How to improve email security in Gmail

Over the last few years, we’ve seen the use of Transport Layer Security (TLS) on the web increase to more than 96% of all traffic seen by a Chrome browser on Chrome OS. That’s an increase of over 35% in just four years, as reported in the Google Transparency Report.

Gmail already supports TLS, so that if the Simple Mail Transfer Protocol (SMTP) mail connection can be secured through TLS, it will be. However, in order to encourage more organisations to increase their email security posture and to further the goal of enabling TLS by default, Google has made the following changes:

• TLS for mail connections will now be enabled by default
• Admins are now able to test their SMTP outbound routes’ TLS configuration in the Admin console before deployment. They no longer need to wait for messages to bounce.

While admins have always had the ability to require TLS encryption for mail routes, it was previously off by default. Note that existing mail routes will not be impacted by these changes.

Google recommends that admins enable existing mail security features including SPF, DKIM, and DMARC to help protect end-users. Google also recommends that admins turn on MTA Strict Transport Security (MTA-STS) which improves Gmail security by requiring authentication checks and encryption for email sent to their domains. Enabling TLS by default on new SMTP mail routes enhances the security posture of customers while enabling admins to test connections before enforcing TLS on existing routes makes it easier for them to deploy best-practice security policies.

With TLS enabled by default for new mail routes, all certificate validation requirements are also enabled by default. This ensures that recipient hosts have a certificate issued for the correct host that has been signed by a trusted Certificate Authority (CA). 

Admins will still have the ability to customise their TLS security settings on newly created mail routes. For example, if mail is forwarded to third-party or on-premise mail servers using internal CA certificates, admins may need to disable CA certificate validation. Disabling CA certificate validation or even disabling TLS entirely is not recommended. Google encourages admins to test their SMTP TLS configuration in the Admin console in order to validate the TLS connection to external mail servers before disabling any recommended validations. See more details about how to test TLS connections in the Admin console.

In the past, Google has highlighted instances where Chrome would no longer trust root CA certificates used to intercept traffic on the public internet and where Chrome distrusts specific CAs. If these scenarios occur in the future, these certificates will also be distrusted by Gmail. When this happens, mail sent using routes that require TLS with CA-signed certificate enforcement may bounce if the CA is no longer trusted. Although the list of root certificates trusted by Gmail can be retrieved from the Google Trust Services repository, Google encourages admins to use the Test TLS Connections feature in the Admin console to confirm whether certificates have been distrusted.

Admins can now use the new Test TLS Connection feature to verify whether a mail route can successfully establish a TLS connection with full validation to any destination such as an on-premise mail server or a third-party mail relay before enforcing TLS for that destination.

TLS will be on by default for all new mail routes. Google recommends that admins review all of their existing routes and enable all recommended TLS security options for these routes as well. Admins who want to require a secure TLS connection for emails can now verify that the connection to the recipient’s mail server is valid simply by clicking on the “Test TLS Connection” button in the Admin console; they no longer need to wait for emails to bounce.

Learn more about requiring mail to be transmitted via a secure (TLS) connection and adding mail routes in the Help Center.
Learn more about requiring mail to be transmitted via a secure (TLS) connection and adding mail routes in the Help Center.