What is TLS?

TLS (Transport Layer Security) is a cryptographic protocol designed to provide secure communication over a computer network. It ensures three essential aspects of data transmission:

  • Encryption – The content of the communication is unreadable to third parties.

  • Authentication – The identity of the parties involved in the communication can be verified.

  • Integrity – The data has not been altered during transmission.

TLS is widely used in web browsing (HTTPS), but it's also crucial in securing email transmissions.


Why is TLS Important in Email Services?

Emails often contain sensitive information, including personal data, financial information, and confidential business details. Without encryption, emails travel in plain text, making them vulnerable to:

  • Eavesdropping – Intercepted and read by malicious actors.

  • Man-in-the-middle (MITM) attacks – Altered or redirected in transit.

TLS is used to encrypt the communication channels between:

  • Email clients and servers (e.g., via SMTP, IMAP, POP3).

  • Email servers communicating with each other (SMTP relay).

By using TLS, you protect email content from being exposed or tampered with during transmission.


RFC 3207 and Its Limitations

RFC 3207 defines the STARTTLS extension for SMTP, allowing email servers to upgrade a connection to TLS. However, it only recommends the use of TLS — it does not mandate it. This means that email servers may fall back to unencrypted communication if TLS is not supported by the peer.


GDPR and the De Facto Obligation to Use TLS

While RFC 3207 stops short of requiring TLS, the GDPR (General Data Protection Regulation) enforces stricter data protection principles. Specifically:

  • Article 5: Personal data must be processed with integrity and confidentiality.

  • Article 32: Data controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Failing to encrypt email transmissions (e.g., by not using TLS) can lead to GDPR non-compliance, especially when handling personal data. This effectively makes the use of TLS mandatory, even if technical standards like RFC 3207 leave it optional.


Strict TLS vs. Opportunistic TLS

Email servers may be configured with STRICT TLS or OPPORTUNISTIC TLS.

Feature                | Strict TLS                                    | Opportunistic TLS
-----------------------|-----------------------------------------------|------------------------------------------------------
Encryption required?   | Yes (connection fails if TLS is unavailable)  | No (encryption is used only if supported by the peer)
Fallback to plaintext? | Never                                         | Yes, if the other server doesn't support TLS
Security level         | High                                          | Medium
GDPR compliance        | Yes                                           | Risky, depending on the context

  • Strict TLS ensures encryption is always used, reducing the risk of data exposure.

  • Opportunistic TLS tries to encrypt, but falls back to unencrypted transmission, which can compromise sensitive data.
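To make the RFC 3207 fallback concrete, the following added example (not code from this article or from DomainRegister) models the decision a sending SMTP client takes right after the EHLO reply under each policy. The two EHLO replies are constructed samples and the hostnames are hypothetical.

```python
import re

# Constructed sample EHLO replies (hypothetical hosts, not captured traffic).
# A peer that supports STARTTLS advertises it as one of its extensions.
EHLO_WITH_STARTTLS = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
# A legacy peer that offers no TLS upgrade at all.
EHLO_WITHOUT_STARTTLS = (
    "250-legacy.example.net Hello client.example.org\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> set[str]:
    """Return the SMTP extension keywords advertised in an EHLO reply.

    The first 250 line is the greeting; every following line carries one
    extension keyword (optionally followed by parameters), upper-cased here.
    """
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO was not accepted by the server")
    extensions = set()
    for line in lines[1:]:
        match = re.match(r"250[- ]([A-Za-z0-9]+)", line)
        if match:
            extensions.add(match.group(1).upper())
    return extensions


def next_step(reply: str, policy: str) -> str:
    """Return the next SMTP command a client sends under the given policy.

    'strict':        send STARTTLS if offered, otherwise QUIT. The message
                     is never delivered over plaintext, whatever the reason
                     the STARTTLS advertisement is missing.
    'opportunistic': send STARTTLS if offered, otherwise continue the
                     session in plaintext (the RFC 3207 fallback).
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "STARTTLS"  # upgrade the connection before any mail data
    if policy == "strict":
        return "QUIT"  # refuse to deliver: no encrypted channel available
    if policy == "opportunistic":
        return "MAIL FROM"  # silent downgrade: delivery proceeds unencrypted
    raise ValueError(f"unknown TLS policy: {policy!r}")
```

With the standard library's `smtplib.SMTP`, the equivalent check after `server.ehlo()` is `server.has_extn("starttls")`; a strict client closes the session when it returns False.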


Security Risks of Not Using TLS or Only Opportunistic TLS

  1. Eavesdropping: Without TLS, attackers can read email contents as they move between servers.

  2. MITM Attacks: Without authentication (provided by TLS certificates), attackers can impersonate servers and alter messages.

  3. Data Breach Risk: Any exposure of personal data due to unencrypted email transmissions can result in a data breach under GDPR.

  4. Legal and Financial Penalties: Non-compliance with GDPR can lead to hefty fines and reputational damage.

Even Opportunistic TLS may not be sufficient if it silently downgrades to plaintext, making it unsuitable for transmitting personal or sensitive data without additional protections.


While the technical specification (RFC 3207) does not strictly enforce TLS, the legal landscape under GDPR makes it essential for email services that handle personal data to:

  • Use TLS consistently, and

  • Prefer strict TLS policies to ensure compliance and data protection.

Securing email with TLS isn't just best practice—it's a legal and ethical obligation in modern digital communication.


TLS Configuration on DomainRegister Email Servers

At DomainRegister, we adopt different TLS configurations based on the type of email service provided:

  • The email service handling user communication (@domainregister.it) is configured with Strict TLS. This ensures maximum security and confidentiality, especially given the sensitivity of the data involved — such as account access credentials and password recovery messages. No email is transmitted without encryption.

  • The email service offered to clients via our hosting platform (unihost.it) currently uses Opportunistic TLS. This configuration allows broad compatibility with various mail servers while still providing encryption whenever possible. However, we are actively evaluating the implementation of Strict TLS on this platform too, particularly because the number of obsolete mail servers in the European market that do not support TLS has become negligible.

If any user requires email services with Strict TLS enforcement, we kindly invite them to open a support ticket, and we will be happy to assist with a secure configuration tailored to their needs.
