TLS 1.3 for Email Security.cloud

Article ID: 441926

Updated On:

Products

Email Security.cloud

Issue/Introduction

At Broadcom, we are committed to maintaining the highest security standards for your organization’s email. As part of our ongoing effort to protect against emerging vulnerabilities, we are updating the SMTP TLS protocols and ciphers that Email Security.cloud supports.

Effective 28-May-2026, Email Security.cloud is introducing support for TLS 1.3, which will be prioritized during opportunistic TLS handshakes. This means that servers will try to negotiate TLS 1.3 first; if one side doesn’t support it, the servers “fall back” to TLS 1.2 and its older ciphers.

If TLS enforcement is configured with a specific version of TLS, the mail servers will attempt to negotiate that version. If that version is not available, they will close the connection and will not transmit the email.

Email Security.cloud will retire support for certain outdated and weak encryption protocols, including:

  • SSLv3 (all ciphers) and legacy ciphers, including RC4, SEED, CAMELLIA, and 3DES across TLSv1.0, 1.1, and 1.2.

Environment

Symantec Email Security.cloud

Resolution

Supported Protocols and Ciphers:

Our platform will support the following cipher suites when receiving email. While we recommend the use of TLS 1.3 and TLS 1.2, we will maintain limited support for TLS 1.1 and 1.0 to ensure compatibility with older mail servers.

 

TLS 1.3

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_AES_128_GCM_SHA256

TLS_AES_128_CCM_SHA256

TLS 1.2

 ECDHE-RSA-AES256-GCM-SHA384

 ECDHE-RSA-CHACHA20-POLY1305

 ECDHE-RSA-AES256-SHA384

 ECDHE-RSA-AES128-GCM-SHA256

 ECDHE-RSA-AES128-SHA256

 DHE-RSA-AES256-GCM-SHA384

 DHE-RSA-CHACHA20-POLY1305

 DHE-RSA-AES256-SHA256

 DHE-RSA-AES128-GCM-SHA256

 DHE-RSA-AES128-SHA256

 AES256-GCM-SHA384

 AES256-SHA256

 AES128-GCM-SHA256

 AES128-SHA256

 ECDHE-RSA-AES256-SHA

 ECDHE-RSA-AES128-SHA

 DHE-RSA-AES256-SHA

 DHE-RSA-AES128-SHA

 AES256-SHA

 AES128-SHA

TLS 1.1

 ECDHE-RSA-AES256-SHA

 ECDHE-RSA-AES128-SHA

 DHE-RSA-AES256-SHA

 DHE-RSA-AES128-SHA

 AES256-SHA

 AES128-SHA

TLS 1

 ECDHE-RSA-AES256-SHA

 ECDHE-RSA-AES128-SHA

 DHE-RSA-AES256-SHA

 DHE-RSA-AES128-SHA

 AES256-SHA

 AES128-SHA

 

Why are we doing this?

  • Improved Security: Obsolete and insecure algorithms were removed. Legacy ciphers like RC4 and 3DES are no longer considered secure by global industry standards. Our data shows that these older protocols account for a tiny fraction of all encrypted mail — the majority of which consists of inbound spam and newsletters. By removing these ciphers, we reduce the attack surface and ensure that your data is protected by modern, high-performance encryption.
  • Performance: Provides faster connection initialization, typically requiring only one round-trip to securely connect.
  • Privacy: The handshake process is encrypted, hiding more information from observers and improving privacy.
  • Quantum-safe ciphers: TLS 1.3 cipher suites are quantum-safe.

 

How will this affect my email flow?

Mail servers will negotiate the strongest protocols and ciphers available to provide more secure communications. However, there is a chance that some emails will be rejected if the other mail server does not support the same set of ciphers. Most customers will see no impact. Email Security.cloud is designed to automatically negotiate the strongest protocol and cipher supported by the connecting server. If our analysis indicates that your specific mail traffic is at risk of being rejected due to a lack of modern protocol support, our Support Team will contact you directly to assist with your transition.

 

How can I review which ciphers are used by my partners or non-partners?

  1. You can view the TLS protocols and ciphers used in your mail flow in the Email Data Feed service. Please refer to Data Feeds API Guide: Email Security.cloud.
  2. You can create a Data Protection report to list the ciphers used by your mail flow. Please refer to the instructions in Log TLS emails using Data Protection in Email Security.cloud.
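
Once the protocol and cipher of each session have been exported by either method, they can be compared with the supported list above to find the partners that need follow-up. The script below is an added example, not Broadcom code: the (domain, protocol, cipher) record layout and the sample rows are constructed for illustration and are not the Data Feed schema, and it assumes OpenSSL-style cipher names, in which 3DES suites appear as DES-CBC3.

```python
from collections import Counter, defaultdict

# Cipher suites copied from the supported list on this page.
TLS13 = set("TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 "
            "TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256".split())
# The six CBC/SHA-1 suites the page lists for TLS 1.0, 1.1 and 1.2 alike.
CBC_SHA1 = set("ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA "
               "DHE-RSA-AES128-SHA AES256-SHA AES128-SHA".split())
TLS12 = CBC_SHA1 | set(
    "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 "
    "ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 "
    "DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-SHA256 "
    "DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 AES256-GCM-SHA384 "
    "AES256-SHA256 AES128-GCM-SHA256 AES128-SHA256".split())
SUPPORTED = {"1.3": TLS13, "1.2": TLS12, "1.1": CBC_SHA1, "1.0": CBC_SHA1}
# Retired families named on this page; DES-CBC3 is the OpenSSL spelling of 3DES.
RETIRED = ("RC4", "SEED", "CAMELLIA", "3DES", "DES-CBC3")

def classify(protocol, cipher):
    """Return 'ok', 'legacy-ok', 'retired' or 'unlisted' for one TLS session."""
    proto = protocol.upper().replace(" ", "")
    if proto.startswith("SSL") or any(tag in cipher.upper() for tag in RETIRED):
        return "retired"      # SSLv3 (all ciphers) or a retired cipher family
    version = proto.replace("TLSV", "").replace("TLS", "")   # "TLSv1.2" -> "1.2"
    version = "1.0" if version == "1" else version
    if cipher not in SUPPORTED.get(version, ()):
        return "unlisted"     # not on the page's list for this protocol version
    return "ok" if version in ("1.2", "1.3") else "legacy-ok"

def audit(sessions):
    """Tally statuses per partner domain and list the domains needing follow-up."""
    tally = defaultdict(Counter)
    for domain, protocol, cipher in sessions:
        tally[domain][classify(protocol, cipher)] += 1
    at_risk = sorted(d for d, c in tally.items() if c["retired"] or c["unlisted"])
    return dict(tally), at_risk

# Constructed sample rows (domain, protocol, cipher); not real Data Feed output.
SAMPLE = [
    ("partner-a.example", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("partner-b.example", "TLSv1.2", "DES-CBC3-SHA"),
    ("partner-c.example", "TLSv1", "AES128-SHA"),
    ("partner-d.example", "TLSv1.2", "ECDHE-ECDSA-AES256-GCM-SHA384"),
    ("partner-e.example", "SSLv3", "AES128-SHA"),
]

if __name__ == "__main__":
    print(audit(SAMPLE)[1])
```

Domains reported as `legacy-ok` still connect under the list above, but they are the ones to move to TLS 1.2 or later first.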

 

Next Steps

  1. If you maintain enforced TLS policies with partners, please ensure that their systems are compatible with the updated cipher list.
  2. We recommend that you configure your internal mail servers to support at least TLS 1.2 (though TLS 1.3 is preferred). 

Additional Information

KB Articles:

Log TLS emails using Data Protection in Email Security.cloud

TLS ciphers supported by Email Security.cloud

Configure TLS encryption enforcement between your domains and Symantec.cloud  

Documentation:

TLS Email Encryption Overview

Apply TLS enforcements between the Email Security Service infrastructure and all unenforced domains

Data Feeds API Guide: Email Security.cloud 10/10/2025