STARTTLS
STARTTLS is an SMTP extension, defined in RFC 3207, that upgrades a connection from plain text to encrypted TLS in the middle of the session. The connection starts unencrypted; if the receiver advertises STARTTLS in its EHLO reply, the sender issues the command and both sides negotiate TLS before any message is sent. It is the dominant way server-to-server email is encrypted in transit.
- Upgrades an existing plain-text SMTP connection to encrypted TLS mid-session
-
Advertised as an EHLO capability; the client then issues
STARTTLS - Usually opportunistic, so it quietly falls back to plain text if TLS is unavailable
- Vulnerable to downgrade (stripping) attacks unless backed by MTA-STS or DANE
STARTTLS
220 Ready to start TLS
25 (relay) · 587 (submission)
How STARTTLS works
STARTTLS is not an encryption protocol; it is the SMTP command that switches on encryption. The connection opens in plain text on the usual ports. When the sender greets the receiver with EHLO and sees 250-STARTTLS in the reply, it knows the receiver can encrypt. The sender then issues the bare STARTTLS command, the server answers 220 Ready to start TLS, and both sides run a TLS handshake to set up an encrypted channel.
After the handshake the SMTP session resets to its initial state, so the client reissues EHLO over the now-encrypted connection and continues with MAIL FROM and the message. If the server cannot start TLS right then it replies 454, and a syntactically wrong command gets 501. This is why STARTTLS is called opportunistic encryption: it protects the session when both sides can, but the conversation begins in the clear.
A STARTTLS upgrade, line by line
The whole upgrade happens in three commands before the TLS handshake itself begins:
C: EHLO mail.example.com
S: 250-mx.receiver.net at your service
S: 250 STARTTLS
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
... TLS handshake negotiates the cipher and keys ...
C: EHLO mail.example.com (reissued over the encrypted channel)
The downgrade-attack problem
Because the session opens in plain text, the STARTTLS capability is announced before anything is encrypted. A network attacker sitting in the middle can simply strip the 250-STARTTLS line from the EHLO reply, and the sender, seeing no TLS on offer, falls back to delivering the message unencrypted. Neither side gets an error. This stripping (or downgrade) attack is the core weakness of opportunistic STARTTLS.
Two standards close the gap by letting a domain require TLS. MTA-STS (RFC 8461) publishes a policy over HTTPS that tells senders to refuse plain-text delivery to your servers. DANE (RFC 7672) does the same through a DNSSEC-signed TLSA record. Either one turns opportunistic encryption into enforced encryption.
The STARTTLS upgrade handshake
EHLO250-STARTTLS in its capability listSTARTTLS and the server replies 220 Ready to start TLSEHLO over TLS, then delivers the messageSTARTTLS vs implicit TLS
| STARTTLS (explicit) | Implicit TLS | |
|---|---|---|
| How it starts | Plain text, then upgrades | Encrypted from the first byte |
| Typical ports | 25, 587 |
465 (submission) |
| Defined in | RFC 3207 | RFC 8314 |
| Strippable? | Yes, unless enforced | No, no plain-text phase |
| Main use | Server-to-server relay | Client mail submission |
By the numbers
STARTTLS command.501 signals a malformed command.Common mistakes
Frequently asked questions
454 (TLS temporarily unavailable) or the handshake fails, an opportunistic sender normally falls back to delivering in plain text. A sender bound by an MTA-STS or DANE policy instead defers or rejects the delivery rather than sending unencrypted.