this port. Port 465 is the second mostly used port for StartTLS.
Opportunistic vs. Enforced TLS
There are a few alternative ways to arrange your email encryption program through the use of both Opportunistic TLS or Enforced TLS:
Opportunistic TLS (or Explicit TLS) permits the email consumer to ship on the best encryption stage the recipient server accepts. If the recipient server doesn’t settle for TLS, the email consumer will negotiate with the server and conform to downgrade to an unencrypted connection. The message will then be despatched in an unencrypted, plain textual content type. This methodology is helpful as a result of you need to use the identical port for each encrypted and plain textual content mail.
Enforced TLS (or Implicit TLS) requires the mail to be despatched over a safe connection. If the connection is not encrypted, the mail shall be blocked from sending. This methodology is rather more safe than Opportunistic TLS, however does result in extra mail being dropped.
Both approaches are broadly used within the email world, so contemplate what makes essentially the most sense to your program. If you’re sending email that accommodates delicate, private info, it might be greatest to make use of Enforced TLS. On the opposite hand, should you’re sending non-delicate materials, like advertising or promotions, it’s possible you’ll be extra inclined to make use of Opportunistic TLS.
Other TLS use instances
TLS is steadily used for encrypting a wide range of communication strategies outdoors of email. Since TLS is a comparatively easy, multi-step protocol, it makes it straightforward to regulate for a wide range of communication sorts. This contains internet browsers, SMS, and Voice over IP. In reality, a variety of firms use TLS to encrypt all communication between their internet servers and browsers, even when nearly all of the communication isn’t delicate materials.
For extra info on how Twilio makes use of TLS, try Twilio’s Security page.
Why is StartTLS necessary?
SMTP is not secured by default, which signifies that should you have been to ship email over SMTP with out StartTLS the email could possibly be intercepted and simply interpreted. This is particularly worrisome when sending delicate, private info like usernames, passwords, or financial institution info.
Without StartTLS, your private info is susceptible to being stolen.
When an email consumer makes use of StartTLS, it informs the server that the content material should be encrypted. This means, if the mail is intercepted, the content material has been scrambled and is very difficult to decipher. The email server and email consumer are the one ones that maintain the important thing to decode the message.
There are sure drawbacks to utilizing StartTLS. Email purchasers are inclined to man-in-the-center assaults as a result of, within the preliminary connection between email consumer and server, the IP addresses usually are not encrypted.
Using StartTLS may additionally add some latency to the SMTP connection. This wouldn’t be sufficient of a delay to make it essential to ship unencrypted email, but it surely is good to bear in mind.
How do I check StartTLS?
It’s necessary to check upfront to verify the server is able to processing StartTLS. If it isn’t able to processing StartTLS you can by chance ship a good quantity of email that isn’t encrypted and is, subsequently, inclined to assault vectors.
Here is an instance of how you’d check StartTLS from SendGrid’s SMTP server.
How does Twilio SendGrid use StartTLS?
Twilio SendGrid helps TLS v1.1 and better. Unencrypted and TLS connections are accepted on ports 25, 587, and 2525. Or, you’ll be able to join via SSL on port 465.
We comply with Opportunistic TLS and ship on the best encryption stage the recipient server accepts. We additionally provide Enforced TLS. It is your alternative whether or not or not you require your email to be despatched over an encrypted connection. If the recipient server doesn’t settle for encrypted messages, the message is dropped and we ship a block occasion.
You would primarily work together with StartTLS when initiating the SMTP request to Twilio SendGrid, asking to ship mail. Otherwise, Twilio SendGrid handles the matching of the TLS certificates, the remainder of the encryption course of, and any points that will come up alongside the best way.
For extra info on Twilio SendGrid and SMTP, head over to our docs article, How to Send an SMTP Email. And while you’re prepared to start out sending emails, join a free Twilio SendGrid account and get began.