TLS Encryption for Email Sends in SFMC

Transport Layer Security (TLS) is a crucial aspect of email security, ensuring that your communications are encrypted and secure during transmission. In Salesforce Marketing Cloud (SFMC), TLS is enabled for all outbound emails by default. Here’s a comprehensive look at how TLS works in SFMC and what you need to know to manage it effectively.

Default TLS Settings

By default, SFMC uses an opportunistic TLS setting for all outbound emails. This means that SFMC will attempt to establish a TLS connection when sending emails. If a TLS connection cannot be established, the email will be sent in plain text. This default setting ensures that emails are encrypted whenever possible without disrupting the delivery process.

For more detailed information, you can refer to the official Salesforce article here: https://help.salesforce.com/s/articleView?id=000387912&type=1

Reviewing Email Headers for TLS Information

To verify if an email was sent using TLS, you can review the email headers. Look for lines in the header that begin with version=TLS1_2 or version=TLSv1.2. These lines indicate that the email was transmitted using TLS encryption. For guidance on how to find and interpret email headers, check out this Salesforce article: https://help.salesforce.com/s/articleView?id=000385337&type=1

Enforcing TLS 

If you require all emails to be sent with enforced TLS, you will need to contact Salesforce Support. They will create an internal ticket with the engineering team to enable this setting. Typically, these requests take about 3 to 7 working days to complete, but this timeframe can vary depending on the volume of requests.

Common Questions 

1. Can we enforce TLS for specific emails only? 

No, the TLS setting is configured at the account level and cannot be specified for individual emails. Once enforced, all emails sent from that business unit will follow the enforced TLS setting. 

2. Can we revert back to opportunistic TLS if we face deliverability issues? 

Yes, it is possible to revert back to the opportunistic TLS setting. The process to revert typically takes the same amount of time as enforcing TLS, around 3 to 7 working days, but this is not a guaranteed timeframe

Conclusion 

Implementing TLS encryption in SFMC is a straightforward process that significantly enhances the security of your email communications. Whether you stick with the default opportunistic setting or choose to enforce TLS, understanding how to manage these settings and review email headers for encryption information is essential for maintaining secure email practices. 

For any further assistance or to make changes to your TLS settings, don’t hesitate to reach out to Salesforce Support.