What is the TLS-receiving guarantee and how do I activate it?

Our TLS-receiving guarantee ensures that all of your emails will be received over an encrypted connection.

If you activate this security feature, we will refuse to receive an email from a server that tries to deliver it without up-to-date transport route encryption. You and the sender will immediately be informed by email that an email was rejected due to security reasons. Even as a layman, you will immediately recognise who is not taking sufficient care of email security.

As the majority of senders nowadays support modern encryption (TLS 1.2 and 1.3) as a standard, you will usually not notice the receiving guarantee in everyday life. The rate of insecure servers is already below 5% (Posteo survey May 2021). Spammers and a few newsletter distributors account for the largest share (>90%) of unencrypted contact attempts.

In this help article we explain how to activate the TLS-receiving guarantee, what happens when an insecure transmission is stopped, and what to do in this case.

Contents

  1. How to activate the TLS-receiving guarantee
  2. How the TLS-receiving guarantee works
  3. What to do if an insecure transmission has been prevented
  4. How to deactivate the notification of rejected emails
  5. How to deactivate the TLS-receiving guarantee
  6. Expert tips

How to activate the TLS-receiving guarantee

  1. Click Settings
  2. Click My account
  3. Click Transport encryption
  4. Click Activate TLS-receiving guarantee now

Open "Settings" and, under "My account", select the menu item "Transport encryption". Click on "Activate TLS-receiving guarantee now".

Done. You have activated the TLS-receiving guarantee. Posteo now guarantees to prevent any insecure email transmissions made to your account. If such a case arises, we will inform you by sending an email to a new folder in your Posteo mailbox. The sender will automatically receive an error message. The folder is called: Receiving guarantee notifications. It will be created automatically as soon as the first email has been rejected.

Tip: Whether you manage your email in the webmail interface, on a smartphone or using a local email program such as Outlook or Thunderbird makes no difference: every email that is received goes through the TLS security check.

How the TLS-receiving guarantee works

If a sender’s email server does not support up-to-date encryption, transmission is stopped before the email is transferred to Posteo. The sender automatically receives an error message.

In addition, we will send you an email informing you that a transmission has been stopped. In the email you will find the email address of the sender.

You will find the notification emails in a new folder – Receiving guarantee notifications.

An example of a notification of a rejected email receipt. The email contains the sender's email address.

What to do if an insecure transmission has been prevented

If the transmission was stopped, you can decide for yourself how to proceed. If a transmission that is unencrypted, or encrypted with an outdated protocol, is acceptable to you in this case, deactivate the function briefly and ask the sender to send the email again.


Inform the sender about the missing encryption.

You can also inform the sender (possibly in another way) that emails are being sent unencrypted and ask for an encrypted transmission. You can use the following template for this:

    Hello xxx,

    please check the security settings of your email servers. Apparently they do not support up-to-date TLS encryption.
    I have activated a guarantee for secure email reception (TLS) with my provider Posteo to protect myself against data theft and insecure data transmission.

    Sending emails that are not encrypted in transit is no longer considered adequate. If they contain personal data such as names and addresses, it is also illegal. In this way, data can simply be tapped on the way through the internet.

    I have a corresponding security response from the Posteo servers here:



    Please correct this deficiency and give me feedback when you’ve done so.

    Sincerely,

If an operator does not respond or is evasive, you can ask for assistance at support+tls@posteo.de. We will then also contact the sender again for you. Every newly secured server is a contribution to IT security for everyone.

How to deactivate the notification of rejected emails

You do not want to receive notification emails? You can deactivate notifications for rejected transmissions in the settings. The sender will still receive an error message for each prevented delivery.

  1. Click Settings
  2. Click My account
  3. Click Transport encryption
  4. Click Deactivate notification for TLS-receiving guarantee now

Open "Settings" and, under "My account", select the menu item "Transport encryption". Click on "Activate notification for TLS-receiving guarantee".

Done. You will not receive any more notifications. You can now delete the folder Receiving guarantee notifications.

How to deactivate the TLS-receiving guarantee

  1. Click Settings
  2. Click My account
  3. Click Transport encryption
  4. Click Deactivate TLS-receiving guarantee now

Open "Settings" and, under "My account", select the menu item "Transport encryption". Click on "Deactivate TLS-receiving guarantee now".

You can now receive emails from insecure email servers.

Expert tips

  • In the case of bounce messages, the system does not check whether TLS encryption is possible. You will therefore receive error messages informing you of a failed delivery even if the sending server does not support encryption.
  • Emails are guaranteed to always be received via an encrypted transport route.
  • Downgrade attacks (in which an attacker can switch off modern, secure encryption) are prevented by the TLS-receiving guarantee.
  • Outdated encryption protocols such as SSLv3, TLS 1.0 or TLS 1.1 will not be tolerated.
  • Man-in-the-middle attacks are made more difficult. In a man-in-the-middle attack, an attacker masquerades as each of the communication partners and can thus read the communication. If, like Posteo, the receiving server uses DANE, man-in-the-middle attacks are impossible.
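
The acceptance rule from "How the TLS-receiving guarantee works" and the expert tips above, modelled as an added example; it is not Posteo's implementation. The Session fields, the use of an empty envelope sender to mark a bounce, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# The page names TLS 1.2 and 1.3 as up to date; SSLv3, TLS 1.0 and 1.1 are refused.
UP_TO_DATE = frozenset({"TLSv1.2", "TLSv1.3"})

@dataclass(frozen=True)
class Session:
    """One inbound delivery attempt (hypothetical model, fields are assumptions)."""
    envelope_from: str              # "" stands for the null sender "<>" of a bounce
    tls_version: Optional[str]      # None: the connection stayed in plaintext
    guarantee_on: bool = True       # recipient activated the receiving guarantee
    notifications_on: bool = True   # recipient kept rejection notifications enabled

@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str
    notify_recipient: bool = False  # the sender gets an error on every rejection

def decide(s: Session) -> Decision:
    if not s.guarantee_on:
        return Decision(True, "guarantee not activated")
    if s.envelope_from == "":
        # Expert tip: bounce messages are not TLS-checked.
        return Decision(True, "bounce message, TLS not checked")
    if s.tls_version in UP_TO_DATE:
        return Decision(True, f"encrypted with {s.tls_version}")
    # Plaintext and outdated protocols end the same way, so a stripped STARTTLS
    # or a forced old version yields a rejection, never a weaker delivery.
    why = "no transport encryption" if s.tls_version is None else f"outdated {s.tls_version}"
    return Decision(False, why, notify_recipient=s.notifications_on)

# Constructed sample sessions (not real traffic).
SAMPLES = [
    Session("news@shop.example", None),
    Session("old@legacy.example", "TLSv1.1"),
    Session("alice@modern.example", "TLSv1.3"),
    Session("", None),
    Session("news@shop.example", None, notifications_on=False),
]

if __name__ == "__main__":
    for s in SAMPLES:
        d = decide(s)
        print(f"{s.envelope_from or '<>':22} {'ACCEPT' if d.accept else 'REJECT'}  {d.reason}")
```
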
