When I’ve talked to developers about the confidentiality of email in transit, between mail servers, I usually hear one of these responses:
In this post, I explore the current state of server-to-server transport encryption and examine the confidentiality challenges we still face.
There are a lot of areas to consider here, so I want to start by refining the scope. Email travels quite a bit: from the message author’s device to their mail server, between mail servers, and finally to the recipient’s device so they can read it. I’m focusing solely on the confidentiality of messages as they transit between mail servers.
Google publicly tracks the volume of unencrypted email they send. As of 2024, they cite that 2% of the email they send is sent unencrypted. Similarly, Cloudflare reports that 6% of the email they receive is received unencrypted. These messages are vulnerable to passive eavesdropping. This contradicts the notion that everyone uses TLS so we’ve got to dig in further.
Many of these domains are operated by financial institutions or telecoms. If you decided to require TLS, you’d be unable to send mail to the organizations on the right. Looking at the list, you may not know any of these companies, so maybe this doesn’t seem like a problem. But any large email provider sees a meaningful volume of unencrypted outbound email, so “mandatory TLS” still isn’t a reasonable default policy.
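To make the trade-off concrete, here is a small simulation I added for this post (it is not code from the original article or from any mail server). It parses the extension keywords from an SMTP EHLO reply, checks whether STARTTLS is advertised, and applies each of three outbound policies (no TLS, opportunistic TLS, mandatory TLS) to a handful of receiving servers. The domain names and EHLO replies are constructed samples; the three policies are my own labels for the behaviours the post describes.

```python
"""
Added example (not code from the original post): simulate how a sending mail
server's TLS policy handles receiving servers that do or do not advertise
STARTTLS. The EHLO replies and domain names below are constructed samples.
"""
from dataclasses import dataclass
from enum import Enum


class TlsPolicy(Enum):
    NONE = "none"                    # never negotiate TLS
    OPPORTUNISTIC = "opportunistic"  # use STARTTLS when offered, else plaintext
    MANDATORY = "mandatory"          # refuse delivery unless STARTTLS is offered


@dataclass(frozen=True)
class Delivery:
    domain: str
    encrypted: bool   # message left over a TLS-protected connection
    delivered: bool   # False when the policy refused to send in plaintext


def parse_ehlo_extensions(reply: str) -> set[str]:
    """Return the extension keywords from a multi-line 250 EHLO reply.

    Per RFC 5321 section 4.1.1.1 the first 250 line carries the server's
    greeting; every following line is '250-' (more to come) or '250 ' (last
    line) followed by an extension keyword and optional parameters. Keywords
    are case-insensitive, so they are normalised to upper case.
    """
    exts: set[str] = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply")
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {line!r}")
        body = line[4:].strip()
        if body:
            exts.add(body.split(None, 1)[0].upper())
    return exts


def advertises_starttls(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo_extensions(reply)


def decide(policy: TlsPolicy, domain: str, reply: str) -> Delivery:
    """Apply one outbound TLS policy to a single receiving server's EHLO reply."""
    offered = advertises_starttls(reply)
    if policy is TlsPolicy.NONE:
        return Delivery(domain, encrypted=False, delivered=True)
    if offered:
        return Delivery(domain, encrypted=True, delivered=True)
    if policy is TlsPolicy.OPPORTUNISTIC:
        return Delivery(domain, encrypted=False, delivered=True)
    return Delivery(domain, encrypted=False, delivered=False)  # MANDATORY


def simulate(policy: TlsPolicy, replies: dict[str, str]) -> dict[str, int]:
    """Count encrypted, plaintext and refused deliveries across many receivers."""
    counts = {"encrypted": 0, "plaintext": 0, "refused": 0}
    for domain, reply in replies.items():
        d = decide(policy, domain, reply)
        if not d.delivered:
            counts["refused"] += 1
        elif d.encrypted:
            counts["encrypted"] += 1
        else:
            counts["plaintext"] += 1
    return counts


# Constructed EHLO replies standing in for three kinds of receiving server.
EHLO_REPLIES = {
    "mail-provider.example": (      # advertises STARTTLS
        "250-mx.mail-provider.example at your service\r\n"
        "250-SIZE 157286400\r\n"
        "250-8BITMIME\r\n"
        "250-STARTTLS\r\n"
        "250 SMTPUTF8\r\n"
    ),
    "bank.example": (               # extensions present, but no STARTTLS
        "250-mx.bank.example Hello\r\n"
        "250-SIZE 52428800\r\n"
        "250 8BITMIME\r\n"
    ),
    "telco.example": (              # single-line reply: no extensions at all
        "250 relay.telco.example\r\n"
    ),
}


if __name__ == "__main__":
    for policy in TlsPolicy:
        print(policy.value, simulate(policy, EHLO_REPLIES))
```

With the mandatory policy, the two receivers that never offer STARTTLS are refused outright, which is the delivery failure the post warns about; with the opportunistic policy they are delivered in plaintext, which is the exposure Google's and Cloudflare's percentages measure. One caveat worth keeping in mind when reading the numbers: a receiver advertising STARTTLS only tells you encryption was negotiated, not that the sender verified the receiver's certificate, so "encrypted" here means protection from passive eavesdropping rather than authenticated delivery.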