Before the birth of the modern Internet, e-mail was primarily used for exchanging messages across private networks where there was minimal risk of interception. As the use of e-mail proliferated for business and e-commerce purposes, mail delivery continued to rely on protocols that were not designed with information security concerns in mind. Over time, techniques were developed and adopted to improve the security of e-mail as it traveled across the Internet.
One of the techniques used to improve the security of e-mail is to encrypt the SMTP communication channel with TLS (Transport Layer Security). TLS ensures that a message and its metadata are encrypted as they pass between the sending and receiving mail servers. It's important to note that the scope of TLS is simply to encrypt data in transit. It does not provide any security guarantee regarding how the message is stored or delivered to the recipient.
With the rapid increase in adoption of TLS over the last several years, providers, including Gmail, are preparing to notify users when they receive messages that have not been encrypted in transit. Mailgun is prepared for this important change in the industry.
By default, Mailgun attempts to take advantage of TLS when it is supported by the receiving mail server. In these exchanges, we also check the validity and legitimacy of the mail server's certificate. In situations where a server doesn't support TLS, we simply send the message unencrypted. For many users, these are reasonable defaults. However, more companies have requirements that mandate the use of TLS for message exchange. As of today, Mailgun gives you the ability to configure these settings in the control panel on a per-domain basis.
Once you navigate to your domain, you can expand the “Security Settings for Outgoing Mail” section, where you can configure whether the domain forces TLS or uses the default opportunistic mode, and whether strict certificate validation is enforced.
Mailgun also offers the ability to configure these settings on a per-message basis. Any setting that is applied at the message level overrides the settings applied to the domain. More information about configuring the TLS settings for your domain is available in our documentation.
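The following sketch is an added example, not Mailgun's code or API: it models how the two settings described above combine and what happens to a message for each kind of receiving server. All names (`TlsPolicy`, `ReceivingServer`, `effective_policy`, `delivery_outcome`) are hypothetical, and two behaviours are assumptions: overrides apply setting by setting, and in opportunistic mode a certificate that fails strict validation leads to plaintext delivery.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TlsPolicy:
    # None means "not set at this level" (hypothetical representation).
    require_tls: Optional[bool] = None
    strict_validation: Optional[bool] = None


@dataclass(frozen=True)
class ReceivingServer:
    offers_starttls: bool
    certificate_valid: bool = False


def effective_policy(domain: TlsPolicy, message: TlsPolicy) -> TlsPolicy:
    """Message-level settings override domain-level ones (assumed per setting)."""
    def pick(msg_value, domain_value, default):
        if msg_value is not None:
            return msg_value
        return domain_value if domain_value is not None else default

    # Defaults from the article: opportunistic TLS, certificate is checked.
    return TlsPolicy(
        require_tls=pick(message.require_tls, domain.require_tls, False),
        strict_validation=pick(message.strict_validation,
                               domain.strict_validation, True),
    )


def delivery_outcome(policy: TlsPolicy, server: ReceivingServer) -> str:
    """Return 'encrypted', 'plaintext' or 'not delivered' for one attempt."""
    cert_acceptable = server.certificate_valid or not policy.strict_validation
    if server.offers_starttls and cert_acceptable:
        return "encrypted"
    # TLS could not be established on acceptable terms.
    if policy.require_tls:
        return "not delivered"   # forced mode never downgrades
    return "plaintext"           # opportunistic mode (assumed fallback)


if __name__ == "__main__":
    forced = TlsPolicy(require_tls=True)
    for server in (ReceivingServer(True, True), ReceivingServer(True, False),
                   ReceivingServer(False)):
        policy = effective_policy(forced, TlsPolicy())
        print(server, "->", delivery_outcome(policy, server))
```

The case worth auditing is opportunistic mode against a server with no STARTTLS or a bad certificate: the message still goes out, just without encryption, which is why domains with a TLS mandate need the forced setting.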
If you have questions about this new feature, please reach out to a member of our support team by creating a ticket in the Help Center.
Last updated on August 20, 2019