Salesforce supports Transport Layer Security (TLS) on its email servers for both inbound and outbound email communications. TLS is a cryptographic protocol that encrypts the network session during email transfer, ensuring data integrity and security.
Use this article if you need to:
Note: TLS encrypts the network session only. It does not encrypt the content of the email body or any file attachments.
The following sections explain how Salesforce handles TLS for each email flow type. All SMTP connections between mail servers start in plain text. Either the sending server or the receiving server can request the connection to be upgraded to TLS.
Outbound emails are emails sent from Salesforce to an external email address — for example, a notification sent to user@acme.com, user@gmail.com, or user@bigcompany.com.
For outbound emails, Salesforce requests TLS from the receiving mail server. Whether the connection is upgraded to TLS depends on whether the receiving server supports and accepts the request. Salesforce administrators can configure TLS settings for outbound emails through Setup | Deliverability.
For more information, see Guidelines for Configuring Deliverability Settings for Emails Sent from Salesforce.
Salesforce features that send outbound emails include (this is a representative sample):
Inbound emails are emails sent to Salesforce from an external source — for example, messages sent to an Email-to-Case address such as emailtosalesforce@6e567ph4mmtx3o7ji1sztcw.in.salesforce.com.
For inbound email connections, the sending mail server must request the connection to be upgraded to TLS before Salesforce will switch to TLS. If the sending server does not request TLS, the connection remains in plain text.
You can review your mail server configuration settings with your IT team to determine whether rejecting plain-text emails before forwarding them to Salesforce is viable for your environment.
Salesforce features that receive inbound emails include:
Email Relaying allows you to control how Salesforce manages TLS for outbound emails routed through your own mail server. Email Relaying can be configured to force all connections to use TLS, or to drop the connection entirely if TLS is not available.
TLS encrypts the network session during the email transfer process only. TLS does not encrypt the content of the email body or any file attachments appended to the message. If end-to-end message encryption is required, additional email security tools outside of Salesforce are needed.
For additional reference, see Microsoft's White Paper: Domain Security in Exchange 2007.
000384815

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.