© Crown copyright 2016
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: email@example.com.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/email-security-standards/transport-layer-security-tls
What is TLS?
Transport Layer Security (TLS) is an encryption protocol used to protect data in transit between computers. When two computers send data they agree to encrypt the information in a way they both understand. Depending on the rules in place, one or other of them may refuse to connect if they can’t find a suitable encryption method.
In an email exchange the sending server contacts the receiving server over a standard SMTP connection and asks if it will accept a more secure TLS connection (STARTTLS). As it does this, it shares a list of protocols and ciphers it understands. The receiving server looks at the list and chooses an option they both understand. It then sends back its security certificate and public encryption key.
The sending server checks the security certificate is valid, then uses the public key to encrypt and send an email. Only the receiving server has the private key that can decrypt the email, so the message is sent securely.
If either server can’t support an encrypted connection then they will default to a less secure Secure Sockets Layer (SSL) connection, or a non-encrypted connection. When exchanging emails between government organisations both parties should insist on a TLS connection, and reject other types of connection.
This diagram shows how TLS works:
Sending email with TLS
Any modern email service is capable of using TLS. In most cases you will have an option of using opportunistic TLS on all connections. This means the servers will try to create an encrypted connection, but if they can’t they’ll send unencrypted. This is good, but not enough for regular use.
For regular use you should create a rule that will make sure a TLS connection is made when connecting to certain domains. If the sending and receiving servers can’t agree on an encryption method the connection is dropped and no data is sent.
Receiving email with TLS
Opportunistic TLS should be enabled. You can also require TLS when you know the sender supports it. This way any connections not using it will have email automatically rejected.
You can check an email was sent using TLS by looking at the message headers for a TLS version and cipher, but these can be hard to understand for non-technical users.
Find detailed information on the TLS specification at the The Internet Engineering Task Force. For more on how encryption works there is a simple explanation and a more complex video explanation by Khan Academy available.
NOTE: All Khan Academy content is available for free at www.khanacademy.org.