NuStart Email Trust Series — Post 5 of 10
TLS for Email protects the email whilst in transit. Email deliverability is full of acronym soup—SPF, DKIM, DMARC, TLS—and most small businesses don’t have time to become part-time email engineers. In this series, I translate the geeky jargon into plain-English concepts and simple actions. You run the business; I’ll do the nerding.
First: what TLS is (and what it isn’t)
TLS stands for Transport Layer Security. In email, TLS usually means encryption while the message is traveling between mail servers.
That’s the key idea:
- TLS protects email in transit (server-to-server).
- TLS does not automatically encrypt an email “end-to-end” so only the recipient can read it.
- TLS does not replace SPF/DKIM/DMARC (those are identity and policy).
Think of TLS like a sealed delivery envelope for the trip across the internet. It protects the message in transit.

Why TLS matters for nonprofits and small businesses
Most organizations aren’t sending “classified information,” but email still contains things you don’t want exposed or altered:
Nonprofits commonly email about:
- donor and sponsorship conversations
- volunteer coordination and schedules
- grant applications and supporting documents
- board communications and internal operations
- beneficiary or program details (often sensitive)
Small businesses commonly email about:
- quotes, estimates, invoices
- appointment confirmations and changes
- client questions, approvals, and files
- password resets and account notifications
TLS reduces the risk that these emails are readable while being delivered between mail systems. It also supports overall trust signals—many modern mail systems expect secure transport as a baseline.
How email delivery actually happens (quick map)
When you send an email, it usually doesn’t go straight from your laptop to the recipient. It goes:
- Your sending service (Google Workspace, Microsoft 365, or a transactional sender)
- The recipient’s receiving service (Gmail, Outlook, or their organization’s server)
- The email is stored and shown in their inbox
TLS is the secure “tunnel” that can protect the connection during step 1 → 2.
STARTTLS and “opportunistic encryption”
Most email TLS happens via STARTTLS.
Plain-English version:
- Your mail server connects to the recipient’s mail server.
- It asks: “Do you support encryption?”
- If yes, the connection “upgrades” to TLS and delivery happens securely.
- If no, delivery may still happen without encryption.
When TLS is used “when possible,” that’s called opportunistic TLS. It’s common, and it’s better than nothing—but it’s not strict.
Opportunistic TLS vs “Required TLS”
Opportunistic TLS (common default)
“Encrypt if you can, but deliver anyway if you can’t.”
This is what many systems do by default because the internet is messy and not every destination is configured perfectly.
Required TLS (stricter posture)
“Encrypt or don’t deliver.”
This is more secure, but you typically don’t enforce it globally without a policy framework—because you need a reliable way to tell senders, “For my domain, TLS is required.”
That is exactly what MTA-STS is for (coming next).
“Is my email encrypted?” A realistic answer
For most nonprofits and small businesses using Google Workspace or Microsoft 365, the answer is:
- Most of the time, yes—in transit.
- But there are still situations where encryption may not happen or may fail, such as:
- older or misconfigured destination mail servers
- certain forwarding/relay paths
- temporary TLS negotiation issues
If you want higher confidence and visibility (especially if you handle sensitive conversations), the usual next steps are:
- MTA-STS to publish a “TLS required” policy for inbound delivery
- TLS-RPT to receive reports when secure delivery fails
What TLS does not solve (important expectations)
TLS for email is not the same as email authentication and it won’t fix:
- spoofing and impersonation (“someone emailed pretending to be us”) → that’s DMARC
- “my form emails vanish” issues caused by untrusted sending sources → often a sending method problem
- inbox vs spam placement driven by reputation/complaints/engagement → a broader deliverability topic
TLS is one layer of a healthy email trust stack.
Practical: how nonprofits and small businesses run into TLS for Email issues
1) Website forms sending directly from the web server
Many sites send form notifications using the hosting server’s built-in mail. That path is often less reliable, less trusted, and not always consistent with modern email security expectations.
A more robust approach is to send website mail through a reputable authenticated sender (transactional email), so:
- SPF/DKIM/DMARC align cleanly
- TLS usage is typically strong
- deliverability improves
2) “Encrypted email” assumptions
It’s common to assume TLS means nobody can ever read the email. TLS protects delivery in transit, but once delivered, the email lives in mailboxes as usual.
3) Vendor sprawl
Nonprofits and small businesses often use several tools (newsletter platform + CRM + ticketing + donation platform + website forms). Each sender can behave differently, which is why consistency across the stack matters.
Quick TLS checklist (nonprofit + small business friendly)
- Your email provider supports modern TLS (Google/M365 generally do)
- Website forms and automated emails are sent via a trusted, authenticated method
- You understand TLS = “protected in transit,” not end-to-end encryption
- You’re ready to add enforcement and monitoring (MTA-STS + TLS-RPT) if needed
TLS FAQs
If we use Google Workspace or Microsoft 365, do we already have TLS?
Does TLS mean our donor emails are “secure”?
Why do some organizations say “we require TLS”?
What is STARTTLS?
Can TLS affect deliverability?
Do website contact forms use TLS?
What should we do next after TLS?
Want NuStart to handle this for you?
If you’d rather not wrestle with DNS records, alignment, and testing, NuStart can audit your current setup and implement a clean, reliable Email Trust configuration end-to-end. Request an Email Trust Audit today to get started.
Up next
Next: Post 6 — MTA-STS for Beginners: Protecting inbound email with secure delivery rules
