What is TLS?
TLS (Transport Layer Security) is a cryptographic protocol designed to provide secure communication over a computer network. It ensures three essential aspects of data transmission:
- Encryption – The content of the communication is unreadable to third parties.
- Authentication – The identity of the parties involved in the communication can be verified.
- Integrity – The data has not been altered during transmission.
TLS is widely used in web browsing (HTTPS), but it's also crucial in securing email transmissions.
Why is TLS Important in Email Services?
Emails often contain sensitive information, including personal data, financial information, and confidential business details. Without encryption, emails travel in plain text, making them vulnerable to:
- Eavesdropping – Intercepted and read by malicious actors.
- Man-in-the-middle (MITM) attacks – Altered or redirected in transit.
TLS is used to encrypt the communication channels between:
- Email clients and servers (SMTP submission, IMAP, POP3), either on dedicated implicit-TLS ports (465, 993, 995) or by upgrading a plaintext connection with STARTTLS.
- Email servers communicating with each other (SMTP relay between MX hosts), where STARTTLS on port 25 is the only mechanism in common use.
By using TLS, you protect email content from being exposed or tampered with during transmission.
RFC 3207 and Its Limitations
RFC 3207 defines the STARTTLS extension for SMTP, which allows a client and server to upgrade an existing plaintext connection to TLS. It does not mandate TLS: a server may offer it and a client may use it, and section 4 of the RFC explicitly states that a publicly referenced SMTP server MUST NOT require STARTTLS in order to accept mail for local delivery. In practice this means most server-to-server traffic is opportunistic, and a sending server may fall back to unencrypted delivery if the peer does not appear to support TLS. A further limitation is that the STARTTLS capability is advertised in the plaintext EHLO reply, so an on-path attacker who removes that keyword can make a fallback-capable sender transmit the message in the clear without either side noticing.
GDPR and the De Facto Obligation to Use TLS
While RFC 3207 stops short of requiring TLS, the GDPR (General Data Protection Regulation) enforces stricter data protection principles. Specifically:
- Article 5: Personal data must be processed in a manner that ensures integrity and confidentiality.
- Article 32: Data controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; Article 32(1)(a) names encryption of personal data as one such measure.
Transmitting personal data by email without TLS is therefore hard to defend as an "appropriate" measure, and can amount to GDPR non-compliance when a breach or complaint follows. Although RFC 3207 leaves TLS optional at the protocol level, the regulation makes encryption in transit the expected baseline for any email service that handles personal data.
Strict TLS vs. Opportunistic TLS
Email servers may be configured with STRICT TLS or OPPORTUNISTIC TLS.
Feature | Strict TLS | Opportunistic TLS
---|---|---
Encryption required? | Yes (delivery fails or is deferred if TLS is unavailable) | No (encryption is used only if the peer supports it)
Fallback to plaintext? | Never | Yes, if the other server does not offer STARTTLS
Security level | High | Medium
GDPR compliance | Yes | Risky, depending on the context

- Strict TLS ensures encryption is always used, reducing the risk of data exposure.
- Opportunistic TLS tries to encrypt, but falls back to unencrypted transmission when the peer does not offer TLS, which can compromise sensitive data.
Security Risks of Not Using TLS or Only Opportunistic TLS
- Eavesdropping: Without TLS, attackers on the path can read email contents as they move between servers.
- MITM attacks: TLS only authenticates the remote server if the client actually validates its certificate. Most opportunistic configurations accept any certificate, so an attacker can still interpose with a self-signed one; a downgrade attacker can also simply strip the STARTTLS capability and read the plaintext that follows.
- Data breach risk: Any exposure of personal data due to unencrypted email transmissions can constitute a personal data breach under GDPR.
- Legal and financial penalties: Non-compliance with GDPR can lead to substantial fines and reputational damage.
Even opportunistic TLS is not sufficient on its own, because the downgrade to plaintext is silent: no error is produced and the message is delivered as if nothing had happened. It is therefore unsuitable for transmitting personal or sensitive data without additional protections such as a strict policy or certificate verification.
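The following simulation is an added example for this article; it is not code from the page or from DomainRegister. It models, entirely in memory, what the "Strict TLS vs. Opportunistic TLS" table and the downgrade risk described above look like at the protocol level: a constructed EHLO reply from a receiving MTA, an on-path attacker that strips the STARTTLS keyword from that plaintext reply, and a sending MTA that applies one of three policies. The policy names (may, encrypt, verify) are borrowed from Postfix's smtp_tls_security_level values; the Outcome type, the function names and the hostnames are assumptions made for the example.

```python
"""Simulated SMTP STARTTLS negotiation under opportunistic and strict policies.

Added example for this article; not code from the page or from DomainRegister.
Everything is constructed and runs in memory: the receiving MTA's EHLO reply,
the on-path attacker and the sending MTA's policy decision are all simulated,
so no network connection is made.  Policy names follow Postfix's
smtp_tls_security_level values (may / encrypt / verify); the Outcome type and
the function names are ours.
"""
from dataclasses import dataclass

# Constructed EHLO reply of a receiving MTA that offers STARTTLS (RFC 3207).
# Continuation lines use "250-"; the final line uses "250 " (with a space).
HONEST_EHLO = [
    "250-mx.example.net Hello",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 8BITMIME",
]


def ehlo_keywords(ehlo_lines):
    """Return the EHLO keywords: first token after the 3-digit code, skipping the greeting."""
    return {line[4:].split()[0].upper() for line in ehlo_lines[1:] if len(line) > 4}


def advertises_starttls(ehlo_lines):
    return "STARTTLS" in ehlo_keywords(ehlo_lines)


def strip_starttls(ehlo_lines):
    """The STARTTLS downgrade: an on-path attacker edits the *plaintext* EHLO
    reply so the client never learns that TLS is available."""
    kept = [l for l in ehlo_lines if l[4:].split()[0].upper() != "STARTTLS"]
    kept[-1] = "250 " + kept[-1][4:]  # keep the multi-line reply well-formed
    return kept


@dataclass(frozen=True)
class Outcome:
    delivered: bool      # did the sender go ahead and transmit the message?
    encrypted: bool      # was the message protected by TLS?
    authenticated: bool  # was the peer's certificate checked and found valid?
    note: str


def negotiate(ehlo_lines, policy, cert_ok=True):
    """Sending-MTA decision after reading the EHLO reply.

    policy:  'may'     opportunistic: use TLS if offered, otherwise plaintext
             'encrypt' strict: TLS required, certificate not checked
             'verify'  strict: TLS required and the certificate must validate
    cert_ok: simulated result of certificate validation once TLS is up.
    """
    if policy not in ("may", "encrypt", "verify"):
        raise ValueError(f"unknown policy {policy!r}")

    if not advertises_starttls(ehlo_lines):
        if policy == "may":
            # The silent downgrade: nothing fails, the message goes out in the clear.
            return Outcome(True, False, False, "no STARTTLS offered; fell back to plaintext")
        return Outcome(False, False, False, "TLS required but not offered; message deferred")

    # STARTTLS offered: the client issues STARTTLS and the session is upgraded.
    if policy == "verify" and not cert_ok:
        return Outcome(False, True, False, "TLS up but certificate invalid; message deferred")
    return Outcome(True, True, policy == "verify", "STARTTLS accepted; session encrypted")


def scenario_matrix():
    """Run every policy against an honest peer and a downgraded (stripped) EHLO."""
    results = {}
    for label, ehlo in (("honest", HONEST_EHLO), ("stripped", strip_starttls(HONEST_EHLO))):
        for policy in ("may", "encrypt", "verify"):
            results[(label, policy)] = negotiate(ehlo, policy)
    return results


if __name__ == "__main__":
    for (peer, policy), out in scenario_matrix().items():
        print(f"{peer:8} {policy:8} delivered={out.delivered!s:5} "
              f"encrypted={out.encrypted!s:5} authenticated={out.authenticated!s:5} {out.note}")
```

The "stripped + may" row is the case the article warns about: the message is delivered, no error is logged, and it travelled in plaintext. With "encrypt" or "verify" the same attack produces a deferral instead, which is exactly the fail-closed behaviour the table calls Strict TLS. In a real Postfix deployment the equivalent outbound setting is smtp_tls_security_level (may, encrypt, verify or secure); note that only the verify and secure levels check the peer certificate, so "encrypt" alone still leaves the MITM-with-any-certificate case open.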
While the technical specification (RFC 3207) does not strictly enforce TLS, the legal landscape under GDPR makes it essential for email services that handle personal data to:
- Use TLS consistently, and
- Prefer strict TLS policies to ensure compliance and data protection.
Securing email with TLS isn't just best practice—it's a legal and ethical obligation in modern digital communication.
TLS Configuration on DomainRegister Email Servers
At DomainRegister, we adopt different TLS configurations based on the type of email service provided:
- The email service handling user communication (@domainregister.it) is configured with Strict TLS. This ensures maximum security and confidentiality, especially given the sensitivity of the data involved, such as account access credentials and password recovery messages. No email is transmitted without encryption.
- The email service offered to clients via our hosting platform (unihost.it) currently uses Opportunistic TLS. This configuration allows broad compatibility with various mail servers while still providing encryption whenever possible. However, we are actively evaluating the implementation of Strict TLS on this platform too, particularly because the number of obsolete mail servers in the European market that do not support TLS has become negligible.
If any user requires email services with Strict TLS enforcement, we kindly invite them to open a support ticket, and we will be happy to assist with a secure configuration tailored to their needs.