TLS for Email – What “encrypted email delivery” actually means

December 18, 2025

Anne Allen

NuStart Email Trust Series — Post 5 of 10

TLS for Email protects the email whilst in transit. Email deliverability is full of acronym soup—SPF, DKIM, DMARC, TLS—and most small businesses don’t have time to become part-time email engineers. In this series, I translate the geeky jargon into plain-English concepts and simple actions. You run the business; I’ll do the nerding.


First: what TLS is (and what it isn’t)

TLS stands for Transport Layer Security. In email, TLS usually means encryption while the message is traveling between mail servers.

That’s the key idea:

  • TLS protects email in transit (server-to-server).
  • TLS does not automatically encrypt an email “end-to-end” so only the recipient can read it.
  • TLS does not replace SPF/DKIM/DMARC (those are identity and policy).

Think of TLS like a sealed delivery envelope for the trip across the internet. It protects the message in transit.

TLS for Email

Why TLS matters for nonprofits and small businesses

Most organizations aren’t sending “classified information,” but email still contains things you don’t want exposed or altered:

Nonprofits commonly email about:

  • donor and sponsorship conversations
  • volunteer coordination and schedules
  • grant applications and supporting documents
  • board communications and internal operations
  • beneficiary or program details (often sensitive)

Small businesses commonly email about:

  • quotes, estimates, invoices
  • appointment confirmations and changes
  • client questions, approvals, and files
  • password resets and account notifications

TLS reduces the risk that these emails are readable while being delivered between mail systems. It also supports overall trust signals—many modern mail systems expect secure transport as a baseline.


How email delivery actually happens (quick map)

When you send an email, it usually doesn’t go straight from your laptop to the recipient. It goes:

  1. Your sending service (Google Workspace, Microsoft 365, or a transactional sender)
  2. The recipient’s receiving service (Gmail, Outlook, or their organization’s server)
  3. The email is stored and shown in their inbox

TLS is the secure “tunnel” that can protect the connection during step 1 → 2.


STARTTLS and “opportunistic encryption”

Most email TLS happens via STARTTLS.

Plain-English version:

  • Your mail server connects to the recipient’s mail server.
  • It asks: “Do you support encryption?”
  • If yes, the connection “upgrades” to TLS and delivery happens securely.
  • If no, delivery may still happen without encryption.

When TLS is used “when possible,” that’s called opportunistic TLS. It’s common, and it’s better than nothing—but it’s not strict.


Opportunistic TLS vs “Required TLS”

Opportunistic TLS (common default)

“Encrypt if you can, but deliver anyway if you can’t.”

This is what many systems do by default because the internet is messy and not every destination is configured perfectly.

Required TLS (stricter posture)

“Encrypt or don’t deliver.”

This is more secure, but you typically don’t enforce it globally without a policy framework—because you need a reliable way to tell senders, “For my domain, TLS is required.”

That is exactly what MTA-STS is for (coming next).


“Is my email encrypted?” A realistic answer

For most nonprofits and small businesses using Google Workspace or Microsoft 365, the answer is:

  • Most of the time, yes—in transit.
  • But there are still situations where encryption may not happen or may fail, such as:
    • older or misconfigured destination mail servers
    • certain forwarding/relay paths
    • temporary TLS negotiation issues

If you want higher confidence and visibility (especially if you handle sensitive conversations), the usual next steps are:

  • MTA-STS to publish a “TLS required” policy for inbound delivery
  • TLS-RPT to receive reports when secure delivery fails

What TLS does not solve (important expectations)

TLS for email is not the same as email authentication and it won’t fix:

  • spoofing and impersonation (“someone emailed pretending to be us”) → that’s DMARC
  • “my form emails vanish” issues caused by untrusted sending sources → often a sending method problem
  • inbox vs spam placement driven by reputation/complaints/engagement → a broader deliverability topic

TLS is one layer of a healthy email trust stack.


Practical: how nonprofits and small businesses run into TLS for Email issues

1) Website forms sending directly from the web server

Many sites send form notifications using the hosting server’s built-in mail. That path is often less reliable, less trusted, and not always consistent with modern email security expectations.

A more robust approach is to send website mail through a reputable authenticated sender (transactional email), so:

  • SPF/DKIM/DMARC align cleanly
  • TLS usage is typically strong
  • deliverability improves

2) “Encrypted email” assumptions

It’s common to assume TLS means nobody can ever read the email. TLS protects delivery in transit, but once delivered, the email lives in mailboxes as usual.

3) Vendor sprawl

Nonprofits and small businesses often use several tools (newsletter platform + CRM + ticketing + donation platform + website forms). Each sender can behave differently, which is why consistency across the stack matters.


Quick TLS checklist (nonprofit + small business friendly)

  • Your email provider supports modern TLS (Google/M365 generally do)
  • Website forms and automated emails are sent via a trusted, authenticated method
  • You understand TLS = “protected in transit,” not end-to-end encryption
  • You’re ready to add enforcement and monitoring (MTA-STS + TLS-RPT) if needed

TLS FAQs

If we use Google Workspace or Microsoft 365, do we already have TLS?

Usually, yes—most server-to-server email delivery will use TLS when the recipient supports it. MTA-STS/TLS-RPT adds stricter policy and visibility.

Does TLS mean our donor emails are “secure”?

TLS helps protect messages while they travel between mail servers. It’s a strong baseline. If you handle highly sensitive data, consider using secure portals or other protected workflows for the most sensitive exchanges.

Why do some organizations say “we require TLS”?

They want to ensure email is not delivered unencrypted. Enforcing this broadly often involves standards like MTA-STS (and monitoring with TLS-RPT).

What is STARTTLS?

STARTTLS is the email protocol feature that upgrades an SMTP connection to use TLS encryption, if both servers support it.

Can TLS affect deliverability?

Indirectly. Secure, modern mail practices help with trust. But authentication (SPF/DKIM/DMARC), reputation, and sending behavior are usually bigger drivers.

Do website contact forms use TLS?

The website connection to the visitor may be HTTPS, but the email the form sends is a separate system. The form’s email delivery depends on how the site sends mail (server mail vs authenticated sender) and what that sender supports.

What should we do next after TLS?

If you want more control and reporting for inbound delivery, the next step is MTA-STS (policy) and TLS-RPT (monitoring)

Want NuStart to handle this for you?
If you’d rather not wrestle with DNS records, alignment, and testing, NuStart can audit your current setup and implement a clean, reliable Email Trust configuration end-to-end. Request an Email Trust Audit today to get started.

Up next
Next: Post 6 — MTA-STS for Beginners: Protecting inbound email with secure delivery rules

Anne Allen

About the author

Hi, I’m Anne Allen. I’ve spent the last 15 years living and breathing WordPress. I’m passionate about helping business owners demystify their websites—whether that means keeping your site secure with proper maintenance, setting up complex Gravity Forms, or ensuring your content is accessible through ADA compliance. Let’s make your site work for you.