Email encryption: What is SSL and TLS?
In this article, we will explore SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols, how they work, their differences, and their importance for email security.
You will gain a clear understanding of how SSL and TLS protect data during transmission, keeping your messages private and secure.
When it comes to email communication, you need to protect your data. One way to protect your correspondence is by using encryption protocols. These protocols secure the connection between the email client and the server, so only the client and server can decrypt the message.
Implementing encryption protocols is necessary to protect data during transmission to the server. Without encryption, you could face serious consequences, such as data breaches and the loss of confidential information.
Overall, using encryption protocols isn’t just a technical necessity; it is essential to maintain a safe and secure email environment.
By using SSL and TLS for email encryption, sensitive information, like passwords, personal data, or business messages, is better protected: it is converted into an unreadable format that can only be deciphered by the recipient holding the right decryption keys.
To better understand how your data is transferred between your email client and the server, you need to know how the handshake process works. In this process, the two communicating parties, such as a client and a server, establish a secure connection through a series of steps: mainly, agreeing on the protocol version and security measures they will use to protect the exchanged data, and then exchanging cryptographic keys.
The critical difference between the SSL and TLS handshakes lies in their complexity and efficiency. The SSL handshake is no longer used because SSL requires more complex and time-consuming steps to establish a connection. TLS streamlines this process, resulting in a connection that is both more efficient and more secure.
The two names are often used interchangeably, and you will frequently see a reference to SSL when TLS is meant; the combined term SSL/TLS is also common. In email client settings, the difference is only in the name and the port you use, so when an email client offers you an SSL connection, this is a reference to TLS.
As we discuss SSL and TLS, it is also important to mention the STARTTLS extension. It is used with communication protocols such as SMTP, IMAP, and POP3, and it allows an existing unencrypted connection to be upgraded to a secure connection using TLS.
Unlike traditional SSL/TLS connections, where encryption is established from the start of the session, STARTTLS initiates an unencrypted connection first and then upgrades it to a secure connection. This allows encryption to be applied without the need to establish a new connection.
After the successful completion of the handshake, a secure connection is established, enabling secure data transfer between the client and the server. This process keeps data transmission secure, protecting it from being intercepted or tampered with while traveling over the Internet.
When connecting your email service to an email client (like Outlook, Thunderbird, or Apple Mail), understanding the difference between SSL/TLS and STARTTLS/TLS is essential to make sure your connection is secure and configured correctly.
1. SSL/TLS connection ensures dedicated security from the start
With SSL/TLS, the connection between your email client and the email server is encrypted as soon as the connection is established. When setting up your email client via SSL/TLS, you will need to use the secure ports:
SMTP (sending emails): Port 465
IMAP (retrieving emails): Port 993
POP3 (retrieving emails): Port 995
This option provides a straightforward, always-secure connection. However, you need to ensure that your email client supports these ports and protocols.
2. STARTTLS/TLS connection upgrades an unencrypted connection
STARTTLS begins with an unencrypted connection on a standard port and then upgrades it to a secure TLS connection. In this case, standard ports are used:
SMTP: Port 587
IMAP: Port 143
POP3: Port 110
This is useful if your email server uses the same port for both encrypted and unencrypted traffic. With STARTTLS, you can enable encryption without needing dedicated ports, making setup easier for users connecting to servers that support this method.
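The STARTTLS upgrade described above (the EHLO capability check, the STARTTLS command, and the switch to an encrypted channel on the same port 587 connection), shown as an in-memory simulation of the SMTP exchange. This is an added example, not code from the original article or from Namecheap: FakeMailServer, the host names and the reply texts are constructed, and no socket or real TLS handshake is opened. Besides the happy path it shows the client refusing to send credentials when the server does not advertise STARTTLS, which is how a correctly configured client fails closed instead of falling back to clear text.

```python
"""Simulated SMTP STARTTLS upgrade on port 587 (added example, not Namecheap code).

Everything runs in memory: FakeMailServer stands in for the mail server, the host
names are constructed, and the TLS handshake itself is represented by a marker.
"""

SERVER_NAME = "mail.example.test"    # constructed, not a real server
CLIENT_NAME = "client.example.test"  # constructed


class FakeMailServer:
    """Minimal stand-in for a mail server listening on the STARTTLS port 587."""

    def __init__(self, offers_starttls=True):
        self.offers_starttls = offers_starttls
        self.tls_active = False
        self.received = []  # every command line the client sent, in order

    def greeting(self):
        return f"220 {SERVER_NAME} ESMTP ready"

    def handle(self, command):
        """Return the server's reply lines for one client command."""
        self.received.append(command)
        verb = command.split(" ", 1)[0].upper()
        if verb == "EHLO":
            caps = [f"250-{SERVER_NAME} greets you", "250-SIZE 52428800"]
            if self.offers_starttls and not self.tls_active:
                caps.append("250-STARTTLS")
            if self.tls_active:
                caps.append("250-AUTH PLAIN LOGIN")  # only offered once encrypted
            caps.append("250 HELP")  # "250 " (space) marks the last line
            return caps
        if verb == "STARTTLS":
            if not self.offers_starttls or self.tls_active:
                return ["454 TLS not available"]
            self.tls_active = True  # a real server now runs the TLS handshake here
            return ["220 Ready to start TLS"]
        if verb == "AUTH":
            if self.tls_active:
                return ["235 Authentication succeeded"]
            return ["530 Must issue a STARTTLS command first"]
        if verb == "QUIT":
            return ["221 Bye"]
        return ["500 Command not recognised"]


def parse_ehlo(reply):
    """Turn a multi-line 250 reply into the set of advertised capability keywords."""
    if not reply or not reply[-1].startswith("250 "):
        raise RuntimeError(f"EHLO rejected: {reply}")
    # The first line is the server's own greeting; the rest are "250-KEYWORD ..." lines.
    return {line[4:].split(" ", 1)[0].upper() for line in reply[1:]}


def connect_with_starttls(server):
    """Client side of the upgrade. Returns a transcript of (who, line) tuples.

    Fails closed: if TLS cannot be established, the client quits without
    ever sending AUTH over the unencrypted connection."""
    transcript = [("S", server.greeting())]

    def send(cmd):
        transcript.append(("C", cmd))
        reply = server.handle(cmd)
        transcript.extend(("S", line) for line in reply)
        return reply

    caps = parse_ehlo(send(f"EHLO {CLIENT_NAME}"))
    if "STARTTLS" not in caps:
        send("QUIT")
        raise ConnectionError("server does not offer STARTTLS; refusing to continue in clear text")

    reply = send("STARTTLS")
    if not reply[0].startswith("220"):
        send("QUIT")
        raise ConnectionError(f"STARTTLS refused: {reply[0]}")
    transcript.append(("*", "TLS handshake complete; everything below is encrypted"))

    # RFC 3207: discard what was learned before the upgrade and issue EHLO again.
    caps = parse_ehlo(send(f"EHLO {CLIENT_NAME}"))
    if "AUTH" not in caps:
        send("QUIT")
        raise ConnectionError("no AUTH mechanism offered after the TLS upgrade")
    send("AUTH PLAIN (credentials omitted in this simulation)")
    send("QUIT")
    return transcript


if __name__ == "__main__":
    for who, line in connect_with_starttls(FakeMailServer(offers_starttls=True)):
        print(who, line)
```

The two EHLO commands in the transcript are deliberate: the capability list read before the upgrade is untrusted, so the client asks again once the channel is encrypted and only then looks for AUTH.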
NOTE: As of now, Namecheap has stopped using TLS 1.0 and 1.1 due to several significant security vulnerabilities, and SSL is no longer used due to weak encryption methods. TLS, which replaced SSL, offers stronger cryptographic protocols and better protection against modern attacks. TLS 1.2 and TLS 1.3 are now the standard, providing more secure, efficient encryption.
When it comes to exchanging data with an email client, it is important to configure the correct protocol to ensure proper communication. Otherwise, you may encounter errors such as dropped connections, authentication issues, or the inability to send messages.
For secure email transmission, using the correct protocol allows encrypted and secure communication between the client and server. When sending or receiving mail, you need to make sure your email client complies with the required protocol settings - this is crucial for smooth operation.
If you encounter any errors while connecting to the email client using the correct settings, we recommend verifying whether the client supports TLS 1.2 and TLS 1.3. Additionally, make sure that your network and firewall settings are not blocking the connection. If the issue persists, check for any software updates with your mail client, as outdated versions may not support newer encryption standards.
Finally, try testing your connection on a different network or device to rule out any local connection issues.
You may also encounter difficulties connecting to your email client due to your operating system not supporting TLS 1.2 and TLS 1.3. For example, older versions of Windows (such as Windows 7 or earlier) may not support TLS 1.2 by default. Even on some systems running Windows 8 or 10, these protocols might need to be manually enabled or require specific updates to function correctly.
As TLS 1.2 and TLS 1.3 are now the minimum standard for secure communication with many modern email servers, failure to support these versions could result in connection errors or security-related issues when establishing a secure email connection.
To prevent such issues, it is important to regularly check for updates to both your operating system and email client. Most modern email clients support TLS 1.2 and 1.3 by default, but older versions may not. Microsoft began enabling TLS 1.2 by default on Windows 7 through system updates.
If you are using an older version of Windows, it’s highly recommended that you either upgrade to a newer version or apply the necessary updates to ensure compatibility with these secure protocols. Failure to do so may result in connectivity issues and security weaknesses when communicating with email servers that require TLS 1.2 or higher.
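A client-side configuration that enforces the TLS 1.2 minimum discussed above, as an added Python example that is not part of the original article or of Namecheap's software. It builds an ssl.SSLContext that refuses TLS 1.0 and 1.1, reports whether the local OpenSSL build supports TLS 1.2 and 1.3 (the check the troubleshooting steps ask for), and opens SMTP and IMAP sessions in either of the two modes using the ports listed earlier. The host name passed to the open functions is a placeholder (substitute your provider's server name); classify_failure maps the exceptions such an attempt can raise to the categories the error section of this article covers.

```python
"""Mail client connection with TLS 1.2+ enforced.

Added example, not part of the original article or Namecheap's software.
Host names are placeholders; replace them with your provider's server name.
"""
import imaplib
import smtplib
import socket
import ssl

# Ports from the article: "SSL" = encrypted from the first byte, "TLS" = STARTTLS upgrade.
IMPLICIT_TLS_PORTS = {"smtp": 465, "imap": 993, "pop3": 995}
STARTTLS_PORTS = {"smtp": 587, "imap": 143, "pop3": 110}


def hardened_context():
    """Client context: server certificate verified against the system trust store,
    host name checked, and TLS 1.0/1.1 refused."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # older protocol versions are rejected
    return ctx


def context_summary(ctx):
    """Plain values describing a context, so the settings can be checked or logged."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verify_hostname": ctx.check_hostname,
    }


def local_tls_support():
    """Versions the local OpenSSL build can negotiate. A False for tls1_2 means the
    client cannot reach a server that requires TLS 1.2 or 1.3, whatever the port
    and encryption settings say."""
    return {"openssl": ssl.OPENSSL_VERSION,
            "tls1_2": ssl.HAS_TLSv1_2,
            "tls1_3": ssl.HAS_TLSv1_3}


def open_smtp(host, mode, timeout=10):
    """mode 'ssl': implicit TLS on 465. mode 'starttls': plain connect on 587, then
    upgrade; smtplib raises before any AUTH is sent if the upgrade is not possible."""
    ctx = hardened_context()
    if mode == "ssl":
        return smtplib.SMTP_SSL(host, IMPLICIT_TLS_PORTS["smtp"], timeout=timeout, context=ctx)
    if mode == "starttls":
        conn = smtplib.SMTP(host, STARTTLS_PORTS["smtp"], timeout=timeout)
        conn.ehlo()
        conn.starttls(context=ctx)  # SMTPNotSupportedError if STARTTLS is not advertised
        conn.ehlo()                 # capabilities must be re-read after the upgrade
        return conn
    raise ValueError("mode must be 'ssl' or 'starttls'")


def open_imap(host, mode, timeout=10):
    """Same two modes for IMAP: 993 with implicit TLS, or 143 plus STARTTLS."""
    ctx = hardened_context()
    if mode == "ssl":
        return imaplib.IMAP4_SSL(host, IMPLICIT_TLS_PORTS["imap"], ssl_context=ctx, timeout=timeout)
    if mode == "starttls":
        conn = imaplib.IMAP4(host, STARTTLS_PORTS["imap"], timeout=timeout)
        conn.starttls(ssl_context=ctx)  # raises if the server refuses the upgrade
        return conn
    raise ValueError("mode must be 'ssl' or 'starttls'")


def classify_failure(exc):
    """Map the exception a connection attempt raised to the check the article suggests."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate verification failed: untrusted issuer or host name mismatch"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed: check TLS 1.2/1.3 support and that the port matches the mode"
    if isinstance(exc, smtplib.SMTPAuthenticationError):
        return "authentication failed (535/530): check username, password and auth method"
    if isinstance(exc, smtplib.SMTPNotSupportedError):
        return "server did not offer STARTTLS on this port: use the implicit TLS port instead"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "connection timed out: check network, firewall and antivirus, try another network"
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused: wrong port, or nothing listening on it"
    return f"unclassified error: {exc!r}"


if __name__ == "__main__":
    print(local_tls_support())
    print(context_summary(hardened_context()))
    # Example call (placeholder host): open_smtp("mail.example.test", "starttls")
```

If local_tls_support() reports tls1_2 as False, no port or encryption setting in the client will help; the OpenSSL library behind the client has to be updated first, which is the same situation the article describes for unpatched Windows installations.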
Here's an example of a common error you may encounter in Outlook on Windows 7:
Outlook 2013 on Windows 7 can establish a secure POP3 connection using SSL, but it is essential to ensure that both Outlook and Windows 7 are updated to support the latest versions of TLS.
Even with the correct configuration, server settings, and ports, the issue can only be resolved by upgrading the operating system to a version that supports modern secure protocols and updating the email client to the latest version.
Let’s take a look at the most common errors you could face when connecting to an email client:
Error code 535, 530: "Authentication failed" or "Login failed"
Most likely, you are seeing this error because your username or password is incorrect. We recommend checking them by logging into your mailbox and making sure they don't contain any extra characters or spaces. If necessary, change your password.
The server's authentication method and your email client's settings may also not match. Make sure they are configured correctly.
Error code 421: "Unable to connect"
The error indicates that an incorrect port number is being used for SSL/TLS connections (for example, using port 25 for SMTP, which is primarily used for server-to-server email transmission, instead of 465 or 587 for secure client-to-server connections).
Error code 501, 535: "Unable to authenticate" or "Invalid login credentials"
Double-check that the Server/Host name, Port, Encryption method, and login details you are using are valid:
Incoming server (IMAP): port 993 for SSL, port 143 for TLS.
Incoming server (POP3): port 995 for SSL, port 110 for TLS.
Outgoing server (SMTP): port 465 for SSL, port 587 for TLS.
If you use our Private Email service, use mail.privateemail.com for both Incoming and Outgoing Servers.
Alternatively, you can try the SMTP (Outgoing) Server name - smtp.privateemail.com.
To fetch incoming mail and send out emails from a mailbox created on our hosting, you can find the Server name in the welcome email in the section Account Information, or follow the guide here.
Error code 10060, 10061: "Connection timed out"
The email client cannot establish a connection within the timeout period. Ensure your internet connection is stable and that no firewalls or antivirus programs are blocking it. You can also check the connection from another network or device to determine whether the issue is local.
That's it!
If you encounter any issues connecting to the email client, feel free to contact our support team so we can look into the matter and help you resolve it.