Email Transport Layer Security (TLS) Pattern
Email Transport Layer Security (TLS) Pattern depicting key controls, particularly for companies with many business partners
When to Use
A transparent solution is wanted that protects e-mail communication without requiring any end-user interaction.
When NOT to Use
E-mail communication must be protected from the sender's computer to the receiver's computer (end-to-end protection) to ensure that only the intended recipient has access to the information.
Typical Challenges
Not every mail gateway (MTA) of a communication partner supports TLS (Transport Layer Security). Furthermore, TLS might be supported but not configured properly. Additional challenges exist if an e-mail outsourcer is involved in TLS connections: not all MTAs are able to meet the additional requirements that outsourcers may impose in order to establish an Enforced TLS connection.
Threat Resistance
E-mail communication is protected over the Internet in order to prevent eavesdropping on confidential information, but there is no end-to-end protection. A number of residual risks remain with this pattern:
- No protection inside the intranet: confidentiality of e-mail communication is not guaranteed inside the company's intranet. In addition, confidentiality in an end-to-end sense cannot be ensured if a third party (outsourcer) provides the e-mail gateway functionality (MTA). In this case the TLS connection is terminated at the mail gateway of the third party and the e-mails can be read there. It has to be ensured that e-mail communication is also protected from the third party to the company's internal mail server.
- Loss of availability: for Enforced TLS connections there is a risk that e-mail communication between business partners is blocked if encryption is not possible. Continuous monitoring of Enforced TLS connections is required to identify encryption failures. Procedures have to be in place to temporarily remove the Enforced TLS policy in order to re-establish e-mail communication until the technical difficulties that caused the encryption failure have been resolved.
- No 100% encryption guarantee: Opportunistic TLS does not guarantee 100% security – if encryption is not possible, e-mails are sent in clear text. Therefore, monitoring of such connections is required to prove that Opportunistic TLS actually provides appropriate protection.
- TLS stack vulnerability: e-mail communication could be eavesdropped on due to vulnerabilities in the TLS communication stack.
- Identification of MTA: with Opportunistic TLS the authentication of the receiving mail server (MTA) cannot be guaranteed, as self-signed certificates are accepted.
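A monitoring check of the kind the residual risks above call for (encryption failures on Enforced TLS connections, cleartext deliveries under Opportunistic TLS, and unverified peer certificates), as an added example that is not part of this pattern page. It assumes a Postfix MTA that logs TLS sessions, and the partner list and log lines embedded below are constructed, modelled on Postfix log formats.

```python
import re
from dataclasses import dataclass

# Constructed policy: partners for which Enforced TLS is configured;
# every other destination is delivered with Opportunistic TLS.
ENFORCED_TLS_DOMAINS = {"strict.example"}

# Postfix logs one "... TLS connection established to <relay>[ip]:port: ..." line
# per handshake, followed by the delivery line from the same smtp process (pid).
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<relay>[^\[]+)\[")
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<[^>]*@(?P<domain>[^>]+)>, "
    r"relay=(?P<relay>[^\[]+)\[.*status=(?P<status>\w+) \((?P<reason>.*)\)$")

@dataclass
class Finding:
    queue_id: str
    domain: str
    kind: str    # "cleartext", "unauthenticated" or "enforced-failure"
    detail: str

def audit(lines):
    """Correlate TLS handshake lines with delivery lines and report residual-risk events."""
    last_tls = {}    # pid -> (relay, trust level) of that process's most recent handshake
    findings = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            last_tls[m["pid"]] = (m["relay"], m["trust"])
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        if m["status"] != "sent":
            # Enforced TLS blocks delivery when the peer cannot negotiate TLS (availability risk).
            if m["domain"] in ENFORCED_TLS_DOMAINS and "TLS" in m["reason"]:
                findings.append(Finding(m["qid"], m["domain"], "enforced-failure", m["reason"]))
            continue
        relay, trust = last_tls.get(m["pid"], (None, None))
        if relay != m["relay"]:
            # No handshake logged for this relay: Opportunistic TLS fell back to clear text.
            findings.append(Finding(m["qid"], m["domain"], "cleartext", "no TLS session logged"))
        elif trust in ("Anonymous", "Untrusted"):
            # Encrypted, but the peer certificate was not verified (e.g. self-signed).
            findings.append(Finding(m["qid"], m["domain"], "unauthenticated", trust + " TLS"))
    return findings

# Constructed sample log (Postfix-style), one clean TLS delivery, one cleartext
# delivery and one Enforced TLS failure.
SAMPLE_LOG = """\
Mar 10 09:00:01 mx1 postfix/smtp[4101]: Untrusted TLS connection established to mx.partner.example[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 10 09:00:01 mx1 postfix/smtp[4101]: 4F2A31C0012: to=<bob@partner.example>, relay=mx.partner.example[192.0.2.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7A1)
Mar 10 09:00:02 mx1 postfix/smtp[4102]: 4F2A31C0023: to=<dave@legacy.example>, relay=mail.legacy.example[203.0.113.5]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 OK)
Mar 10 09:00:03 mx1 postfix/smtp[4103]: 4F2A31C0034: to=<carol@strict.example>, relay=mx.strict.example[198.51.100.7]:25, delay=0.3, delays=0.1/0/0.2/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx.strict.example[198.51.100.7])
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:18} {f.queue_id} {f.domain}: {f.detail}")
```

Running the findings against a ticketing or alerting system gives the continuous monitoring the pattern requires; the "enforced-failure" entries are the ones that trigger the procedure to temporarily relax the Enforced TLS policy.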
Assumptions
Protection of e-mail communication at the infrastructure level (gateway-to-gateway) provides sufficient protection; no end-to-end protection is required.