TLS email encryption: What you need to know

Email security

See the padlock in the top left of your address bar? As you likely already know, that means this page is encrypted, and a broken or unlatched padlock means the connection is unencrypted. Tech-savvy people will turn back if they see a broken padlock, as they know their traffic to the web server is visible to cybercriminals in plain text.

Encryption isn’t just important for websites. You can also implement email encryption for better security, and free email services like Gmail or Outlook.com usually have default configurations for this. However, email services can vary, so it's worth learning more about this critical mechanism underpinning most cybersecurity controls in use today.

TLS briefly defined

In 2017, Google made it mandatory for website owners to install and use Secure Sockets Layer (SSL) certificates on their websites, with non-compliance penalties taking the form of a security warning alerting visitors to the insecure connection (for example, the broken or unlatched padlock). This action is more of a Google public service announcement than a punitive measure against the website owner.

Fast forward to the present, and most people know enough to proceed with caution. Today, the SSL acronym that had become almost synonymous with web security has been replaced by its successor, the Transport Layer Security (TLS) protocol.

Understanding TLS email encryption

The longstanding design flaw of email is that security and privacy weren't necessarily "baked-in" to the technology, aside from username and password authentication. A browser prominently displaying a broken red padlock is one thing; email users rarely receive such cues. 

That means an email sender's message was open to anyone's viewing while in transit — whether at the coffee shop hotspot where the email originated, on the internet service provider's (ISP) servers, or somewhere on the internet backbone transiting the world to its final destination.

That's where SSL and its successor TLS come in. Today, the latter is the standard for secure email, and all modern email providers and services support it. At the time of writing, the latest version of TLS is 1.3, though most email vendors support TLS 1.2. It's also worth noting that TLS emails are encrypted by default, but only if all parties use the new encryption protocol.

About the information encrypted by TLS

TLS works by encrypting internet traffic and protecting data as it moves between computers or devices—hence the "transport" in its name. The mechanism functions the same for email as it does for websites (like HTTPS), but all parties involved in the transaction must support the protocol for encryption to work.

For example, TLS mitigates the risk of eavesdropping on an email as it passes between email servers, but only if they all have TLS enabled. If one server does not support TLS, the connection falls back to SSL, or the email is sent unencrypted.

TLS is used to encrypt most of the internet—email, websites, VPNs, and more. However, because the encryption protocol can significantly slow data transfer speeds, it isn't implemented in some situations, e.g. video chat or gaming. That said, voice call encryption using TLS is increasingly common as more people use the internet to make voice calls, such as over VoIP.

How to tell if an email is TLS encrypted

Unlike with a browser, the absence of TLS in email isn't as noticeable as a red, broken padlock in the address bar. Users need to analyze their email headers and look for the TLS version used to encrypt the email.

That involves effort and some technical prowess. However, the information is readily accessible, as every sent email includes an audit trail of its trip. That audit trail can show where and/or how it was transmitted, whether it was encrypted, and what encryption protocol and version were used.

Public email providers like Gmail tend to hide these details for the sake of usability. However, users can typically access them by selecting an option on the email message menu. For example, to view Gmail's email message headers, click on the button for the contextual menu (the ellipses or three vertical dots) and select "Show original."
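One way to automate the header check described above, as an added example that is not from the original article or from Egress: a small Python script that walks a constructed message's Received headers (Postfix/Gmail-style "with ESMTPS ... (version=... cipher=...)" annotations are assumed) and flags any hop that was relayed without TLS.

```python
import email
import re

# Constructed sample (not a real email), newest Received line first. The middle
# relay hop used plain ESMTP with no TLS clause, so it should be flagged.
RAW_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
        by inbox.example.com with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
        by mx.example.net with ESMTP id def456;
        Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.example.org ([203.0.113.5])
        by relay.example.org with ESMTPSA id ghi789
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.org
"""

def grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def analyze_hops(raw_message):
    # Returns one dict per Received hop, oldest hop first. Assumes Postfix/Gmail
    # style lines: 'with ESMTPS' (or ESMTPSA) marks a STARTTLS hop and
    # '(version=... cipher=...)' names the TLS version; plain ESMTP/SMTP is clear.
    msg = email.message_from_bytes(raw_message)
    hops = []
    # Each server prepends its own line, so reverse to walk sender -> mailbox.
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", value)  # unfold continuation lines
        proto = grab(r"\bwith (\S+)", text) or ""
        version = grab(r"version=([^\s)]+)", text)
        hops.append({
            "from": grab(r"\bfrom (\S+)", text), "by": grab(r"\bby (\S+)", text),
            "protocol": proto, "tls_version": version,
            "cipher": grab(r"cipher=([^\s)]+)", text),
            "encrypted": proto.upper().startswith("ESMTPS") or version is not None,
        })
    return hops

def unencrypted_hops(hops):
    # Hops whose Received line records no TLS: the message crossed them in clear.
    return [h for h in hops if not h["encrypted"]]

if __name__ == "__main__":
    for h in unencrypted_hops(analyze_hops(RAW_MESSAGE)):
        print(f"WARNING: hop into {h['by']} was not protected by TLS")
```

Each Received line is written by the server that accepted the message, so a hop into a server that never offered STARTTLS shows up as plain ESMTP with no version clause, which is the silent fallback to clear text the previous section describes.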

Email using TLS

As mentioned previously, most, if not all, major email providers like Gmail and Outlook.com support TLS encryption. When in doubt, implementing Egress Prevent tells a user when TLS isn't correctly enabled and helps them encrypt email to ensure it is secure by:

  • Making sure emails containing sensitive data are sent to the correct recipient
  • Using message body analysis, scanning data inside attachments, and learning a user's data-sharing patterns
  • Supporting smart device workflows from any location
  • Creating ethical walls to restrict internal access
  • Minimizing human-activated email threats

For now, TLS is the dominant encryption protocol for protecting email contents against prying eyes. However, you can expect newer technologies—or at minimum, newer versions—to replace it at some point. 

Cybercriminals are constantly improving their tactics and discovering software vulnerabilities, so security tools and protocols are in a perpetual state of improvement (and catching up). While email remains the dominant communication method in business, malicious actors will always have lucrative targets to set their sights on.

Found this article helpful? Check out our dedicated email encryption hub for more.