What is StartTLS?
What is StartTLS?
Ever wonder how email is securely sent from one server to another? When using Simple Mail Transfer Protocol (SMTP) to send mail, we rely on a combination of StartTLS and Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt our mail and help it safely land in the inbox.
But what is StartTLS?
StartTLS is a protocol command used to inform the email server that the email client wants to upgrade from an insecure connection to a secure one using TLS or SSL. StartTLS is used with SMTP and IMAP, while POP3 uses the slightly different command for encryption, STLS.
We’ll dig into the differences between TLS and SSL, the StartTLS process, and how to test StartTLS for your program.
StartTLS vs TLS: What's the difference?
StartTLS and TLS aren't competing protocols—they work together. TLS (Transport Layer Security) is the encryption protocol that actually secures your data, while StartTLS is the command that initiates that encryption process.
Key differences:
StartTLS is a protocol command:
- Tells the email server "I want to upgrade this connection to use encryption"
- Begins the negotiation between email client and server
- Works with both TLS and the older SSL protocols
- Allows connections to start unencrypted and upgrade to secure
TLS is the encryption protocol:
- Actually encrypts the data being transmitted
- Provides the security layer that protects email content
- Has multiple versions (TLS 1.0, 1.1, 1.2, 1.3)
- Can work with or without the StartTLS command
In practice, here's what happens:
- Your email client connects to the server (unencrypted initially)
- Client sends StartTLS command to request encryption
- Server responds with available TLS versions
- Both sides agree on the highest TLS version they both support
- TLS encryption activates and secures the connection
- Your email is transmitted using TLS encryption
StartTLS makes email encryption more flexible because it allows the same port to handle both encrypted and unencrypted connections. Without StartTLS, you'd need separate ports for secure and insecure email—which is exactly what happens with implicit TLS on port 465.
StartTLS is the process, TLS is the protection. You need both for secure email transmission.
For even more information on TLS vs. SSL, check out our docs page.
How does StartTLS work?
The StartTLS process
SMTP always starts unencrypted. The StartTLS command starts the negotiation between server and client. Here’s an outline of the communication that happens between the email client and email server.
- The process begins with the Transmission Control Protocol (TCP) handshake to help both the email client and server identify each other.
- The server identifies with 220 Ready that the email client can proceed with the communication.
- The client sends the server “EHLO” to inform the server that the client would like to use Extended SMTP (the more advanced version of SMTP that lets you include images, attachments, etc.).
- The server’s EHLO reply includes “250-STARTTLS”, which tells the client that StartTLS is supported (this line is visible in the test session later in this article). The client then sends the “STARTTLS” command to request the upgrade.
- If the server answers with a 220 “Go ahead” response, the TLS handshake can begin.
- Once the handshake completes, the client sends EHLO again over the now-encrypted channel, and everything that follows, including the email message, is encrypted.
Here’s a visual representation of the StartTLS process.

Which port should you use?
The port that most often uses StartTLS is port 587, the mail submission port; servers listening on it commonly require clients to issue StartTLS before sending mail. Encrypted mail is also sent over ports 25, 465, and 2525. Port 25 was designed for server-to-server mail transfer rather than client submission, so your ISP may block outbound connections on it. Port 465 is the second most commonly used port for encrypted submission, but it uses implicit TLS (the connection is encrypted from the start) rather than StartTLS.
Opportunistic vs. Enforced TLS
There are a couple of different ways to set up your email encryption program by using either Opportunistic TLS or Enforced TLS:
- Opportunistic TLS (or Explicit TLS) allows the email client to deliver on the highest encryption level the recipient server accepts. If the recipient server does not accept TLS, the email client will negotiate with the server and agree to downgrade to an unencrypted connection. The message will then be sent in an unencrypted, plain text form. This method is useful because you can use the same port for both encrypted and plain text mail.
- Enforced TLS (or Implicit TLS) requires the mail to be sent over a secure connection. If the connection is not encrypted, the mail will be blocked from sending. This method is much more secure than Opportunistic TLS, but does lead to more mail being dropped.
Both approaches are widely used in the email world, so consider what makes the most sense for your program. If you are sending email that contains sensitive, personal information, it may be best to use Enforced TLS. On the other hand, if you’re sending non-sensitive material, like marketing or promotions, you may be more inclined to use Opportunistic TLS.
Other TLS use cases
TLS is frequently used to encrypt communication well beyond email. Because TLS sits between the application and the transport layer, it adapts readily to many kinds of traffic, including web browsers (HTTPS), SMS gateways, and Voice over IP. In fact, many companies use TLS to encrypt all communication between their web servers and browsers, even when most of that traffic isn’t sensitive.
For more information on how Twilio uses TLS, check out Twilio’s Security page.
Why is StartTLS important?
SMTP is not secured by default, which means that if you were to send email over SMTP without StartTLS the email could be intercepted and easily interpreted. This is especially worrisome when sending sensitive, personal information like usernames, passwords, or bank information.
Without StartTLS, your personal information is at risk of being stolen.
When an email client uses StartTLS, it informs the server that the content must be encrypted. This way, if the mail is intercepted, the content has been scrambled and is very challenging to decipher. The email server and email client are the only ones that hold the key to decode the message.
Drawbacks
There are certain drawbacks to using StartTLS. Email clients are susceptible to man-in-the-middle attacks because the initial exchange between client and server, including the EHLO reply that advertises StartTLS, takes place before any encryption is in place. Verifying the server certificate and using Enforced TLS reduce this exposure.
Using StartTLS could also add some latency to the SMTP connection. This would not be enough of a delay to make it necessary to send unencrypted email, but it is good to keep in mind.
How do I test StartTLS?
It’s important to test in advance to make sure the server is capable of processing StartTLS. If it isn’t, you could accidentally send a fair amount of email unencrypted, where it is exposed to interception.
Here is an example of how you would test StartTLS from SendGrid’s SMTP server.
$ telnet smtp.sendgrid.net 25
Trying 167.89.118.58...
Connected to smtp.sendgrid.net.
Escape character is '^]'.
220 SG ESMTP service ready at ismtpd0017p1las1.sendgrid.net
EHLO
250-smtp.sendgrid.net
250-8BITMIME
250-PIPELINING
250-SIZE 31457280
250-STARTTLS
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN
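As an added example (not SendGrid’s own code), here is a small Python script that ties the manual test above to the Opportunistic vs. Enforced TLS choice from earlier in the article: it parses an EHLO reply (the sample is constructed from the telnet session above), decides what an opportunistic or enforced policy would do with that reply, and, when run against a live host, performs the StartTLS upgrade with certificate verification enabled, reporting failures under the same headings as the troubleshooting list that follows. It uses only the Python standard library; the function names, the result dictionary layout and the default host and port are my own choices.

```python
"""Offline EHLO parsing plus a live StartTLS probe with certificate verification.

Added example, not SendGrid's code; it uses only the Python standard library.
"""
import smtplib
import socket
import ssl
import sys

# Constructed sample: the body of the EHLO reply shown in the telnet session
# above, in the form smtplib returns it (status codes stripped, one line per
# capability, first line = server name).
SAMPLE_EHLO_REPLY = (
    b"smtp.sendgrid.net\n"
    b"8BITMIME\n"
    b"PIPELINING\n"
    b"SIZE 31457280\n"
    b"STARTTLS\n"
    b"AUTH PLAIN LOGIN\n"
    b"AUTH=PLAIN LOGIN"
)


def parse_ehlo_extensions(reply: bytes) -> dict:
    """Map each advertised ESMTP keyword to its parameter string.

    The first line of an EHLO reply is the server's name, not a capability,
    so it is skipped. A "STARTTLS" key in the result means the upgrade is offered.
    """
    extensions = {}
    for line in reply.decode("ascii", errors="replace").splitlines()[1:]:
        keyword, _, params = line.strip().partition(" ")
        if keyword:
            extensions[keyword.upper()] = params
    return extensions


def decide_delivery(extensions: dict, enforced: bool) -> str:
    """Apply the Opportunistic vs Enforced TLS policy to a parsed EHLO reply.

    "encrypt":   STARTTLS was offered, so upgrade before sending.
    "plaintext": not offered; Opportunistic TLS falls back to the clear.
    "block":     not offered and TLS is enforced, so the message is not sent.
    """
    if "STARTTLS" in extensions:
        return "encrypt"
    return "block" if enforced else "plaintext"


def probe_starttls(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Connect, send EHLO and, if STARTTLS is offered, upgrade with a verifying context.

    Errors are reported under the same headings as the troubleshooting list
    rather than raised, so the result can be logged or alerted on.
    """
    result = {"host": host, "port": port, "starttls_offered": False,
              "tls_version": None, "error": None}
    context = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as conn:
            code, reply = conn.ehlo()
            if code != 250:
                result["error"] = f"EHLO rejected with status {code}"
                return result
            result["starttls_offered"] = "STARTTLS" in parse_ehlo_extensions(reply)
            if result["starttls_offered"]:
                conn.starttls(context=context)
                result["tls_version"] = conn.sock.version()  # e.g. "TLSv1.3"
                conn.ehlo()  # RFC 3207: the client sends EHLO again after the upgrade
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate verification failed: {exc}"
    except ssl.SSLError as exc:
        result["error"] = f"TLS negotiation failed: {exc}"
    except (socket.timeout, ConnectionRefusedError, OSError) as exc:
        result["error"] = f"connection timeout or refused: {exc}"
    except smtplib.SMTPException as exc:
        result["error"] = f"SMTP error: {exc}"
    return result


if __name__ == "__main__":
    # Usage: python probe.py [host] [port]; defaults to the host used in the article.
    target = sys.argv[1] if len(sys.argv) > 1 else "smtp.sendgrid.net"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    print(probe_starttls(target, target_port))
```

The probe deliberately uses `ssl.create_default_context()` rather than an unverified context: a server whose certificate does not match the hostname is reported as a "certificate verification failed" result instead of being silently accepted, which is the check the FAQ below recommends.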
Troubleshooting common StartTLS errors
"StartTLS is required to send mail" errors are annoying, but it’s usually pretty easy to fix them (at least when you know what’s going wrong):
- Error: "Must issue a STARTTLS command first": Your email client is trying to authenticate before establishing encryption. Solution: Enable StartTLS in your email client settings and double-check you're using the correct port (usually 587).
- Error: "STARTTLS is required": The mail server mandates encryption, but your client isn't requesting it. Solution: Check that StartTLS is enabled in your SMTP configuration, not just SSL/TLS.
- Connection timeout or refused: Your ISP might be blocking the SMTP port you're using. Solution: Try alternative ports—587, 2525, or 465. If port 25 isn't working, this is likely the culprit.
- Certificate verification failed: The server's TLS certificate can't be verified. Solution: Check your date/time settings first (seriously), then verify the server hostname matches your SMTP settings exactly.
- Negotiation failed errors: Your client and server can't agree on a TLS version. Solution: Update your email client or check if the server supports your client's TLS version. Older clients might only support deprecated TLS versions.
Quick diagnostic steps:
- Test your StartTLS connection manually using telnet (see our testing section above)
- Verify your SMTP server address and port combination
- Check if your firewall or antivirus is interfering with SMTP connections
- Confirm your email provider actually supports StartTLS on the port you're using
If you’re still stuck, the issue is usually in the configuration details. Double-check your authentication method, port number, and guarantee StartTLS is explicitly enabled, not just "SSL/TLS."
How does Twilio SendGrid use StartTLS?
Twilio SendGrid supports TLS v1.2 and higher. Unencrypted and TLS connections are accepted on ports 25, 587, and 2525. Or, you can connect through SSL on port 465.
We follow Opportunistic TLS and send on the highest encryption level the recipient server accepts. We also offer Enforced TLS. It is your choice whether or not you require your email to be sent over an encrypted connection. If the recipient server does not accept encrypted messages, the message is dropped and we send a block event.
You would mainly interact with StartTLS when initiating the SMTP request to Twilio SendGrid, asking to send mail. Otherwise, Twilio SendGrid handles the matching of the TLS certificates, the rest of the encryption process, and any issues that may come up along the way.
For more information on Twilio SendGrid and SMTP, head over to our docs article, How to Send an SMTP Email. And when you're ready to start sending emails, sign up for a free Twilio SendGrid account and get started.
Frequently asked questions
Q. What port does StartTLS use?
A. StartTLS typically uses port 587, which is the standard for email submission with encryption. Ports 25 and 2525 also support StartTLS, but port 587 is recommended for client applications.
Q. Is StartTLS secure?
A. StartTLS provides strong security when properly configured, but it's not foolproof. It's vulnerable to man-in-the-middle attacks during the initial unencrypted handshake. For maximum security, use StartTLS with certificate verification enabled.
Q. How do I enable StartTLS?
A. Enable StartTLS in your email client's SMTP settings. Look for options like "Use STARTTLS," "Explicit TLS," or "TLS/StartTLS." Avoid "SSL" or "Implicit TLS" options for a StartTLS port: those expect the connection to be encrypted from the first byte (as on port 465) rather than upgraded after EHLO.
Q. What's the difference between StartTLS and SSL?
A. StartTLS upgrades an existing connection to encrypted, while SSL creates an encrypted connection from the start. StartTLS is more flexible because it allows the same port to handle both encrypted and unencrypted connections.
Q. Why am I getting "StartTLS is required" errors?
A. This error means the mail server requires encryption, but your email client isn't requesting it. Check that StartTLS is enabled in your SMTP configuration and you're using the correct port (usually 587).
Q. Can I use StartTLS with any email provider?
A. Most modern email providers support StartTLS, but older or less secure providers might not. Test your connection first, and consider switching providers if StartTLS isn't supported.