---
title: "What is TLS encryption and how does it work? | DuoCircle"
description: "What is TLS encryption and how does it work?"
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/email-security/what-is-tls-encryption-and-how-does-it-work/"
---

Quick Answer

TLS (Transport Layer Security) is a cryptographic protocol that encrypts data in transit between two endpoints, replacing the older SSL standard. The IETF released TLS 1.0 in 1999; the current version, TLS 1.3, was published as RFC 8446 in 2018. For email, TLS protects SMTP, IMAP, and POP3 connections in two ways: STARTTLS upgrades a plaintext connection to encrypted mid-session (port 25/587 SMTP, 143 IMAP, 110 POP3); implicit TLS starts encrypted from the first byte (port 465 SMTPS, 993 IMAPS, 995 POP3S). The TLS handshake exchanges supported cipher suites, validates the server certificate against a trusted CA chain, and derives session keys via Diffie-Hellman (or ECDHE in modern deployments) so even a recorded session cannot be decrypted later if the server's long-term key is compromised.

What is TLS encryption and how does it work?


![TLS encryption](https://media.mailhop.org/duocircle/images/2024/09/sender-policy-framework-3.jpg) 

TLS, which is short for [Transport Layer Security](https://www.techtarget.com/searchsecurity/definition/Transport-Layer-Security-TLS), is an [email security](/) protocol based on cryptography. It facilitates the end-to-end security of data transmitted between applications over the Internet. Most people know it as the padlock icon that appears in web browsers when a secure session is established. _But there is more to it: it’s also used in emails, file transfers, video and audio conferencing, instant messaging, and voice-over IP_. The overall aim of TLS is to add an **extra layer of security**, preventing [threat actors](https://www.bleepingcomputer.com/news/security/notorious-fin7-hackers-sell-edr-killer-to-other-threat-actors/) from hijacking connections between internet-enabled devices. It lets you know whether the person you are communicating with is actually who they claim to be.

TLS was proposed by the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet%5FEngineering%5FTask%5FForce), and its first version was **released in 1999**. We currently use TLS 1.3, which was published in 2018.

## What does TLS do?

_Before understanding the TLS process, you should know that email is usually exchanged using SMTP to send and relay messages_. Other protocols like IMAP and POP3 are used to retrieve emails from a server. While SMTP takes care of the **delivery of email** from the sender’s server to the receiver’s, IMAP/POP3 is used by the recipient’s client to fetch the email from the mail server.

By default, [SMTP, POP3, and IMAP](/email-security/email-protocols-the-differences-between-imap-pop-and-smtp/) do not encrypt [email traffic](https://emailanalytics.com/email-traffic/), which means that data, including the contents of emails, can be intercepted and read by [malicious actors](https://www.infosecurity-magazine.com/news/github-distribute-fake-exploits/). TLS helps address this by **encrypting the connection**.

There are two ways to secure emails using TLS:

[![email delivery](https://media.mailhop.org/duocircle/images/2024/09/hosted-email-server-2448.jpg)](https://media.mailhop.org/duocircle/images/2024/09/hosted-email-server-2448.jpg)

### STARTTLS

STARTTLS is a command used to **upgrade an existing plaintext connection** (unencrypted) to an encrypted one using TLS. It works with both [SMTP](/email/outbound-smtp) (for sending emails) and IMAP/POP3 (for receiving emails). 

The process begins when the client connects to the server over a plain, unencrypted connection. _Then, the client sends the ‘STARTTLS’ command to signal the intent to upgrade the connection to a secure one_. If the **server responds positively**, the TLS handshake takes place, creating a secure and encrypted session. After the handshake is completed, communication continues over the encrypted connection, ensuring the data is protected.

### Implicit TLS

With Implicit TLS, the connection is encrypted from the beginning, and there is no need for an upgrade using the **STARTTLS command**. In this method, the client directly initiates a connection over TLS, and the communication remains encrypted throughout the session.
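The two connection modes described above can be checked from a client, shown here as an added example that is not DuoCircle's code. It uses Python's standard `smtplib` and `ssl`; the function names and the constructed EHLO replies (`mx.example.test`) are assumptions, and the STARTTLS probe refuses to continue in plaintext when the server does not offer the upgrade.

```python
import smtplib
import ssl
import sys

# Constructed EHLO reply bodies, in the form smtplib's ehlo() returns them
# (status codes stripped, one line per extension). Not captured from a real server.
SAMPLE_WITH_STARTTLS = b"mx.example.test\nPIPELINING\nSIZE 35882577\nSTARTTLS\n8BITMIME"
SAMPLE_WITHOUT_STARTTLS = b"mx.example.test\nPIPELINING\nSIZE 35882577\n8BITMIME"


def strict_context() -> ssl.SSLContext:
    """Verify the CA chain and hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def starttls_offered(ehlo_body: bytes) -> bool:
    """True if the EHLO reply lists the STARTTLS extension keyword."""
    lines = ehlo_body.splitlines()[1:]   # first line is the server greeting
    keywords = {line.split()[0].upper() for line in lines if line.strip()}
    return b"STARTTLS" in keywords


def probe_starttls(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Connect in plaintext, then upgrade; never fall back to sending unencrypted."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, body = smtp.ehlo()
        if code != 250 or not starttls_offered(body):
            raise RuntimeError(f"{host}:{port} did not offer STARTTLS, refusing plaintext")
        smtp.starttls(context=strict_context())   # raises if the certificate check fails
        smtp.ehlo()                                # re-read extensions inside the TLS session
        return {"mode": "STARTTLS", "tls": smtp.sock.version(), "cipher": smtp.sock.cipher()[0]}


def probe_implicit(host: str, port: int = 465, timeout: float = 10.0) -> dict:
    """The TLS handshake happens before any SMTP command is sent."""
    with smtplib.SMTP_SSL(host, port, timeout=timeout, context=strict_context()) as smtp:
        return {"mode": "implicit", "tls": smtp.sock.version(), "cipher": smtp.sock.cipher()[0]}


if __name__ == "__main__":
    print("STARTTLS offered:", starttls_offered(SAMPLE_WITH_STARTTLS))
    print("STARTTLS offered:", starttls_offered(SAMPLE_WITHOUT_STARTTLS))
    if len(sys.argv) > 1:   # optional live check against a host you operate
        print(probe_starttls(sys.argv[1]))
        print(probe_implicit(sys.argv[1]))
```

The returned `tls` and `cipher` values are the protocol version and cipher suite the handshake settled on for that connection.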

### TLS handshake process

Regardless of whether **STARTTLS or Implicit TLS** is used, the handshake process remains the same. 

#### Step 1: Client Hello

The client ([mail server](https://www.cloudflare.com/learning/email-security/what-is-a-mail-server/) or email client) initiates a connection with the server by sending a Client Hello message. This message includes a list of supported encryption algorithms (cipher suites) such as AES, RSA, ECDHE, etc., supported TLS versions (e.g., TLS 1.2, TLS 1.3), and random data for **generating keys**.

#### Step 2: Server Hello

The server responds with a Server Hello message, which contains:

- The chosen **cipher suite** (based on what the client supports)
- The server’s digital certificate (public key), issued by a [Certificate Authority (CA)](https://www.digicert.com/blog/what-is-a-certificate-authority) to prove its identity
- Random data for generating keys
- _In some cases, the server may request the client’s certificate (for mutual authentication, although this is rare in email exchanges)_.

#### Step 3: Certificate verification

The client verifies the server’s certificate by evaluating whether it’s **valid and trusted**. This is done by verifying the signature with the CA’s public key. If it matches, the connection continues; otherwise, it fails.

[![ public key ](https://media.mailhop.org/duocircle/images/2024/09/spf-permerror-2.jpg)](https://media.mailhop.org/duocircle/images/2024/09/spf-permerror-2.jpg)

#### Step 4: Key exchange and session key generation

To generate a session key, the client and server use the **random data** exchanged during the Hello phase and the server’s public key. In older versions like TLS 1.2, the client encrypts a pre-master secret with the server’s [public key](https://www.investopedia.com/terms/p/public-key.asp) and sends it to the server. 

However, the recent **TLS 1.3 version** uses a faster and more secure key exchange mechanism, which ensures forward secrecy. In simpler words, it ensures that even if the [private key](https://utimaco.com/service/knowledge-base/keys-secrets-management/private-key) is compromised in the future, past communications will remain secure. 

#### Step 5: Handshake completion

Once the session key is established, the client and server send a message confirming that the handshake is complete. The communication is now encrypted, and both parties can **exchange email data securely**.
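Step 4 in miniature, as an added example that is not from the original article: it contrasts the older encrypted pre-master secret with an ephemeral Diffie-Hellman exchange to show why only the latter gives forward secrecy. The group and RSA sizes are toy values, mixing the Hello randoms in as the HKDF salt is a simplification of the real key schedule, and all function names are illustrative.

```python
import hashlib
import hmac
import secrets

# Toy parameters so the arithmetic stays readable. Far too small for real use.
P, G = 2**127 - 1, 3                                  # DH group: prime modulus, generator
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q                                 # server's long-term public modulus
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))     # server's long-term private key


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a pseudorandom key, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_key(secret: int, client_random: bytes, server_random: bytes) -> bytes:
    """Mix the Hello randoms with the exchanged secret (simplified key schedule)."""
    salt = client_random + server_random
    return hkdf_sha256(salt, secret.to_bytes(32, "big"), b"session key")


def rsa_key_transport(client_random: bytes, server_random: bytes):
    """Older style: the client picks the pre-master secret and encrypts it to the server."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    on_the_wire = pow(premaster, RSA_E, RSA_N)        # this is what a recording contains
    return session_key(premaster, client_random, server_random), on_the_wire


def ephemeral_dh(client_random: bytes, server_random: bytes):
    """Forward-secret style: both sides use throwaway key pairs, discarded afterwards."""
    c_priv, s_priv = (secrets.randbelow(P - 3) + 2 for _ in range(2))
    c_pub, s_pub = pow(G, c_priv, P), pow(G, s_priv, P)   # only these cross the wire
    client_key = session_key(pow(s_pub, c_priv, P), client_random, server_random)
    server_key = session_key(pow(c_pub, s_priv, P), client_random, server_random)
    return client_key, server_key, (c_pub, s_pub)


def key_from_recording_rsa(on_the_wire: int, client_random: bytes,
                           server_random: bytes, long_term_d: int) -> bytes:
    """With key transport, the long-term private key reopens a recorded session."""
    premaster = pow(on_the_wire, long_term_d, RSA_N)
    return session_key(premaster, client_random, server_random)


if __name__ == "__main__":
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    key, wire = rsa_key_transport(cr, sr)
    print("key transport, recording + long-term key recovers session key:",
          key_from_recording_rsa(wire, cr, sr, RSA_D) == key)
    ck, sk, _ = ephemeral_dh(cr, sr)
    print("ephemeral DH, both sides agree:", ck == sk)
    # RSA_D is never an input to ephemeral_dh: it would only sign the handshake,
    # so holding it later does not help derive ck from the recorded public values.
```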

## Difference between SSL and TLS

[SSL and TLS](https://www.ibm.com/docs/zh/i/7.3?topic=concepts-secure-sockets-layer-transport-layer-security) serve the same purpose, which is why most people use the terms interchangeably; however, that’s wrong because there are differences between the two **security protocols**.

| Factors                       | SSL                                                                                                                                                                                                                                                                  | TLS                                                                                                                                                                                                                                                                                                                                                                                                            |
| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Protocol version and security | SSL has gone through several versions, with the last being SSL 3.0. It is now considered outdated and insecure due to known vulnerabilities, such as the [POODLE attack](https://www.darkreading.com/cyberattacks-data-breaches/-poodle-attacks-kills-off-ssl-3-0). | TLS is an updated, more secure protocol. Its current versions (TLS 1.2 and TLS 1.3) offer better security features, including stronger encryption algorithms, improved key exchange mechanisms, and resistance to many vulnerabilities present in SSL. |
| Handshake process             | SSL uses a fixed, more rigid handshake process with certain vulnerabilities. For example, SSL allows weaker encryption algorithms and doesn’t support modern cryptographic suites.                                                                                   | TLS has a more flexible handshake, which allows the negotiation of more secure encryption algorithms and key exchange methods. Starting with TLS 1.3, some handshake steps have been optimized for faster connections and enhanced security by removing older, insecure [cryptographic algorithms](https://www.geeksforgeeks.org/basics-of-cryptographic-algorithms/).                                         |
| Cipher suites and algorithms  | SSL relies on older cipher suites and hashing algorithms, many of which are now deprecated or vulnerable (like MD5 and SHA-1).                                                                                                                                       | TLS uses stronger and more modern [encryption algorithms](https://www.techopedia.com/definition/1778/encryption-algorithm), such as AES and ChaCha20, and advanced cryptographic methods like ECDHE (Elliptic Curve Diffie-Hellman Ephemeral), for key exchanges, offering stronger protection against [eavesdropping](https://thehackernews.com/2024/05/new-wi-fi-vulnerability-enabling.html) and tampering. |

## Final words

TLS should be combined with [SPF](/resources/what-is-spf), [DKIM](/resources/what-is-dkim), and DMARC to provide a **robust defense** against email-based threats. Together, these technologies facilitate confidentiality and authentication while improving the deliverability rate and [domain reputation](https://medium.com/@nicoliawiles/what-is-domain-reputation-and-why-does-it-matter-prime-pr-ecb6ab2ecc2c). To get started with [DMARC](/resources/what-is-dmarc), reach out to us.


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

