Loading

TLS Security for Salesforce Emails: Inbound, Outbound, and Email-to-Case Configuration

Udgivelsesdato: Jun 28, 2026
Beskrivelse

Salesforce supports Transport Layer Security (TLS) on its email servers for both inbound and outbound email communications. TLS is a cryptographic protocol that encrypts the network session during email transfer, ensuring data integrity and security.
Use this article if you need to:

  • Understand how Salesforce handles TLS for different email flow types (outbound, inbound, or relayed emails)
  • Configure TLS settings for emails sent from Salesforce
  • Troubleshoot email delivery issues related to TLS or encryption
  • Understand TLS behavior for Salesforce features such as Email-to-Case, Email-to-Salesforce, and Email Relaying

Note: TLS encrypts the network session only. It does not encrypt the content of the email body or any file attachments.

Løsning

The following sections explain how Salesforce handles TLS for each email flow type. All SMTP connections between mail servers start in plain text. Either the sending server or the receiving server can request the connection to be upgraded to TLS.

Outbound Emails from Salesforce

Outbound emails are emails sent from Salesforce to an external email address — for example, a notification sent to user@acme.com, user@gmail.com, or user@bigcompany.com.
For outbound emails, Salesforce requests TLS from the receiving mail server. Whether the connection is upgraded to TLS depends on whether the receiving server supports and accepts the request. Salesforce administrators can configure TLS settings for outbound emails through Setup | Deliverability.
For more information, see Guidelines for Configuring Deliverability Settings for Emails Sent from Salesforce.
Salesforce features that send outbound emails include (this is a representative sample):

  • Email Relaying
  • Workflow notifications
  • Event invitations
  • Emails to contacts
  • Task notifications
  • Scheduled dashboards and reports

Inbound Emails to Salesforce

Inbound emails are emails sent to Salesforce from an external source — for example, messages sent to an Email-to-Case address such as emailtosalesforce@6e567ph4mmtx3o7ji1sztcw.in.salesforce.com.
For inbound email connections, the sending mail server must request the connection to be upgraded to TLS before Salesforce will switch to TLS. If the sending server does not request TLS, the connection remains in plain text.
You can review your mail server configuration settings with your IT team to determine whether rejecting plain-text emails before forwarding them to Salesforce is viable for your environment.
Salesforce features that receive inbound emails include:

  • Email-to-Salesforce
  • Email-to-Apex
  • On-Demand Email-to-Case
  • Email Workflow Approvals

Email Relaying

Email Relaying allows you to control how Salesforce manages TLS for outbound emails routed through your own mail server. Email Relaying can be configured to force all connections to use TLS, or to drop the connection entirely if TLS is not available.

Important: What TLS Does Not Encrypt

TLS encrypts the network session during the email transfer process only. TLS does not encrypt the content of the email body or any file attachments appended to the message. If end-to-end message encryption is required, additional email security tools outside of Salesforce are needed.
For additional reference, see Microsoft's White Paper: Domain Security in Exchange 2007.

Yderligere ressourcer

Set Up TLS

Vidensartikelnummer

000384815

 
Indlæser
Salesforce Help | Article