If your business relies on emails to communicate with customers and clients, you should be familiar with terms like SSL, TLS, and STARTTLS.

But what exactly are these terms, and what roles do they play? Dive in to learn about them.

What are SSL and TLS, Exactly?

Two cryptographic protocols are used in email transmission: SSL (Secure Socket Layer) and TLS (Transport Layer Security), which is its descendant. Both use a set of public and private keys to transcribe messages into meaningless strings of characters.

When Netscape introduced SSL in 1995, it was quickly incorporated into all of the popular email clients at the time, including their own. A new standard with a more reliable security profile was introduced four years later, and it is the TLS.

However, along with its younger sibling, SSL is still widely used today despite being deprecated. SSL and TLS can be used interchangeably. The term 'SSL/TLS' is also commonly used.

Given the prevalence of SSL and TLS, it's common to see clients or servers presenting users with the most recent SSL encryption. They most likely use TLS to power their transmissions.

Here is a list of all SSL/TLS versions that have been released so far:

ProtocolYear PublishedPresent Status
SSL 2.01995Deprecated since 2011
SSL 3.01996Deprecated since 2015
TLS 1.01999To be Deprecated in 2020
TLS 1.12006To be Deprecated in 2020
TLS 1.22008Actively supported
TLS 1.32018Actively supported

What function does STARTTLS serve?

STARTTLS is an email protocol command. It informs an email server that a client wants to switch from an existing insecure connection to a secure one using SSL or TLS. Typical clients include Gmail, Outlook, and others.

How do TLS/SSL and STARTTLS Work?

SSL/TLS enables the display of a secure message on a website and the authentication of the domain owner. Additionally, any insecure connection is made secure using STARTTLS. There are two techniques for doing this:

i. Using Opportunistic SSL/TLS (aka Explicit SSL/TLS)

Here, a client will change an encryption connection by sending the STARTTLS command. If everything goes according to plan and the server is functional, a secure TLS or SSL connection will be created. If anything goes wrong during the process, it issues a plain-text transmission.

ii. Using Forced SSL/TLS (aka Implicit SSL/TLS)

In this case, a client will attempt to create a secure connection without contacting a server to inquire about compatibility. A handshake and a secure connection will be established if it is successful. The transmission will be canceled if the server is unreliable or the connection times out.

What Ports do Explicit and Implicit SSL/TLS Use?

For a long time, port 25 was the standard for sending emails to MTAs (email servers) and relaying them among MTAs. Since then, more ports have been made public, with 25 primarily used for SMTP relay functions. The most widely used port for SMTP submission has been 587.

Port 587 should be your choice if you want to use an explicit SSL/TLS connection. Port 2525 is also frequently used as an alternative. For a brief period, port 465 is best for email submission. This choice was swiftly reversed in favor of port 587, though many clients and servers are already using it.

Additionally, different ports are used for Implicit and Explicit SSL/TLS by IMAP and POP (primarily POP3). IMAP retrieves emails on port 143 when STARTTLS is used and on port 993 when implicit SSL/TLS is used. Specifically, POP uses ports 110 and 995.

How to check if a Server Supports STARTTLS

To perform a mail ssl test, you can use tools like OpenSSL to check if a server supports STARTTLS. Here is a short example:

You'll see a lot of debugging information in the terminal response and then at the end a message like this:


With the development of technology, a new iteration of TLS or even a completely new protocol might be introduced. Some ports might become obsolete, while others might become famous.