After you have configured TLS delivery through Protocols > Domains configuration, most domains deliver with TLS as expected, but deliveries to some heavily used recipient domains are not using TLS.
Release : 10.7
Component : Scanner
For some heavily used recipient domains, multiple messages may be delivered over a single connection (one SMTP session). If that batch mixes non-TLS and TLS deliveries, the receiving domain may not accept the switch from non-TLS to TLS part-way through the session, causing some of the message deliveries to fail. The failed deliveries are queued for another attempt.
This issue is currently being investigated. Configuring the Messaging Gateway to attempt TLS delivery for all messages generally also resolves this issue, because every message in a batch then uses the same mode.
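The following is an added, constructed model of the interaction described above (not Messaging Gateway code): a receiver that negotiates TLS only at the start of a session, and a sender that reuses one session per recipient domain. It shows the mixed batch producing deferred deliveries and the "TLS for all messages" setting eliminating them; the class and function names are assumptions.

```python
"""Constructed model of per-domain connection reuse with mixed TLS policies.
Assumed names: Receiver, deliver_batch. Not product code."""
from collections import defaultdict


class Receiver:
    """Receiving MTA that accepts STARTTLS only before any message is sent."""

    def __init__(self):
        self.messages_sent = 0
        self.tls_active = False

    def starttls(self):
        # Refuses to upgrade the session once a message has already been sent.
        if self.messages_sent > 0:
            return False
        self.tls_active = True
        return True

    def deliver(self):
        self.messages_sent += 1
        return True


def deliver_batch(messages, attempt_tls_for_all=False):
    """messages: list of (recipient_domain, tls_required).
    One session is reused per domain, as in the issue described.
    Returns (delivered, deferred) counts."""
    by_domain = defaultdict(list)
    for domain, tls_required in messages:
        by_domain[domain].append(tls_required or attempt_tls_for_all)
    delivered = deferred = 0
    for policies in by_domain.values():
        session = Receiver()
        for tls_required in policies:
            if tls_required and not session.tls_active and not session.starttls():
                deferred += 1  # delivery failed; queued for another attempt
                continue
            session.deliver()
            delivered += 1
    return delivered, deferred


# Constructed sample batch: a non-TLS message first, then a TLS-required one.
MIXED_BATCH = [("example.com", False), ("example.com", True), ("example.com", False)]
```

With the mixed batch the second message is deferred; with `attempt_tls_for_all=True` the session starts with TLS and all three messages are delivered.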