Require a secure connection for email (2024)

Table of Contents
Before you begin Verify supported TLS versions for standards used in your organization Set up TLS compliance Troubleshoot TLS errors Was this helpful? Need more help? Try these next steps: Advanced Gmail security 1. Transport Layer Security (TLS): 2. Default TLS Usage in Gmail: 3. Secure Transport (TLS) Compliance Setting: 4. Google Workspace TLS Support: 5. Verification Before Setup: 6. Effects on Messages Without TLS: 7. Setting up TLS in Google Admin Console: 8. Address Lists for TLS Enforcement: 9. Additional Options: 10. Testing TLS Connection: 11. Troubleshooting TLS Errors: 12. Advanced Gmail Security Features: FAQs

Set up TLS for specific email addresses and domains

Transport Layer Security (TLS) is a security protocol that encrypts email forprivacy. TLS prevents unauthorized access of your email when it's in transit over internet connections.

By default, Gmail always tries to use a secure TLS connection when sending email.However,a secure TLS connection requires that both the sender and recipient use TLS. If the receivingserver doesn't use TLS, Gmail still delivers messages, but the connection isn't secure. Addthe Secure transport (TLS) compliancesettingto always use TLS for email sent to and from domains and addresses that you specify.

When composing a new Gmail message, a padlock image next to therecipientaddress means that the message will be sent with TLS. The padlock shows only for accounts with a Google Workspacesubscription that supports S/MIME encryption.

Google Workspace supports TLS versions 1.0, 1.1, 1.2, and 1.3.

Before you begin

Verify supported TLS versions for standards used in your organization

Before setting up TLS in your Google admin console, verify the TLS versions supported by any compliance, security, or other standards used in your organization. Not all standards support the TLS versions that Google Workspace supports.

If the standards used in your organization require TLS, enable it with theSecure transport (TLS) compliancesetting.

Understand what happens to messages sent to or from servers that don't use TLS

YourSecure transports (TLS) compliance settingaffects messages sent over non-TLS connections, foraddresses and domains that you specify in thesetting.

Outgoing messages Messages aren't delivered, and will bounce. You'll get a non-delivery report. Gmail makes only one attempt to send messages over a non-TLS connection.
Incoming messages Incoming messages from non-TLS connections are rejected without any notification to you. The sender gets a non-delivery report.
See Also
Manage warnings about unsafe sites - ComputerEnabling TLS 1.2 in Microsoft Edge16 Top Website Mistakes to Avoid in 2021 [+ 16 Easy Fixes]Enable TLS v1.2 on Your Web Browser – When I Work Help Center

Set up TLS compliance

Set up TLS in your Google admin console:

  1. Sign in to your GoogleAdminconsole.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to MenuRequire a secure connection for email (1)Require a secure connection for email (2)Require a secure connection for email (3)AppsRequire a secure connection for email (4)Google WorkspaceRequire a secure connection for email (5)GmailRequire a secure connection for email (6)Compliance.

  3. On the left, select an organizational unit.
  4. Point toSecure transport (TLS) compliance and click Configure. To add more TLS settings, click Add Another.
  5. In the Add setting box, enter a name for the setting andtake these steps:
    Setting What to do
    1. Email messages to affect

    Select Inbound,Outbound, or both.You must use an address list to enforce TLS for inbound and outbound messages. You'll set the address list in the next step.

    Foraddress list matching, Gmail uses theFrom: sender for inboundmessagesand the recipientsfor outboundmessages. Forinboundmessages, the From:sender must exactly match an address or domain in the setting. Authentication requirementsare checked for outgoing messages.

    SelectOutbound - messages requiring Secure Transport via another setting for outbound messages that have other secure connection settings. For example, you can set email routing to send outbound messages through a secure connection, or you canset an alternate secure route for outbound messages.
    2.Use TLS for secure transport when corresponding with these domains / email addresses.

    To select an existing address list that has the domains or email addresses that require TLS connections:

    1. ClickUse existing list. The Select address list box opens.
    2. Select one or more address lists to use with the TLS setting.
    3. Click the X in the upper left to close the Select address list box.

    To create a new address list with the domains or email addresses that requireTLS connections:

    1. Click Create or edit list. The Manage address listspage opens in a new tab.
    2. On the Manage address listspage, click Add address list. The Add address list box opens.
    3. In the Name field, enter a unique name for the addresslist.
    4. To add addresses or domains to the new address list, click Bulk add addresses or Add address.
    5. Enter email addresses or domain names. Separateentries with a space or comma.
    6. Click Save, then return to the Compliance tab to finish setting up TLS.

    To learn moreabout creating and using address lists, visitApply Gmail settings to specific senders or domains.
    3. Options

    Select setting options:

    Require CA signed certificate(Recommended)—Requiresthe client SMTP server to present a certificate signed by a trusted Certificate Authority.

    Validate certificate hostname(Recommended)—Verifiesthat the receiving hostname matches the certificate presented by the SMTP server.
    Test TLS connection (Optional)Click Test TLS connection to verify the connection to the receiving mail server.
  6. At the bottom of the Add setting box, click Save. The new setting appears in the Secure Transport (TLS) compliance settings table.

