Universal Article/Blog/News module
What is StartTLS?
What is StartTLS?
The framework behind emailing can be complex for beginners. You might have thought of the medium responsible for securely delivering the message when sent from one server to another. You might have also come across terms like simple mail transfer protocol (SMTP), StartTLS, and SSL. If you are still in these, this article can be a major relief for you. Find out all about StartTLS and its related terms in the article below.
What is startTLS?
StartTLS is a command which informs the email servers when an email client wants to move their insecure connection to a secure connection of sending email from one server to another. The encryption or securing of connection is done by using SSL or TLS.
StartTLS can be used with SMTP, IMAP, while POP3 uses a slightly different command to secure the connection which is STLS. The startTLS uses the following methods to encrypt or secure the connection:
- LDAP (lightweight directory access protocol)XMPP (extensible messaging and presence protocol)
- NNTP (network news transfer protocol)
- FTP (file transfer protocol)
Providing the facility of using various domains and certificates on one server, startTLS has become one of the most famous email encryption methods among internet providers.
What is the Importance of startTLS?
Initially, the SMTP is unencrypted, which means if you send information like bank information or any other email to your recipients, they can easily be interpreted and accessed by another source. The startTLS encryption would allow you to send secure emails to your recipients without getting into any hurdles of someone accessing your emails.
On the other hand, there are few disadvantages of using startTLS, initially, the IP address is not secured between the email client and email server, which can result in increasing the risk of man-in-middle attacks.Man-in-middle attacks allow outsiders to secretly interpret or alter communication.
The startTLS can cause a delay in the SMTP connections. This is not a long delay that it can make you send unencrypted emails.
How the startTLSWorks?
TLS vs SSL
StartTLS works with both of the protocols, TLS and SSL. However, it is recommended to use TLS, because it is the latest protocol and much more secure compared to SSL. For reference below are the versions available for both TLS and SSL.
- TLS- TLSv1.1, 1.2, and 1.3.
- SSL- SSLv2 and SSLv3.
The email server and the email client have to agree on one secure connection. If the email client is asking for TLSv1.2 but the email server is asking TLSv1.3, then the TLSv1.3 would be used.
The Process of startTLS
Initially, SMTP starts with an unsecured connection. The startTLS negotiates between the client and the server. Learn the step-by-step process of startTLS execution below.
Step 1- the foremost step that is taken is by TCP (transmission control protocol), which is the shaking of hands between the email server and client for the identification of each other.
Step 2- the email server uses “220 Ready” to identify the email clients to proceed with the encryption process.
Step 3- the email client sends “EHLO” to the email server in order to inform them that they want to use the extended SMTP (advanced SMTP), this would allow the usage of images, attachments, and other elements.
Step 4- for the acceptance of startTLS, the client sends “250-STARTTLS” to the email server. The email server accepts or rejects the process of startTLS.
Step 5- when the email server accepts the connection, the encryption is created.
Step 6- afterward, the client restarts the connection and the encryption begins.
Which Port Should You Use?
Port 587 is the most commonly used port in the startTLS. It requires the email clients to use the startTLS to send messages. Other ports that are used are 25, 2525, and 465. However, port 25 is only used for the transferring of the email but does not allow submission. This can make the ISPs to block emails that are sent through the port 25. The second most commonly used port is port 465.
Explicit TLS vs Implicit TLS
To set up the email encryption, there are various ways through the explicit TLS (opportunistic TLS) and implicit TLS (enforced TLS)
Explicit TLS (opportunistic TLS)- the email client sends the email with the highest level of encryption to the server of recipients. If the recipient's servers don’t accept the TLS, the email client negotiates with the recipient's server and decides to send an unencrypted, plain text email to the recipients. The same port can be used for both encrypted and unencrypted emails.
Implicit TLS (enforced TLS)- this is the method that only allows sending emails to the server of recipients which accepts the TLS. If the connection is unencrypted, those emails are blocked when sending emails. This is more secure than the explicit TLS but it would result in more email dropping or less email deliverability.
How to Test startTLS?
You can test the startTLS by various commands using ESPs (email service providers) like CBT Mass Email Sender. It is vital to test the startTLS encryption because it would help to avoid sending unencrypted emails to the recipients.
If you are sending the unencrypted email to your recipients, you are increasing the risk of getting personal information's like passwords or IDs to access by other sources. This would decrease the trust of your recipients in your email services. However, you should opt for the startTLS encryption to keep your connection secure. This would also help in increasing your sender’s reputation as ISPs like Google and Yahoo would consider you a relevant and safe email sender.
If you are using ESPs, they probably have the services of providing startTLS. It is highly recommended that you should opt for it to avoid any hindrance in your email communication.