What is the difference between ESMTPS and ESMTPSA in email headers?

Summary

ESMTPS and ESMTPSA are not SMTP extensions in their own right; they are the transmission-type tokens that a receiving mail server writes in the "with" clause of the Received: header it adds to a message (registered by RFC 3848, alongside ESMTPA and plain ESMTP). ESMTPS indicates that the ESMTP session on that hop was upgraded to Transport Layer Security (TLS) with STARTTLS, so the transfer between those two servers was encrypted. ESMTPSA signifies that both TLS and SMTP Authentication (AUTH) were used, i.e. the client also presented credentials to that server. Authentication generally implies a higher level of trust, because someone had to authenticate to the server that wrote the header; the caveat is that a Received: line is only as reliable as the server that wrote it, and any line added before the message reached your own servers can be forged. TLS here is hop-by-hop: it protects one session against eavesdropping, not the message end to end, and it does not by itself prove who the sending server is. STARTTLS (RFC 3207) is the mechanism used between mail servers, where a plain text connection is upgraded to TLS; the older SMTPS on port 465 was long described as deprecated, though RFC 8314 now recommends implicit TLS on port 465 for message submission by clients. RFCs and other documentation outline the implementation of these security measures and the role of authentication in verifying users. In practice, internal handoffs (a mail client submitting to its server, or an organization's own servers relaying to each other) usually show ESMTPSA, while delivery from a sending MTA to the receiving MX relies on ESMTPS.

Key findings

  • ESMTPS vs ESMTPSA: both are "with" tokens in a Received: header (RFC 3848); ESMTPS means the hop used TLS via STARTTLS, ESMTPSA means it used TLS and SMTP AUTH.
  • Authentication Adds Trust: ESMTPSA is considered more trustworthy because the client presented credentials to that server, assuming the server that wrote the header is itself honest.
  • STARTTLS is Widely Used: STARTTLS is the standard way to secure server-to-server SMTP; for client submission, RFC 8314 now recommends implicit TLS on port 465, so "SMTPS is deprecated" no longer holds for that case.
  • ESMTP Framework: ESMTP (RFC 5321) provides the extension mechanism through which STARTTLS and AUTH are advertised in the EHLO reply and negotiated.
  • Internal Handoffs: Internal mail system handoffs and client submission typically show ESMTPSA; delivery from an MTA to the receiving MX shows ESMTPS.

Key considerations

  • Implement TLS: Always use TLS to protect SMTP sessions in transit; SSL 3.0 and TLS 1.0/1.1 are obsolete and should be disabled.
  • Use STARTTLS: Prefer STARTTLS on ports 25 and 587, and offer implicit TLS on port 465 for client submission as RFC 8314 recommends.
  • Enforce Authentication: Require SMTP AUTH on submission ports, and do not advertise or accept AUTH PLAIN or LOGIN until TLS is active, so credentials never cross the wire in clear.
  • Support STARTTLS: Mail servers should support and announce STARTTLS for opportunistic encryption upgrades.
  • Different Security Levels: Recognize that different security levels may be appropriate for internal versus external communication, and that a Received: line is only as reliable as the server that wrote it.
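
As an added example (not code from the original page or from any of the sources it quotes), the following Python script reads the Received: headers of a message, classifies each hop by the RFC 3848 "with" token the receiving server wrote, and marks which hops were written by servers you control. The message, hostnames, IDs and the ".example.net" trust suffix are constructed for the example. The classifier also handles the LMTP and UTF8SMTP token families, which the page does not discuss but which follow the same S (STARTTLS) / A (AUTH) suffix rule.

```python
import re
from email import message_from_string

# RFC 3848 registers ESMTP, ESMTPA, ESMTPS and ESMTPSA; the LMTP and UTF8SMTP
# (RFC 6531) families follow the same rule: trailing S = STARTTLS, A = AUTH.
_TOKEN_RE = re.compile(r"^(UTF8)?(E?SMTP|LMTP)(S?)(A?)$")
_CLAUSE_RE = re.compile(r"\b(from|by|with|id|for)\s+(\S+)", re.IGNORECASE)


def strip_comments(text: str) -> str:
    """Drop (possibly nested) parenthesised comments so that words inside them,
    e.g. '(Exim 4.96)' or '(envelope-from <x>)', are never read as clauses."""
    out, depth = [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def classify_token(token: str) -> dict:
    """Decode a 'with' token into protocol family plus TLS/AUTH flags.
    Unregistered tokens (e.g. Exchange's 'Microsoft SMTP Server') stay undecided."""
    m = _TOKEN_RE.match(token.upper())
    if not m:
        return {"protocol": token, "tls": None, "auth": None}
    utf8, base, s, a = m.groups()
    return {"protocol": (utf8 or "") + base, "tls": bool(s), "auth": bool(a)}


def parse_received(value: str) -> dict:
    """Unfold one Received: value and pull out its from/by/with/id clauses."""
    clean = " ".join(strip_comments(value).split())
    clauses = {k.lower(): v.rstrip(";") for k, v in _CLAUSE_RE.findall(clean)}
    hop = {key: clauses.get(key) for key in ("from", "by", "with", "id")}
    hop.update(classify_token(hop["with"] or ""))
    return hop


def audit_path(raw_message: str, trusted_by_suffixes: tuple) -> list:
    """Walk Received: headers top-down (newest hop first). A hop is trusted only
    while it and every hop above it were written by one of our own servers: a
    sending MTA can prepend any Received: lines it likes, so once a 'by' host is
    outside our domain nothing below it can be believed, however secure it looks."""
    msg = message_from_string(raw_message)
    hops, trusted = [], True
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if trusted and not (hop["by"] or "").lower().endswith(trusted_by_suffixes):
            trusted = False
        hop["trusted"] = trusted
        hops.append(hop)
    return hops


# Constructed sample, not a real message: a laptop submits to its provider over
# STARTTLS + AUTH (esmtpsa), the provider relays to our MX over STARTTLS (ESMTPS),
# and the sender also prepended a forged line claiming an authenticated hop
# through one of "our" hosts.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTPS id 4XyZ1
\t(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Mon, 1 Jan 2024 10:00:02 +0000
Received: from [10.0.0.5] (helo=laptop)
\tby mail.example.org with esmtpsa (Exim 4.96)
\t(envelope-from <alice@example.org>) id 1rABCD-000123-Ef; Mon, 1 Jan 2024 10:00:01 +0000
Received: from evil.invalid by trusted.example.net with ESMTPSA id forged;
\tMon, 1 Jan 2024 09:00:00 +0000
From: alice@example.org
To: bob@example.net
Subject: test

hello
"""

if __name__ == "__main__":
    for hop in audit_path(SAMPLE, (".example.net",)):
        print(f"{'trusted' if hop['trusted'] else 'UNTRUSTED':9} "
              f"{hop['from']} -> {hop['by']} with {hop['with']} "
              f"tls={hop['tls']} auth={hop['auth']}")
```

Read the output top-down: the first line was written by the server that delivered to you and is reliable; the second (ESMTPSA) was written by the sender's provider and is only as good as your trust in that provider; the third claims an authenticated hop through a host in your own domain but sits below an external hop, so it was supplied by the sender and proves nothing.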

What email marketers say
8 marketer opinions

ESMTPS and ESMTPSA are the values a receiving server records in the "with" clause of its Received: header to say how a hop was transmitted. ESMTPS signifies that the ESMTP session on that hop was upgraded to Transport Layer Security (TLS) with STARTTLS. ESMTPSA, in addition to TLS, indicates that the client also authenticated with SMTP AUTH, implying a more trustworthy hop because someone had to present credentials to that server. The marketers quoted below describe SMTPS (SMTP over implicit TLS on port 465) as an older, deprecated method and STARTTLS as the preferred one; that view predates RFC 8314, which recommends implicit TLS on port 465 for message submission, while STARTTLS remains the mechanism between mail servers. Encrypting the session with TLS protects message content on that hop from eavesdropping, and requiring authentication ensures that only authorized users can send mail through the server.

Key opinions

  • ESMTPS vs ESMTPSA: ESMTPS records that TLS was used on the hop, while ESMTPSA records both TLS and SMTP AUTH.
  • Trust Level: ESMTPSA is generally considered more trustworthy because of the added authentication step, provided the server that wrote the header is itself trusted.
  • SMTPS Deprecation: The quoted sources call SMTPS (implicit TLS on port 465) deprecated in favour of STARTTLS; RFC 8314 has since reversed that for client submission.
  • STARTTLS Functionality: STARTTLS enables a plain text connection to be upgraded to a TLS-encrypted one after the EHLO exchange.
  • Authentication Benefit: Authentication restricts mail submission to users who hold valid credentials.

Key considerations

  • Security Importance: TLS encryption and SMTP authentication are both needed: TLS protects message content in transit on each hop, and authentication prevents unauthorized use of the server.
  • Protocol Choice: Use STARTTLS for server-to-server traffic; for client submission, implicit TLS on port 465 is now recommended alongside STARTTLS on port 587.
  • Trust Implications: Recognize that ESMTPSA offers a higher level of trust due to the authentication step, but only in headers written by servers you trust.
  • Deprecation Impact: Unencrypted SMTP and obsolete SSL/TLS versions should be avoided; treat any hop logged as plain ESMTP (no S) as having crossed the network in clear.

Marketer view

Email marketer from MXToolbox explains that STARTTLS enables encryption for SMTP sessions. The protocol is initiated in plaintext, then upgraded to a secure, encrypted connection. It explains that STARTTLS is preferred over legacy SSL/TLS connections.

October 2024 - MXToolbox
Marketer view

Marketer from Email Geeks explains that in theory, ESMTPSA is more trusted because someone had to authenticate to the MTA to pass the message in, assuming the MTA isn't lying.

December 2023 - Email Geeks
Marketer view

Email marketer from Reddit explains that securing SMTP involves using TLS/SSL encryption. While they don't explicitly mention ESMTPS/ESMTPSA, their advice highlights the importance of secure email protocols, providing valuable context.

June 2022 - Reddit
Marketer view

Email marketer from Stack Overflow explains that SMTPS (SMTP Secure) was a deprecated method of securing SMTP connections directly over SSL on port 465. STARTTLS is the current preferred method, operating on port 587 with the STARTTLS command upgrading the connection to TLS. It indirectly refers to what makes ESMTPS secure.

November 2022 - Stack Overflow
Marketer view

Marketer from Email Geeks explains that ESMTPS means TLS was used and ESMTPSA means TLS and AUTH were used.

September 2021 - Email Geeks
Marketer view

Email marketer from AuthSMTP explains that protocols like SMTPS (Secure SMTP) enhance the security of email transmission by encrypting the content of emails to protect sensitive information from unauthorized access. It provides context to the security aspect relevant to ESMTPS and ESMTPSA.

December 2024 - AuthSMTP
Marketer view

Email marketer from StackExchange explains that the advantage of authentication is that only authenticated users can use the server to send emails.

April 2024 - StackExchange
Marketer view

Email marketer from MailEnable Forum explains that the STARTTLS command is used after the initial SMTP greeting, upgrading an insecure connection to a secure one using TLS. This contributes to understanding how ESMTPS secures connections.

March 2022 - MailEnable Forum

What the experts say
2 expert opinions

In email communication, internal handoffs within a mail system (a mail client submitting to its server, or one of an organization's own servers relaying to another) often use ESMTPSA, indicating both TLS encryption and authentication. The transfer from the sending Mail Transfer Agent (MTA) to the receiving Mail Exchanger (MX) typically uses ESMTPS, employing TLS encryption alone, because unrelated servers hold no credentials for each other. Modern server-to-server email security relies on opportunistic TLS via STARTTLS, where the receiving server announces STARTTLS in its EHLO response and the sender upgrades the session; opportunistic means that if STARTTLS is not offered or the upgrade fails, the sender falls back to plain text and the hop is recorded as plain ESMTP.

Key opinions

  • Internal vs. External Handoff: Internal mail system handoffs use ESMTPSA (TLS + Authentication), while MTA to MX handoffs use ESMTPS (TLS only).
  • Modern TLS Implementation: STARTTLS is the current server-to-server standard, enabling opportunistic TLS encryption; being opportunistic, it defeats passive eavesdropping but not an active attacker who strips the STARTTLS offer and forces a plain text session.

Key considerations

  • Security Levels: Different levels of security (authentication vs. no authentication) are used at different stages of email delivery.
  • STARTTLS Adoption: Ensure mail servers support and announce STARTTLS for secure email communication.
Expert view

Expert from Word to the Wise explains TLS (Transport Layer Security): the modern standard is opportunistic TLS using STARTTLS, where the mail server announces that it supports TLS encryption.

April 2022 - Word to the Wise
Expert view

Expert from Email Geeks confirms that internal handoff is ESMTPSA and the one from the MTA to the MX is ESMTPS.

July 2023 - Email Geeks

What the documentation says
6 technical articles

The RFC documentation outlines that Extended SMTP (ESMTP, defined in RFC 5321 and originally in RFC 1869) provides the framework for extensions such as STARTTLS (RFC 3207) and AUTH (RFC 4954). RFC 3207 explains how a client upgrades an SMTP session to TLS, and RFC 4954 adds the authentication mechanisms through which clients log in to mail servers. The transmission-type tokens themselves (ESMTPA, ESMTPS, ESMTPSA) are registered by RFC 3848 for use in the "with" clause of Received: headers. STARTTLS, described in Microsoft documentation, allows upgrading plain text SMTP connections to encrypted ones. These documents collectively provide the underlying specifications for achieving secure email transport and authentication relevant to understanding ESMTPS and ESMTPSA.

Key findings

  • ESMTP Framework: ESMTP provides the framework for extending SMTP with features like STARTTLS and AUTH, which the server advertises in its reply to EHLO.
  • TLS Implementation: RFC 3207 specifies how STARTTLS upgrades an SMTP session to TLS.
  • Authentication Mechanisms: RFC 4954 defines the AUTH extension and the SASL mechanisms used for client authentication.
  • STARTTLS Upgrade: STARTTLS enables upgrading a plain text connection to an encrypted one, after which the client must send EHLO again and the server discards any state from the cleartext phase.
  • Authentication Requirement: SMTP Authentication requires clients to prove their identity before the server accepts mail from them for relay.

Key considerations

  • Secure Transmissions: Ensure SMTP connections are secured using TLS as outlined in RFC 3207, and do not advertise AUTH PLAIN or LOGIN until TLS is active.
  • Authentication Compliance: Implement SMTP Authentication to verify users before allowing them to send mail through the server.
  • STARTTLS Support: Support STARTTLS to allow opportunistic encryption upgrades from plain text connections.
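
As an added example serving both the expert section (internal handoff ESMTPSA versus MTA-to-MX ESMTPS) and the documentation section above (the STARTTLS upgrade and the AUTH extension), the following Python model of a receiving ESMTP server walks through the exchange: EHLO, STARTTLS, a second EHLO, optional AUTH PLAIN, then MAIL FROM, and shows how the "with" token the server would write into its Received: line follows from which of those steps succeeded. This is not code from the page, from Microsoft, or from any RFC; no TLS handshake is performed (accepting STARTTLS simply flips a flag), the hostnames and credentials are constructed, and the reply texts follow RFC 3207 and RFC 4954 but the enhanced status codes attached to them are the model's own choice.

```python
import base64

# Constructed credentials for the model; nothing here is a real account.
USERS = {"alice@example.org": "correct horse battery staple"}


class EsmtpServerModel:
    """Records whether STARTTLS (RFC 3207) and AUTH (RFC 4954) succeeded on a
    session and derives the RFC 3848 'with' token from that state."""

    def __init__(self, hostname, offer_starttls=True, users=None):
        self.hostname, self.offer_starttls = hostname, offer_starttls
        self.users = users or {}     # AUTH is offered only if we hold credentials
        self.tls, self.user, self.greeted = False, None, False

    def ehlo(self, arg):
        lines = [f"250-{self.hostname} Hello {arg}"]
        if self.offer_starttls and not self.tls:
            lines.append("250-STARTTLS")          # advertised only on the cleartext channel
        if self.users and self.tls:
            lines.append("250-AUTH PLAIN LOGIN")  # cleartext-password mechanisms only over TLS
        lines.append("250 8BITMIME")
        self.greeted = True
        return lines

    def auth_plain(self, initial_response):
        if not self.tls:
            return ["538 5.7.11 Encryption required for requested authentication mechanism"]
        if not self.users or self.user:
            return ["503 5.5.1 Bad sequence of commands"]
        try:  # PLAIN initial response: base64(authzid NUL authcid NUL password)
            _authz, authc, passwd = base64.b64decode(initial_response).decode().split("\0")
        except ValueError:
            return ["501 5.5.2 Cannot decode response"]
        if self.users.get(authc) != passwd:
            return ["535 5.7.8 Authentication credentials invalid"]
        self.user = authc
        return ["235 2.7.0 Authentication successful"]

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return self.ehlo(arg)
        if verb == "STARTTLS":
            if self.tls:
                return ["503 5.5.1 Bad sequence of commands"]
            if not self.offer_starttls:
                return ["454 4.7.0 TLS not available due to temporary reason"]
            self.tls, self.greeted = True, False  # RFC 3207: forget EHLO state; client must EHLO again
            return ["220 2.0.0 Ready to start TLS"]
        if verb == "AUTH" and arg.upper().startswith("PLAIN "):
            return self.auth_plain(arg.split(" ", 1)[1])
        if verb == "MAIL":
            return ["250 2.1.0 Ok"] if self.greeted else ["503 5.5.1 Send EHLO first"]
        return ["502 5.5.2 Command not implemented"]

    def received_with(self):
        """The token this server would write after 'with' in its Received: header."""
        return "ESMTP" + ("S" if self.tls else "") + ("A" if self.user else "")


def plain_response(user, password):
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def run(server, commands):
    """Feed client commands to the model; return the transcript and the final token."""
    transcript = [(cmd, server.handle(cmd)) for cmd in commands]
    return transcript, server.received_with()


def relay_hop():
    """MTA -> MX: opportunistic STARTTLS, no credentials, so the hop logs as ESMTPS."""
    return run(EsmtpServerModel("mx.example.net"),
               ["EHLO mail.example.org", "STARTTLS", "EHLO mail.example.org",
                "MAIL FROM:<alice@example.org>"])


def submission_hop():
    """Client -> submission server: STARTTLS, then AUTH PLAIN, so the hop logs as ESMTPSA."""
    return run(EsmtpServerModel("smtp.example.org", users=USERS),
               ["EHLO laptop", "STARTTLS", "EHLO laptop",
                "AUTH PLAIN " + plain_response("alice@example.org", USERS["alice@example.org"]),
                "MAIL FROM:<alice@example.org>"])


def auth_without_tls():
    """Client tries AUTH on the cleartext channel: refused, token stays plain ESMTP."""
    return run(EsmtpServerModel("smtp.example.org", users=USERS),
               ["EHLO laptop", "AUTH PLAIN " + plain_response("alice@example.org", "guess")])


if __name__ == "__main__":
    for scenario in (relay_hop, submission_hop, auth_without_tls):
        transcript, token = scenario()
        print(f"== {scenario.__name__}: Received: ... with {token}")
        for cmd, replies in transcript:
            print("C:", cmd)
            for reply in replies:
                print("S:", reply)
```

Two details in the transcript carry the security point: the server lists STARTTLS only in the first EHLO reply and AUTH only in the second, so a client that never upgrades never sees an AUTH offer, and an AUTH attempt on the cleartext channel is refused outright rather than leaking the password and then failing.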
Technical article

Documentation from Microsoft explains that STARTTLS (opportunistic TLS) allows an SMTP client and server to upgrade a plain text connection to an encrypted (TLS or SSL) connection. This relates to the TLS component within ESMTPS.

January 2024 - Microsoft Docs
Technical article

Documentation from IETF explains various RFCs regarding email transport security, which directly relates to the use of TLS with SMTP for secure communication.

September 2024 - IETF
Technical article

Documentation from RFC Editor explains that Extended SMTP (ESMTP) extends the Simple Mail Transfer Protocol (SMTP) by defining a framework in which new extensions to the protocol can be easily defined. It does not define ESMTPS or ESMTPSA directly but lays the groundwork for understanding the extensions to SMTP that make TLS and AUTH possible.

May 2023 - RFC Editor
Technical article

Documentation from RFC Editor defines an extension to the SMTP service whereby a client may authenticate itself to the server, relating to the 'A' in ESMTPSA. It doesn't directly define the term ESMTPSA.

November 2024 - RFC Editor
Technical article

Documentation from RFC Editor explains the use of Transport Layer Security (TLS) with SMTP. This document doesn't explicitly use the term ESMTPS but defines how a secure SMTP connection is established. This relates to ESMTPS as it is the TLS part.

November 2023 - RFC Editor
Technical article

Documentation from cPanel explains that SMTP Authentication requires users to log in to the mail server to send email, which is relevant to understanding ESMTPSA and the AUTH component.

January 2023 - cPanel Documentation