
What is the TLS-sending guarantee and how do I activate it?

Our TLS-sending guarantee ensures that all of your emails will be sent over an encrypted connection.

As standard, before sending each email, Posteo attempts to create an encrypted connection with other email servers. If the TLS-sending guarantee is activated for your account, we will only send your email if it can be securely delivered to the recipient. If secure delivery is not possible, the email is not sent and Posteo notifies you via email. You can then decide for yourself whether you would like to send the email to the insecure server or not.

In this help article we explain how to activate the TLS-sending guarantee, what happens when an insecure delivery is stopped, and what to do in this case.

How to activate the TLS-sending guarantee

  1. Click Settings
  2. Click My account
  3. Click Transport route encryption
  4. Click Activate TLS-sending guarantee now

Click "Settings" then "My account" and then under "Transport route encryption" click "Activate TLS-sending guarantee now"

Tip: Whether you manage your email in the webmail interface, on a smartphone or using a local email program such as Outlook or Thunderbird makes no difference: Every email is sent with the TLS security check.

You receive this message when Posteo stops an insecure delivery

If the email server for one or more recipients does not offer encryption, sending to the insecure email system is stopped. We immediately inform you about the stopped delivery by sending you a standard error message with subject "Undelivered Mail Returned to Sender". In the error message you will find:

  • the recipient/s to which no secure delivery was possible, and
  • the cause of the error

The cause of the error when encryption is not offered is always “TLS is required, but was not offered by host”. This means that transport route encryption is required, but is not offered by the recipient.

TLS-sending guarantee: You receive this error message when encryption is not possible

After sending is stopped, you have the following options:

  1. You can inform the recipient (if desired, using a different contact method) that secure sending to their email address is not possible and ask them to provide another email address.
  2. You can temporarily deactivate the TLS-sending guarantee and send the email securely by furnishing it with end-to-end encryption.
  3. You can temporarily deactivate the TLS-sending guarantee and, as an exception, send the email unencrypted/insecurely.

How to deactivate the TLS-sending guarantee

  1. Click Settings
  2. Click My account
  3. Click Transport route encryption
  4. Click Deactivate TLS-sending guarantee now

Click "Settings" then "My account" and then under "Transport route encryption" click "Deactivate TLS-sending guarantee now"

You may now once again send emails to insecure email servers.

How to send a stopped email without TLS

You have deactivated the TLS-sending guarantee and can now once again send emails to insecure email servers. If you wish to send a stopped email without TLS, you can find the email in the Sent folder. Don’t be confused by this: the email was not sent. It is stored there because email servers usually copy emails to the Sent folder before sending, which the Posteo servers also do.

  1. Open the Sent folder
  2. Select the message that you wish to send without TLS
  3. Click More
  4. Click Edit as new

In the "Sent" folder, select the email, click "More" and then "Edit as new"

By clicking Edit as new, the email is opened in the usual email editor. You can now send the email simply by clicking Send.

Tip: After sending, don’t forget to reactivate the TLS-sending guarantee.

Expert tips

  • Downgrade attacks (in which an attacker can switch off modern, secure encryption) are prevented by the TLS-sending guarantee.
  • Outdated encryption protocols such as SSLv3, TLS 1.0 or TLS 1.1 will not be tolerated.
  • Man-in-the-middle attacks are made more difficult. In a man-in-the-middle attack, an attacker masquerades as each of the communication partners and can thus read the communication. If, like Posteo, the receiving server uses DANE, man-in-the-middle attacks are impossible.
  • For autoreplies, the system does not check whether TLS encryption is possible, so that your autoreply will reach all recipients. Please therefore make sure that your autoreply does not contain any sensitive information.
  • Automatic forwarding that you have set up does not use the TLS-sending guarantee, so that all forwarded emails reach you. Tip: Before setting up automatic forwarding, use the TLS-sending guarantee to check whether an encrypted transfer to your target address is possible.
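
The sending rule behind these tips, as an added sketch that is not Posteo's own code: decide() stops a delivery when STARTTLS is missing from the EHLO reply or the negotiated protocol is older than TLS 1.2, and probe() applies it to a live server without sending mail. The function names, the mx_host parameter (the recipient domain's MX host, looked up beforehand) and the choice to keep certificate verification on are assumptions of this example.

```python
import smtplib
import ssl

# SSLv3, TLS 1.0 and TLS 1.1 are not tolerated, so only these pass.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
NOT_OFFERED = "TLS is required, but was not offered by host"


def decide(ehlo_extensions, negotiated_version=None):
    """Return (deliver, reason) for one receiving server.

    ehlo_extensions: extension keywords from the server's EHLO reply.
    negotiated_version: SSLSocket.version() after STARTTLS, or None.
    """
    offered = {ext.lower() for ext in ehlo_extensions}
    if "starttls" not in offered:
        # Also the result when an attacker strips STARTTLS from the
        # reply: stop the delivery, never fall back to plaintext.
        return False, NOT_OFFERED
    if negotiated_version not in ACCEPTED_VERSIONS:
        return False, f"TLS handshake failed or too old: {negotiated_version}"
    return True, f"encrypted with {negotiated_version}"


def probe(mx_host, port=25, timeout=10):
    """Connect to mx_host (hypothetical input: the recipient domain's MX
    host, looked up beforehand) and apply decide() without sending mail."""
    ctx = ssl.create_default_context()  # keeps certificate verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        extensions = list(smtp.esmtp_features)  # cleared again by starttls()
        version = None
        if smtp.has_extn("starttls"):
            try:
                smtp.starttls(context=ctx)
                version = smtp.sock.version()
            except (ssl.SSLError, smtplib.SMTPException):
                version = None  # handshake refused: treat as insecure
        return decide(extensions, version)


if __name__ == "__main__":
    # Constructed EHLO replies, not captured from any real server.
    print(decide(["PIPELINING", "SIZE", "8BITMIME"]))
    print(decide(["PIPELINING", "STARTTLS"], "TLSv1.1"))
    print(decide(["PIPELINING", "STARTTLS"], "TLSv1.3"))
```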
