By default, the SMTP protocol lacks encryption and can be used to send emails without any protection in place. This leaves emails over SMTP susceptible to man-in-the-middle attacks and eavesdropping from bad actors while messages are in transit.
In contrast, SMTPS utilizes either TLS or SSL to secure email communications using asymmetric cryptography. The main takeaway is that SMTP is susceptible to attacks, while SMTPS uses TLS for email to provide a secure connection.
Email that is not secured using SMTPS is vulnerable to a series of attacks that can modify the contents of a message or reroute that message to an attacker before being passed on to the intended recipient.
Attackers exploit the unencrypted communications by injecting their own malicious SMTP commands into data as it is transmitted from a server. These types of attacks can be used to send spam from the vulnerable domain, steal sensitive information silently, or to conduct phishing attacks.
SMTP can be secured through the enablement of TLS on your mail server. By enabling TLS, you are encrypting the SMTP protocol on the transport layer by wrapping SMTP inside of a TLS connection. This effectively secures SMTP and transforms it into SMTPS.
Port 587 and 465 are both frequently used for SMTPS traffic. Port 587 is often used to encrypt SMTP messages using STARTTLS, which allows the email client to establish secure connections by requesting that the mail server upgrade the connection through TLS.
Port 465 is used for implicit TLS and can be used to facilitate secure communications for mail services. According to the Internet Engineering Task Force, or IETF, this is preferred over using STARTTLS on port 587.
Lastly, port 2525 is sometimes also used. Some residential ISPs will block port 25 to stop users from running their own mail servers. To combat this, enthusiasts and small home businesses use port 2525.
System administrators can enable SMTPS through the client settings on their SMTP connector. This step will vary depending on which mail server you are running. For example, when configuring the SMTP connector in Outlook, there are options for setting the authentication type where TLS will be an option.
You can check to see if your emails are being sent securely by viewing the headers of the email in question. This can be done in most modern email clients. In Outlook, this can be done by doing the following:
Open the email you wish to check the security of.
Navigate to File tab > Properties. This will open up the email header information which will contain transmission information, including encryption details if they are being applied.
For Gmail users the process is a bit easier. To check if the email is being sent via SMTPS simply open the email in question and click the small arrow next to your name underneath the sender’s address. You should see something like this:
The security tab will provide details about the type of encryption used to secure the email, along with the domain that signed the certificate above it.
SMTPS plays a key role in email security, but it can’t protect against all email-based threats. Emails using SMTPS are protected against:
SMTPS keeps messages in transit secure from prying eyes. But what about spoofing, and phishing, and spam? OH MY!
Let’s take a quick look at a few email standards you can deploy to protect your email and domain:
Sender Policy Framework (SPF): Helps recipients of your messages verify that messages from your domain are in fact coming from you. SPF tells the world which servers you send email from. If a message is sent from your domain that does not originate from these servers, the SPF check fails.
Domain-based Message Authentication Reporting and Conformance (DMARC): Authenticates messages by aligning SPF and DKIM capabilities. Having DMARC fully implemented on your domain is one of the best ways to protect your brand from impersonation.
Brand Indicators for Message Identification (BIMI): Provides domains that already use DMARC for authentication an extra layer of protection by displaying their brand logo in email messages. This helps recipients visually identify when an email is legitimate, and helps companies build additional brand awareness through email campaigns.
Agari Brand Protection uses SMTPS, as well as DMARC, to encrypt email messages and prevent attacks from spoofed domains. TLS and DMARC prevents inboxes from receiving fake emails from companies who have had their email spoofed.
Phishing attacks that use lookalike domains trick unsuspecting recipients into clicking links or sending sensitive information by pretending to be a trusted sender. These attacks can occur directly over a SMTPS connection since they don’t need to abuse a lack of encryption in order to succeed.
By combining SMTPS with Agari Brand Protection, organizations can deploy an email security strategy that stops email-based attacks on all levels. For email protection that goes beyond SMTPS, see how Agari Phishing Defense works in action, or schedule a demo to learn more.