Yes! All of our email services and systems support STARTTLS as well as TLS/SSL for all protocols including SMTP, IMAP and POP3. For our Windows (SmarterMail) systems, ActiveSync (EAS), Exchange Web Services (EWS), and MAPI (Exchange) for Outlook are also secured. These measures encrypt email in transit between your devices, our servers, and destination servers when they are compatible.

Transport encryption prevents eavesdropping and tampering on untrusted networks. Email was originally designed without built-in security, so messages often crossed the internet in plaintext. Enabling TLS closes that gap for the connection itself. While this is not message-level end-to-end encryption like S/MIME or PGP, it is the industry-standard first layer that protects credentials, headers, and content from passive interception. Compliance requirements frequently mandate these controls.

# Supported Encryption Protocols and Features

Our mail servers negotiate the strongest mutually supported TLS version and cipher suite. STARTTLS upgrades an existing plaintext session to encrypted on ports 25, 587, 143, and 110. Implicit TLS uses dedicated encrypted ports from the start: 465 for SMTPS, 993 for IMAPS, and 995 for POP3S. Clients should be configured to require TLS; we reject or log connections that downgrade. This configuration reduces the attack surface against man-in-the-middle attempts that try to force plaintext.

  • SMTP submission on port 587 with STARTTLS is the recommended outbound path to avoid ISP blocking of port 25
  • IMAP on port 993 (implicit TLS) is preferred for desktop and mobile clients retrieving mail
  • POP3 on port 995 (implicit TLS) for clients that delete mail from the server after download

# Windows-Specific Secure Access Methods

On Windows hosting platforms, SmarterMail provides additional encrypted channels beyond the standard protocols. ActiveSync (EAS) synchronizes mail, calendar, and contacts to mobile devices over HTTPS. Exchange Web Services (EWS) powers Outlook connectivity for folder sharing and free/busy lookups. MAPI over HTTPS secures the full rich client experience for desktop Outlook. All of these pathways are protected with valid TLS certificates and modern protocol versions so that credentials and data never traverse the network unprotected.

# Secure Delivery Between Different Providers

Email delivery (both incoming and outgoing) is always handled securely when possible. However, both endpoints must support and agree on a secured connection, and not all third-party email systems support encrypted connections. Our outbound servers attempt TLS with every destination and log the result. If the remote server does not advertise STARTTLS or presents an invalid certificate, delivery falls back to plaintext. Inbound mail from external systems is accepted on secure ports; we do not force plaintext inbound. For sensitive information, verify the recipient domain supports TLS before transmission.

# Testing Encryption on Inbound and Outbound Servers

You can test a recipient's server at https://www.checktls.com/ using the Test To address field. The tool performs a full handshake check, certificate validation, and cipher strength report. To test your own hosted mailbox, enter your ASPnix email address in the Test From field on the same site. Look for green pass results on TLS version, certificate trust, and successful STARTTLS negotiation. Schedule periodic checks after certificate renewals or DNS changes. Failures often trace to expired certificates, mismatched hostnames, or overly restrictive firewall rules.

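To send a test message from .NET over STARTTLS on port 587:

```csharp
using System.Net;
using System.Net.Mail;

// With EnableSsl set, SmtpClient issues STARTTLS on port 587 before it
// authenticates. SmtpClient does not support implicit TLS on port 465.
using var client = new SmtpClient("mail.yourdomain.com", 587);
client.EnableSsl = true;
client.Credentials = new NetworkCredential("username", "password");
client.DeliveryMethod = SmtpDeliveryMethod.Network;

// Build the test message; both objects are disposed when they leave scope.
using var message = new MailMessage();
message.From = new MailAddress("you@yourdomain.com");
message.To.Add("recipient@example.com");
message.Subject = "Secure test";
message.Body = "This message was sent over TLS.";

// Send throws SmtpException if the server does not offer STARTTLS,
// so the message is never submitted over a plaintext session.
client.Send(message);
```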

# Client Configuration Steps and Common Pitfalls

Configure clients to require encryption rather than use opportunistic mode. In Outlook, open Account Settings, select the server, click More Settings, go to the Advanced tab and check "This server requires an encrypted connection (SSL/TLS)" while setting the correct ports. Thunderbird users should choose SSL/TLS for connection security and Normal password for authentication. Avoid legacy SSL 3.0 or TLS 1.0; our servers enforce TLS 1.2 minimum. Common pitfalls include mismatching the port and security type (e.g., port 465 with STARTTLS instead of implicit TLS), ignoring certificate name mismatch warnings, and using self-signed certificates on custom domains without proper SAN entries.

  • Always prefer port 587 with STARTTLS for outbound to reduce blocking by consumer ISPs
  • Verify the certificate chain includes a recognized root CA and the hostname matches exactly
  • Monitor server logs for TLS handshake failures after client or certificate updates
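
The difference between requiring TLS and opportunistic TLS, and the plaintext fallback described under secure delivery, can be shown with a client that refuses to continue when STARTTLS is missing or the certificate fails validation. This is an added example, not ASPnix code; `TlsPolicyError`, `strict_context`, `upgrade_or_refuse` and `check_submission` are hypothetical names, and `mail.yourdomain.com` is the page's placeholder host.

```python
import smtplib
import ssl


class TlsPolicyError(Exception):
    """Raised instead of continuing over a plaintext session."""


def strict_context() -> ssl.SSLContext:
    # create_default_context() verifies the chain against the system trust
    # store and checks that the certificate matches the hostname.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0/1.1
    return ctx


def upgrade_or_refuse(smtp, ctx: ssl.SSLContext) -> str:
    """Upgrade a connected SMTP session with STARTTLS, or refuse to continue.

    `smtp` is an smtplib.SMTP-like object. Returns the negotiated TLS
    version string, for example "TLSv1.3".
    """
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        # The capability may be missing because the server is old or because
        # something on the path removed it; either way, stay fail-closed.
        raise TlsPolicyError("server did not advertise STARTTLS")
    try:
        smtp.starttls(context=ctx)  # fails on bad chain or hostname mismatch
    except ssl.SSLError as exc:
        raise TlsPolicyError(f"TLS handshake rejected: {exc}") from exc
    smtp.ehlo()  # re-read capabilities over the encrypted channel
    return smtp.sock.version()


def check_submission(host: str, port: int = 587) -> str:
    """Open a submission session and enforce the policy above (needs network)."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        return upgrade_or_refuse(smtp, strict_context())


if __name__ == "__main__":
    # mail.yourdomain.com is the placeholder hostname used on this page.
    print(check_submission("mail.yourdomain.com"))
```

Run it after certificate renewals or DNS changes; a `TlsPolicyError` means a client set to require encryption would refuse the connection.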

Configure clients for TLS, test both directions with CheckTLS, and confirm recipient support before sending sensitive data. See our related guides on setting up Outlook with SmarterMail and enabling two-factor authentication for mailboxes to build layered email security.