New ways to battle eavesdropping
By Desmond Liao

Unless you use end-to-end encryption such as PGP, the contents of your email message may be revealed to, or even silently modified by, sophisticated attackers with access to Internet backbone traffic. To prevent eavesdropping and modification, Internet engineers developed the Transport Layer Security (TLS) protocol, which email servers use to encrypt and protect email while it transits the Internet from server to server.

Edward Snowden’s revelations in 2013 about government snooping prompted large email providers such as Microsoft® Outlook.com and Yahoo! to implement TLS, so that servers sending email to them can encrypt messages during transmission. After a lengthy period of implementation and testing, about 67% of mail servers in a broad survey now support TLS.

To ensure the privacy of our customers’ email messages, MailChannels Cloud now automatically encrypts connections to receiving mail servers that support the TLS protocol. In combination with our existing client-side TLS support, this means that for recipient domains which support TLS encryption, customers can be 100% assured that their email traffic cannot be snooped while in transit.

What should I do?

MailChannels Cloud customers are automatically protected by our support of TLS and don’t need to take any steps to enable this feature. MailChannels Dedicated customers should talk to a support engineer about how to activate this new feature on their server.

The future is DANE

TLS is an effective encryption protocol when used correctly; however, it does have some weaknesses. A sufficiently advanced attacker who can intercept TCP streams between mail servers can remove the STARTTLS command from the SMTP stream and prevent the client from using TLS encryption with the server, even though the server supports TLS.

To prevent this type of attack, a new standard called SMTP security via opportunistic DANE TLS lets domain owners tell email senders that their mail server uses TLS, and optionally to reject connections where TLS is not advertised as it should be. DANE adoption has been slow because it requires domain owners to first implement Domain Name System Security Extensions (DNSSEC).
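The two paragraphs above describe the same decision from the sending server's point of view: with plain opportunistic TLS, a missing STARTTLS keyword in the EHLO response silently downgrades the session to cleartext; with DANE, a published TLSA record turns that same situation into a refusal, and the server's certificate must additionally match the record. The following Python example, added here and not part of the original post or of MailChannels' software, models that policy logic. The EHLO responses, the certificate bytes and the TLSA record are all constructed sample data; real DANE verification also needs DNSSEC-validated lookups and, for DANE-TA (usage 2) records, a walk of the certificate chain, which this toy leaves out and handles only DANE-EE (usage 3).

```python
import hashlib
from dataclasses import dataclass

# --- Constructed sample data (no real servers, certificates or DNS records) ---

# EHLO response from a receiving server that offers STARTTLS (RFC 3207).
EHLO_WITH_STARTTLS = [
    "250-mx.example.test Hello",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 ENHANCEDSTATUSCODES",
]

# The same response as seen by the client when an on-path attacker has
# removed the STARTTLS capability line; everything else looks normal.
EHLO_STRIPPED = [
    "250-mx.example.test Hello",
    "250-SIZE 52428800",
    "250 ENHANCEDSTATUSCODES",
]

# Stand-ins for the server certificate (DER) and its SubjectPublicKeyInfo.
CERT_DER = b"constructed-certificate-bytes"
SPKI_DER = b"constructed-spki-bytes"

# A constructed DANE-EE record in presentation form: usage 3, selector 1
# (SPKI), matching type 1 (SHA-256), computed over the sample SPKI above.
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()


def advertises_starttls(ehlo_lines):
    """Return True if any 250 line of the EHLO response carries the STARTTLS keyword."""
    for line in ehlo_lines:
        # Lines look like "250-KEYWORD args" or, for the last one, "250 KEYWORD args".
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 3 = DANE-EE is the only usage this toy verifies
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(presentation):
    """Parse 'usage selector matching_type hex-data' (RFC 6698 presentation format)."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_matches(record, cert_der, spki_der):
    """Check one TLSA record against the presented end-entity certificate."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected == record.data
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching_type == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False  # unknown matching type: unusable record, never a match


def decide(ehlo_lines, tlsa_records, cert_der=CERT_DER, spki_der=SPKI_DER):
    """Return 'tls', 'cleartext' or 'refuse' for an outbound SMTP session.

    No TLSA records: TLS is opportunistic, so a stripped STARTTLS falls back
    to cleartext (the weakness the post describes). With TLSA records: the
    sender refuses unless STARTTLS is offered and a DANE-EE record matches.
    """
    has_starttls = advertises_starttls(ehlo_lines)
    if not tlsa_records:
        return "tls" if has_starttls else "cleartext"
    if not has_starttls:
        return "refuse"
    for record in tlsa_records:
        if record.usage == 3 and tlsa_matches(record, cert_der, spki_der):
            return "tls"
    return "refuse"


if __name__ == "__main__":
    record = parse_tlsa(SAMPLE_TLSA)
    print("opportunistic, stripped:", decide(EHLO_STRIPPED, []))
    print("DANE, stripped:         ", decide(EHLO_STRIPPED, [record]))
    print("DANE, matching cert:    ", decide(EHLO_WITH_STARTTLS, [record]))
```

Running the script prints `cleartext`, `refuse` and `tls` for the three cases, which is the whole point of the post's last section: the stripped EHLO looks identical in both modes, and only the published TLSA record gives the sender grounds to refuse rather than downgrade.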