I've noticed something I find interesting and want to share. https://internet.nl is a website that scans for DNS, web, and email security. On the email side, it has a scan for "TLS Version." Every single email service I've scanned for has out-of-date TLS. It says that the sending and receiving servers have to have matching TLS versions for encryption to work. That makes sense. What I don't understand is why no mail servers have TLS 1.2 enabled. Here are a bunch of examples:

Mail server (MX) | Affected TLS versions | Status |
---|---|---|
gmail-smtp-in.l.google.com. | TLS 1.1 | phase out |
... | TLS 1.0 | phase out |
alt4.gmail-smtp-in.l.google.com. | TLS 1.1 | phase out |
... | TLS 1.0 | phase out |
alt3.gmail-smtp-in.l.google.com. | TLS 1.1 | phase out |
... | TLS 1.0 | phase out |
alt2.gmail-smtp-in.l.google.com. | TLS 1.1 | phase out |
... | TLS 1.0 | phase out |
alt1.gmail-smtp-in.l.google.com. | TLS 1.1 | phase out |
... | TLS 1.0 | phase out |

Mail server (MX) | Affected TLS versions | Status |
---|---|---|
outlook-com.olc.protection.outlook.com. | TLS 1.1 | phase out |
... | TLS 1.0 | phase out |

Even the services that are better about email security come up like this:

Mail server (MX) | Affected TLS versions | Status |
---|---|---|
mx2.paypalcorp.com. | TLS 1.1 | phase out |
... | TLS 1.0 | phase out |
mx1.paypalcorp.com. | TLS 1.1 | phase out |
... | TLS 1.0 | phase out |

Mail server (MX) | Affected TLS versions | Status |
---|---|---|
mailsec.protonmail.ch. | TLS 1.1 | phase out |
... | TLS 1.0 | phase out |
mail.protonmail.ch. | TLS 1.1 | phase out |
... | TLS 1.0 | phase out |

Mail server (MX) | Affected TLS versions | Status |
---|---|---|
mail.tutanota.de. | TLS 1.1 | phase out |
... | TLS 1.0 | phase out |

In fact, I haven't found a single domain that says it supports TLS 1.2 or TLS 1.3. Does anyone know why mail servers are limited to outdated TLS? I can understand if they keep old versions for compatibility reasons. I don't understand why they don't support new versions. Also, does anyone know of a domain supporting TLS 1.2 or higher?