To configure TLS enforcements between your registered domains and ESS:
- Click Services > Encryption.
- Click the TLS Enforcements tab.
- From the table of domains, click either Default Settings or a domain name, depending on the intended enforcement configuration scope.
- Continue configuring the settings found under Outbound TLS enforcement configuration and/or Inbound TLS enforcement configuration.
Note: When you configure enforcements under the Default Settings, they apply to any domains configured to use the Default Settings.
Outbound TLS enforcement configuration
Outbound TLS enforcement means that the ESS infrastructure only accepts SMTP connections from your outbound servers when sent over TLS.
To enable outbound TLS enforcement:
- Check the option, Always enforce TLS outbound from my domain to the Email Security Services infrastructure.
- Click Save.
Important clarifications about this feature:
- If your outbound mail server fails to negotiate TLS with ESS, then ESS rejects the SMTP connection.
- Ensure that your outbound mail servers are TLS-enabled and configured to deliver outbound email over TLS first (issue the StartTLS command).
- If the recipient is part of an outbound TLS enforcement with a Business Partner, then TLS is enforced for onward delivery. Otherwise ESS will deliver using Opportunistic TLS.
Inbound TLS enforcement configuration
Inbound TLS enforcement means that the ESS infrastructure always uses TLS to secure SMTP connections to your domain's inbound mail servers. Before enabling this feature, verify that the inbound mail server is correctly TLS-enabled by running the TLS connectivity Test.
To enable inbound TLS enforcement:
- Check the option, Always enforce TLS inbound from the Email Security Services infrastructure to my domain.
- Click Save.
Important clarifications about this feature:
- Run the TLS connectivity Test by navigating to Services > Encryption > TLS Enforcements, and then selecting the specific domain you wish to test inbound TLS delivery for. Under TLS inbound mail server test, click Test.
- Email is not delivered when your inbound mail server does not support TLS, or when ESS fails to authenticate the certificate that your recipient mail server presents when the domain uses Strong Validation. Undelivered mail is placed in a retry queue. If the email delivery fails after the standard retry period has ended, the email is bounced back to the third party.
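The following script is an added example, not part of ESS or its documentation: a pre-flight check you can run against your own inbound mail server before enabling inbound enforcement. It reproduces the two failure modes described above (no STARTTLS offered; certificate rejected under Strong Validation) using a default-verifying TLS context, and includes a parser for raw EHLO replies (for example, copied from an openssl s_client session). The hostname mx.example.com and port 25 are assumptions; substitute your MX host.

```python
import smtplib
import ssl
from typing import Dict, Tuple

def parse_ehlo_extensions(reply: bytes) -> Dict[str, str]:
    """Parse a raw multi-line EHLO reply into {EXTENSION: parameters}.
    The first 250 line is the server greeting, not an extension, so it is skipped."""
    exts: Dict[str, str] = {}
    lines = [l for l in reply.decode("ascii", "replace").splitlines() if l.startswith("250")]
    for line in lines[1:]:
        body = line[4:].strip()            # drop the "250-" / "250 " prefix
        if body:
            keyword, _, params = body.partition(" ")
            exts[keyword.upper()] = params
    return exts

def advertises_starttls(reply: bytes) -> bool:
    """True only if STARTTLS is offered; without it, enforced inbound delivery cannot succeed."""
    return "STARTTLS" in parse_ehlo_extensions(reply)

def check_inbound_tls(host: str, port: int = 25, strong_validation: bool = True) -> Tuple[bool, str]:
    """Live check against an inbound mail server. Returns (ok, detail)."""
    ctx = ssl.create_default_context()     # verifies chain and hostname, like Strong Validation
    if not strong_validation:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE    # opportunistic TLS: encrypt but do not authenticate
    try:
        with smtplib.SMTP(host, port, timeout=15) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False, "EHLO does not advertise STARTTLS; enforced mail would be queued for retry"
            smtp.starttls(context=ctx)     # raises SSLCertVerificationError on a bad certificate
            smtp.ehlo()                    # re-issue EHLO after the upgrade, as RFC 3207 requires
            return True, f"TLS OK: {smtp.sock.version()}, cipher {smtp.sock.cipher()[0]}"
    except ssl.SSLCertVerificationError as e:
        return False, f"certificate failed Strong Validation: {e.verify_message}"
    except (smtplib.SMTPException, OSError) as e:
        return False, f"connection or TLS failure: {e}"

if __name__ == "__main__":
    # Assumed hostname for illustration; replace with your domain's MX host.
    print(check_inbound_tls("mx.example.com"))
```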