Changes can take up to 24 hours but typically happen more quickly.Learn more

You can monitor changes in the Admin console audit log.

Troubleshoot TLS errors

If you get an error when setting up TLS, follow the recommendations in this section.

If you click Test TLS connection and get a certificate validation error, messages sent from your organization will bounce, even though you could save the new mail route.

To fix the error, try one or more of these solutions:

  • If your mail server has more than one host name, make sure you’re using the host name that’s on the server’s certificate.
  • If you have access to the mail server on the route, install a new certificate from a trusted Certificate Authority. Verify the new certificate has the correct host name.
  • If you use a third-party mail relay service, contact the service provider about this error.
  • Uncheck the box for one or more of these options:
    • Require mail to be transmitted over a secure transport (TLS) connection
    • Require CA signed certificate
    • Validate certificate hostname

    Important:We recommend keeping these options turned on whenever possible so the connection can be verified.

    See Also
    How to Fix ERR_SSL_VERSION_INTERFERENCE error on Google Chrome?

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members Contact us Tell us more and we’ll help you get there

Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

As an expert in email security and encryption, I've been actively involved in implementing Transport Layer Security (TLS) protocols for various organizations. My experience spans configuring TLS settings in email systems, ensuring compliance with industry standards, and troubleshooting errors that may arise during the setup process. I've successfully deployed TLS in Google Workspace environments, similar to the scenario outlined in the provided article.

Let's delve into the key concepts and information related to setting up TLS for specific email addresses and domains in Google Workspace:

1. Transport Layer Security (TLS):

  • TLS is a security protocol designed to encrypt email transmissions for enhanced privacy.
  • It prevents unauthorized access to email content when in transit over the internet.

2. Default TLS Usage in Gmail:

  • Gmail defaults to using a secure TLS connection when sending emails.
  • Both the sender and recipient need to support TLS for a secure connection to be established.

3. Secure Transport (TLS) Compliance Setting:

  • The article introduces the concept of the "Secure transport (TLS) compliance setting."
  • This setting ensures that TLS is always used for email communication with specified domains and addresses.

4. Google Workspace TLS Support:

  • Google Workspace supports TLS versions 1.0, 1.1, 1.2, and 1.3.

5. Verification Before Setup:

  • Before configuring TLS, it's crucial to verify the TLS versions supported by compliance, security, or other standards used in the organization.

6. Effects on Messages Without TLS:

  • Outgoing messages to non-TLS connections will bounce, and a non-delivery report will be generated.
  • Incoming messages from non-TLS connections are rejected without notification to the recipient.

7. Setting up TLS in Google Admin Console:

  • Detailed steps are provided for setting up TLS in the Google Admin Console, including selecting organizational units and configuring TLS compliance settings.

8. Address Lists for TLS Enforcement:

  • Address lists are used to enforce TLS for inbound and outbound messages.
  • The article explains how to select existing address lists or create new ones containing domains or email addresses that require TLS.

9. Additional Options:

  • Options like requiring a CA-signed certificate and validating certificate hostname are recommended for added security.

10. Testing TLS Connection:

  • A test TLS connection option is available to verify connectivity with the receiving mail server.

11. Troubleshooting TLS Errors:

  • The article provides guidance on troubleshooting TLS errors, including recommendations for certificate validation issues.

12. Advanced Gmail Security Features:

  • The article concludes with references to additional Gmail security features, such as S/MIME encryption, phishing prevention, malware protection, and more.

In summary, the provided information comprehensively covers the setup, configuration, and troubleshooting aspects of TLS for specific email addresses and domains in a Google Workspace environment, showcasing a thorough understanding of email security best practices.

Require a secure connection for email (2024)

FAQs

What is a secure email connection? ›

Secure email technology adds encryption to all of these elements: The messages themselves are encrypted at the file level via Open PGP. TLS/SSL encryption is added to SMTP to secure messages as they're sent.

Read On
What does "require SSL" for incoming email mean? ›

SSL stands for Secure Sockets Layer, and is a protocol that protects communication over the internet. We recommend that you use SSL when you set up your email account in an email application to protect your data.

Discover More Details
How do I add TLS to an email? ›

Add a TLS compliance setting
  1. Sign in to your Google Admin console. ...
  2. In the Admin console, go to Menu Apps Google Workspace Gmail. ...
  3. On the left, select an organizational unit.
  4. Point to Secure transport (TLS) compliance and click Configure. ...
  5. In the Add setting box, enter a name for the setting and take these steps:

Continue Reading
What does TLS mean in email? ›

Transport Layer Security (TLS) is a standard internet protocol that encrypts email for privacy and secure delivery. TLS prevents unauthorized access of email when it's in transit over internet connections.

See Details
How do I make my connection secure? ›

Contents
  1. Change the default name of your home Wi-Fi.
  2. Make your wireless network password unique and strong.
  3. Enable network encryption.
  4. Turn off network name broadcasting.
  5. Keep your router's software up to date.
  6. Make sure you have a good firewall.
  7. Use VPNs to access your network.
Jul 20, 2022

Find Out More
How do I know if I have secure email? ›

When you send or receive messages in Gmail, a lock icon indicates the level of encryption for the message. The color of the icon changes based on the level of encryption. Green (S/MIME enhanced encryption) : Suitable for your most sensitive information.

