search cancel

Configure TLS encryption enforcement between your domains and


Article ID: 162447


Updated On:




By enforcing Transport Layer Security (TLS) between you and the infrastructure, you have a guarantee that emails will only be sent in TLS between your mail servers and the service.

This enforcement can be configured either for inbound emails, from Symantec Email Security Services (ESS) to your servers, for outbound emails (from your servers to ESS), or both.

  • If your domain has no TLS enforcements configured, emails are sent and received by default using Opportunistic TLS.
  • If ESS receives an email from you or a third-party over Opportunistic TLS, then ESS attempts to deliver the email to the recipient by using Opportunistic TLS.
  • If the recipient mail server does not support TLS, then ESS falls back to clear text delivery; otherwise the email is delivered through TLS.
  • If ESS receives an email in clear text and no TLS enforcements are configured, then ESS delivers the email to the recipient in clear text directly; TLS is not attempted.


To configure TLS enforcements between your registered domains and ESS:

  1. Click Services > Encryption.
  2. Click the TLS Enforcements tab.
  3. From the table of domains, click either Default Settings or a domain name, depending on the intended enforcement configuration scope.
  4. Continue configuring the settings found under Outbound TLS enforcement configuration and/or Inbound TLS enforcement configuration.

Note: When you configure enforcements under the Default Settings, they apply to any domains configured to use the Default Settings.

Outbound TLS enforcement configuration

Outbound TLS enforcement means that the ESS infrastructure only accepts SMTP connections from your outbound servers when sent over TLS.

To enable outbound TLS enforcement:

  1. Check the option, Always enforce TLS outbound from my domain to the Email Security Services infrastructure.
  2. Click Save.

Important clarifications about this feature:

  • If your outbound mail server fails to negotiate TLS with ESS, then ESS rejects the SMTP connection.
  • Ensure that your outbound mail servers are TLS-enabled and configured to deliver outbound email over TLS first (issue the StartTLS command).
  • If the recipient is part of an outbound TLS enforcement with a Business Partner, then TLS is enforced for onward delivery. Otherwise ESS will deliver using Opportunistic TLS.

Inbound TLS enforcement configuration

Inbound TLS enforcement means that the ESS infrastructure always uses TLS to secure SMTP connections to your domain's inbound mail servers. Before enabling this feature, verify that the inbound mail server is correctly TLS-enabled by running the TLS connectivity Test

To enable outbound TLS enforcement:

  1. Check the option, Always enforce TLS inbound from the Email Security Services infrastructure to my domain.
  2. Click Save.

Important clarifications about this feature

  • Run the TLS connectivity Test by navigating to Services > Encryption > TLS Enforcements, and then selecting the specific domain you wish to test inbound TLS delivery for. Under TLS inbound mail server test, click Test
  • Email is not delivered when your inbound mail server does not support TLS, or when ESS fails to authenticate the certificate that your recipient mail server presents when the domain uses Strong Validation. Undelivered mail is placed in a retry queue. If the email delivery fails after the standard retry period has ended, the email is bounced back to the third party.