Incoming TLS (Transport Layer Security)
Once your domains MX (Mail Exchanger) records point to our service, any third party senders striking up a protocol connection and issuing an EHLO command, will be presented with the STARTTLS command
If the sending server then initiates a TLS handshake and confirms that the following data will be exchanged via TLS the inbound transaction process will be encrypted.
Please be advised that we will always present third party senders with the opportunity to send inbound to our service via TLS, but it is for the sender to confirm, commit to the handshake and transmit via TLS
Encryption Module (Incoming connections)
If you subscribe to MPmail's encryption module, you may create a rule that stipulates MPmail should only accept inbound email to your domains via TLS
If the sender attempts to send via SMTP without TLS encryption the sender will receive an NDR and the senders send connector logs will show an entry similar to the below:
Sep 15 13:20:05 manageprotect /smtp: 89C1516055E: to=<firstname.lastname@example.org>, relay=mx101.manageprotect.com[126.96.36.199]:25, delay=3.9, delays=0.02/0.01/1.2/2.7, dsn=5.7.10, status=bounced (host mx101.manageprotect.com[188.8.131.52] said: 554 5.7.10 encryption rule based rejected TLS required. (in reply to end of DATA command))
The TLS encryption can be configured either as "forced" or "if possible" also known in technical terms as 'Mandatory' or 'Opportunistic'.
If customers subscribe to MPmail's add on encryption service, activated within the Control Panel under Management/Encryption section. Customers are then able to create customised outbound - sending TLS encryption rules, which can be domain specific.
For example, adding a 'Forced'/'Mandatory' TLS policy:
all outbound email sent from mydomain.com to businessdomain.com should be sent via forced TLS (Our service will send to the recipient domain via TLS)
If the recipient domain does not support TLS the email will not fail over to SMTP the email will fail to send : this is a 'Mandatory TLS' rule
For example, adding a 'If possible'/'Opportunistic' TLS policy:
all outbound email sent from mydomain.com to businessdomain.com should be sent via TLS if possible (if the recipient supports TLS)
If the recipient domain does not support TLS the email will then fail over to SMTP and will be sent
Important note: The "FORCED" option in this configuration is a chargeable extra.