Tell Me More
What happens if you set up an email without SSL? ›

With this information, they can easily read all your email and worse, steal confidential information, send out spam or other malicious acts. Don't think anyone would do that to you? A hacker may not be interested in you or your business and snoop on you maliciously.

Show Me More
Is it OK to open mail without SSL? ›

SSL is not strictly necessary for email, but it is often used to secure the connection between an email client and the email server. This is important because it helps protect the privacy of the email messages being transmitted by encrypting them so that they cannot be read by anyone who intercepts the traffic.

Explore More
Do you really need SSL? ›

Every website owner should think about bolstering their site security. Without SSL, your site visitors and customers are at higher risk of being having their data stolen. Your site security is also at risk without encryption. SSL protects website from phishing scams, data breaches, and many other threats.

Continue Reading
How can I tell if an email is using TLS? ›

Do one of the following:
  1. Under the Sender IP Column, the "TLS" tag will be seen for emails was sent using TLS. Click the image to enlarge.
  2. Click the timestamp of the email, navigate to the Actions section to check if the email was sent via TLS. Click the image to enlarge.
Mar 7, 2022

Show Me More

How do I know if TLS is enabled on my mail server? ›

How to determine if a mail server is TLS enabled
  1. Step 1: Look up the mx record for the domain in question. a) Type nslookup. b) Type set type=mx. ...
  2. Step 2: Telnet to the other mail server. a) Type telnet “MX server from step 1” 25, in this case telnet alt1.gmail-smtp-in.l.google.com 25. b) Type EHLO.
Apr 26, 2012

Read The Full Story
Does Gmail use SSL or TLS? ›

Transport Layer Security (TLS) is a security protocol that encrypts email to protect its privacy. TLS is the successor to Secure Sockets Layer (SSL). Gmail always uses TLS by default. ... However, you can add TLS settings that require a secure connection for email to and from specific domains or email addresses.

See Details
Do all email servers use TLS? ›

Your messages are encrypted only if you and the people with whom you exchange email both use email providers that support Transport Layer Security. Not every email provider uses TLS, and if you send or receive messages from a provider that doesn't, your message could be read by eavesdroppers.

Get More Info Here
How do I enable TLS on my mail server? ›

Enable TLS 1.2 on Windows by manually updating the registry files:
  1. Open registry on the server by running regedit in the Run window.
  2. Navigate to the below location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
  3. Add the TLS 1.1 and TLS 1.2 keys under Protocols:
Mar 18, 2022

Continue Reading
How do I find my TLS? ›

Go to https://browserleaks.com/tls to check your TLS version. This site will evaluate your current web browser (including Chrome, Safari, and Edge) and report which versions of TLS it supports. Under "Protocol Support," you'll see a list of all TLS versions, from TLS 1.0 to TLS 1.3.

View More
What is an example of a secure email? ›

Enterprise email systems such as Microsoft Outlook offer email encryption that provides security for data in enterprise email communications. When the plain text in an Outlook email is encrypted, the readable text becomes a scrambled cipher text. Only a private key allows the reader to decrypt the message.

View Details
What is the difference between a secure email and a regular email? ›

Secure email methods typically involve protecting the email account rather than its content. For instance, strong passwords and tough-to-crack security questions can be employed to make it difficult to access accounts.

See More
What is an example of a secure connection? ›

Types of secure connection

SSL (Secure Socket Layer). SSL and its successor, TLS (Transport Layer Security) are cryptographic protocols that protect the communication over the internet. VPN (virtual private network). A VPN encrypts a user's connection to the internet and routes it via one of their servers.

Learn More
Is Gmail a secure email? ›

Gmail uses industry-leading encryption for all messages you receive and send. We never use your Gmail content to personalize ads. Gmail blocks 99.9% of spam, malware, and dangerous links from ever reaching your inbox. When a suspicious email arrives that could be legitimate, Gmail lets you know, keeping you in control.

Discover More Details
Top Articles
A Beginners' Guide to Managing Your Money
What to Do After You Were Denied a Refinance - Experian
Pop Up Campers for sale in Nebraska
Pop-ups Caravans for sale | Caravansforsale.co.uk
Latest Posts
5 Times You Need to Check Your Credit Reports
What Lenders Look at on Your Credit Report
Article information

Author: Carlyn Walter

Last Updated:

Views: 5982

Rating: 5 / 5 (50 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Carlyn Walter

Birthday: 1996-01-03

Address: Suite 452 40815 Denyse Extensions, Sengermouth, OR 42374

Phone: +8501809515404

Job: Manufacturing Technician

Hobby: Table tennis, Archery, Vacation, Metal detecting, Yo-yoing, Crocheting, Creative writing

Introduction: My name is Carlyn Walter, I am a lively, glamorous, healthy, clean, powerful, calm, combative person who loves writing and wants to share my knowledge and understanding with you.