Start Transport Layer Security (STARTTLS)


STARTTLS is an email protocol command that tells an email server that an email client, including one running in a web browser, wants to upgrade an existing insecure (plaintext) connection into a secure, encrypted one.

Why is STARTTLS important?

SMTP is not secure by default: an email sent over SMTP without STARTTLS travels in plaintext, so anyone able to intercept it can read it. This is of particular concern when the message carries sensitive or personal information such as usernames, passwords, or banking details.

When an email client uses STARTTLS, it tells the server that the rest of the session must be encrypted. If the traffic is then intercepted, the captured content is ciphertext and is very difficult to decipher: only the mail server and the mail client hold the session key needed to decode the message.

How does STARTTLS work?

STARTTLS works with both the TLS and SSL protocols. Because an SMTP session always begins unencrypted, a STARTTLS-enabled email client must notify the email server that the content is to be encrypted.

This notification process begins with the Transmission Control Protocol (TCP) handshake, which establishes the connection between the email client and the server. The email server sends a greeting to the client once it is ready to communicate. The client then sends an extended SMTP greeting (EHLO) and, if the server lists STARTTLS among its supported extensions, a STARTTLS command. If the server accepts, the client starts the TLS negotiation and the email message is sent over the encrypted connection.

High-Level Explanation

  1. Client establishes a connection with the email server (TCP handshake).
  2. Client checks whether the email server supports STARTTLS.
  3. Client and email server perform the TLS negotiation for a secured connection.
  4. Encrypted email can then be sent from the client to the email server.
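The four steps above, replayed as the actual SMTP command/response lines the client and server exchange. This is an added example written for this page, not code from the page's author or from the linked articles. The server is a constructed stand-in (host name `mail.example.test`, client name `client.example.test`) so the exchange runs offline; the second function shows the same policy with Python's real `smtplib` API and needs a network connection, so it is not run here. The security-relevant point the example adds is that the client fails closed: if the server's EHLO response does not list STARTTLS, the client quits instead of continuing in plaintext.

```python
"""Scripted SMTP STARTTLS exchange and a fail-closed client (added example)."""
import smtplib
import ssl


class ScriptedSmtpServer:
    """Constructed stand-in for an SMTP server; answers EHLO and STARTTLS.

    advertise_starttls=False models a server that never offers STARTTLS,
    so the client's fail-closed branch can be exercised offline.
    """

    def __init__(self, advertise_starttls=True):
        self.advertise_starttls = advertise_starttls
        self.tls_active = False

    def greeting(self):
        # First line the server sends after the TCP handshake completes (step 1).
        return "220 mail.example.test ESMTP ready"

    def handle(self, command):
        verb = command.split(" ", 1)[0].upper()
        if verb == "EHLO":
            lines = ["250-mail.example.test"]
            # STARTTLS is listed only while the session is still in plaintext.
            if self.advertise_starttls and not self.tls_active:
                lines.append("250-STARTTLS")
            lines.append("250 AUTH PLAIN LOGIN")
            return lines
        if verb == "STARTTLS":
            if not self.advertise_starttls or self.tls_active:
                return ["454 TLS not available"]
            self.tls_active = True  # the TLS handshake would run at this point
            return ["220 Ready to start TLS"]
        return ["500 Command not recognised"]


def negotiate_starttls(server, transcript=None):
    """Drive the client side; return True only if TLS was established.

    Appends each line of the exchange to `transcript` (a list) so the
    conversation can be printed. Fails closed when STARTTLS is not offered.
    """
    log = transcript if transcript is not None else []
    log.append("S: " + server.greeting())
    log.append("C: EHLO client.example.test")                    # step 2
    reply = server.handle("EHLO client.example.test")
    log.extend("S: " + line for line in reply)
    # Reply lines look like "250-STARTTLS"; the keyword starts at offset 4.
    if not any(line[4:].upper() == "STARTTLS" for line in reply):
        log.append("C: QUIT  (STARTTLS not offered; refusing to continue in plaintext)")
        return False
    log.append("C: STARTTLS")                                     # step 3
    reply = server.handle("STARTTLS")
    log.extend("S: " + line for line in reply)
    if not reply[0].startswith("220"):
        log.append("C: QUIT  (server refused TLS)")
        return False
    log.append("-- TLS handshake; everything below is encrypted --")
    # RFC 3207 requires the client to forget what it learned before TLS and
    # send EHLO again over the encrypted channel before mail is sent (step 4).
    log.append("C: EHLO client.example.test")
    log.extend("S: " + line for line in server.handle("EHLO client.example.test"))
    return True


def send_with_enforced_starttls(host, port, username, password, message):
    """Same policy against a real server with smtplib (needs network; not run here).

    `message` is an email.message.EmailMessage; port 587 is the usual submission port.
    """
    context = ssl.create_default_context()  # verifies the server certificate
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server did not offer STARTTLS; refusing plaintext")
        smtp.starttls(context=context)
        smtp.ehlo()  # re-issue EHLO after the handshake, as the RFC requires
        smtp.login(username, password)
        smtp.send_message(message)


if __name__ == "__main__":
    for offered in (True, False):
        lines = []
        ok = negotiate_starttls(ScriptedSmtpServer(advertise_starttls=offered), lines)
        print("\n".join(lines))
        print("encrypted session established:", ok, "\n")
```

Running the script prints both transcripts: the full exchange ending in an encrypted session, and the truncated one where the client quits because STARTTLS was never advertised. The second case is the one to watch for in practice, since an on-path attacker who can alter the EHLO response can make a server appear not to support STARTTLS; a client that continues anyway sends its credentials in the clear.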

Further information

  1. SendGrid: What is StartTLS
  2. Fastmail: Differences between SSL, TLS, STARTTLS