The Current State of SMTP STARTTLS Deployment
Protect the Graph
A lot of sensitive data is sent over email, so we encrypt emails in transit via STARTTLS when available. STARTTLS has been around for 15 years, but we'd heard that it wasn't widely deployed. To test that perception, we decided to see how many of the notification emails we send are successfully encrypted.
We found that 76% of unique MX hostnames that receive our emails support STARTTLS. As a result, 58% of notification emails are successfully encrypted. Additionally, certificate validation passes for about half of the encrypted email, and the other half is opportunistically encrypted. 74% of hosts that support STARTTLS also provide Perfect Forward Secrecy.
It's clear to us that STARTTLS has achieved critical mass and there is immediate value in deploying it. We encourage anyone who has not already deployed STARTTLS to at least deploy it for opportunistic encryption. As more systems support email encryption, the value increases for everyone.
Methodology
Facebook sends several billion emails to several million domains every day. This is mostly comprised of notification emails about various activities on Facebook as well as account-related emails such as registration confirmations and password resets. We used a single day's worth of our notification email logs from our production system for this report, since our goal here is to show a snapshot of current deployments rather than configuration changes over time. These logs contain the kind of data you would expect to find in any email server logs, such as the sender and recipient, where the email came from, and where we are sending it. For the purposes of this report we only concern ourselves with the STARTTLS results, the recipient's domain, the MX hostname we connected to, and the receiving email server's IP address.
The majority of email addresses we send to are assumed to be for personal use. Given the large number of addresses and domains we send to, we feel that our data provides a good representative sample of personal and general purpose mailbox providers. Government and corporate email systems are likely underrepresented in this report.
Our system attempts to negotiate TLS encryption with every SMTP server it connects to which advertises the STARTTLS capability. If the negotiation is successful, we encrypt the email and send it on. If we can't successfully negotiate, then we send the email unencrypted. We log the results in either case, including the negotiated cipher suite and attributes of the certificate presented by the server when we are successful. We then load the logs into Hadoop for further analysis. It's also worth noting that the performance impact of enabling TLS for outbound connections was negligible.
Data and Observations
The following graphs show the log data aggregated in various ways. For graphs that show STARTTLS results, we show the relative percentages of 'Strict', 'Opportunistic', 'Failure', and 'None'. These categories are defined as follows:
Strict: A TLS cipher suite was successfully negotiated and the presented certificate passed strict validation. Strict validation means that the certificate was not expired, was signed by a trusted certificate authority, and matched the hostname we connected to. We allow wildcarded certificates.
Opportunistic: A TLS cipher suite was successfully negotiated but the presented certificate did not pass strict validation for one or more reasons.
Failure: The SMTP server advertised STARTTLS, but we could not successfully negotiate a cipher suite. This could be due to a lack of acceptable cipher suites or other configuration issues. As a result, the email was sent unencrypted.
None: The SMTP server did not advertise STARTTLS. The email was sent unencrypted.
Figure 1 - Overall STARTTLS Results
Figure 1 shows the overall results of STARTTLS behavior. From the 'All Email' bar on the left we can see that nearly 60% of all emails are sent via an encrypted connection, but only about 30% pass strict validation. 60% is an encouragingly high percentage, but this number is potentially skewed since the bulk of email volume is sent to a small number of large mailbox providers. We need to aggregate the data in a few different ways in order to compensate for this and get a clearer picture of STARTTLS behavior across all email systems. The other three bars in Figure 1 are based on unique counts of the following identifiers:
Domain: The domain portion of the recipient email address.
MX Hostname: The hostname returned by querying the MX record of the domain.
IP Address: The IP address of the receiving SMTP server.
The relationships between these three identifiers vary as inbound email infrastructure is deployed and configured as needed, and operators use different techniques to manage their infrastructure at different scales. For example, 25.76% of unique recipient address domains pass strict validation, while 7.97% of unique MX hostnames pass strict validation and only 6.63% of unique server IP addresses pass strict validation. This is because a single MX hostname can handle traffic for many domains and can have multiple unique IP addresses behind it, a single domain can have multiple MX hostnames, etc.
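To make the four categories and the per-identifier aggregation concrete, here is an added example (not code from the original post or from Facebook's production pipeline) that classifies a handful of constructed delivery records and tallies them per email, per unique domain, per unique MX hostname and per unique server IP. The log format, the sample records and the rule that the first record seen for an identifier decides its category are all assumptions made for the example; it also includes the forward-secrecy check used later for Figure 4, which simply keys on ephemeral (EC)DHE key exchange in the OpenSSL suite name.

```python
from collections import Counter

# Constructed sample of delivery-log records (a hypothetical, simplified format;
# not the production log schema the post describes). Fields, '|'-separated:
# recipient domain, MX hostname, server IP, STARTTLS advertised (yes/no),
# TLS handshake succeeded (yes/no), negotiated cipher suite ('' if none),
# comma-separated strict-validation errors ('' if the certificate validated).
SAMPLE_LOG = """\
example.com|mx1.example.com|192.0.2.10|yes|yes|ECDHE-RSA-AES128-GCM-SHA256|
example.com|mx1.example.com|192.0.2.10|yes|yes|ECDHE-RSA-AES128-GCM-SHA256|
example.com|mx1.example.com|192.0.2.11|yes|yes|ECDHE-RSA-AES128-GCM-SHA256|
example.net|mx.example.net|198.51.100.5|yes|yes|DHE-RSA-AES256-SHA|mismatched
example.org|mx.example.net|198.51.100.5|yes|yes|DHE-RSA-AES256-SHA|mismatched
example.edu|mail.example.edu|203.0.113.7|yes|no||
example.info|mail.example.info|203.0.113.9|no|no||
"""

CATEGORIES = ("Strict", "Opportunistic", "Failure", "None")
# Identifier name -> index of the field that identifies it (None = count every email).
IDENTIFIERS = {"All Email": None, "Domain": 0, "MX Hostname": 1, "IP Address": 2}


def parse_log(text):
    """Parse the sample format into a list of field tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        domain, mx, ip, advertised, handshake, cipher, errors = line.split("|")
        errs = tuple(e for e in errors.split(",") if e)
        records.append((domain, mx, ip, advertised == "yes", handshake == "yes", cipher, errs))
    return records


def classify(record):
    """Map one delivery record onto the post's four STARTTLS outcome categories."""
    _, _, _, advertised, handshake, _, errors = record
    if not advertised:
        return "None"            # server never offered STARTTLS; sent in the clear
    if not handshake:
        return "Failure"         # offered STARTTLS but no cipher suite agreed; sent in the clear
    if errors:
        return "Opportunistic"   # encrypted, but the certificate failed strict validation
    return "Strict"              # encrypted and the certificate validated


def provides_pfs(cipher_suite):
    """Ephemeral (EC)DHE key exchange is what gives a suite forward secrecy (OpenSSL naming)."""
    return cipher_suite.startswith(("ECDHE-", "DHE-"))


def aggregate(records, identifier):
    """Count categories per email (identifier 'All Email') or once per unique identifier value.

    Assumption (the post does not say how it resolved conflicts): when the same
    identifier value appears with different outcomes, the first record seen wins.
    """
    field = IDENTIFIERS[identifier]
    counts = Counter({c: 0 for c in CATEGORIES})
    seen = set()
    for rec in records:
        if field is not None:
            key = rec[field]
            if key in seen:
                continue
            seen.add(key)
        counts[classify(rec)] += 1
    return counts


def percentages(counts):
    """Turn a category Counter into the percentage split shown in the figures."""
    total = sum(counts.values())
    return {c: round(100.0 * counts[c] / total, 2) for c in CATEGORIES}


def pfs_share(records):
    """Percentage of encrypted deliveries whose negotiated suite provides forward secrecy."""
    encrypted = [r for r in records if classify(r) in ("Strict", "Opportunistic")]
    return round(100.0 * sum(provides_pfs(r[5]) for r in encrypted) / len(encrypted), 2)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name in IDENTIFIERS:
        print(f"{name:12s} {percentages(aggregate(recs, name))}")
    print("PFS among encrypted deliveries:", pfs_share(recs), "%")
```

Running it shows the effect the post describes: three of seven emails pass strict validation because one well-configured MX receives most of the volume, but that MX is only one of four unique hostnames, so the 'MX Hostname' bar gives it a quarter of the weight.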
The 'Domain', 'MX Hostname', and 'IP Address' bars show a higher percentage of encrypted traffic but a lower percentage of strict validations than the 'All Email' bar. These results show that STARTTLS support is widely deployed, but that there are also widespread issues with certificates. Also of note, in all cases the number of failures is very small.
Figure 2 - Overall reasons for strict validation failure
Figure 2 shows the top reasons why strict validation fails as a percentage of opportunistically encrypted traffic. Some reasons or combinations of reasons are not listed, such as 'Expired and Mismatched'. Those have been omitted because they account for less than 1% for each identifier. The failure reasons are as follows:
Self Signed: The presented certificate was signed by the domain itself instead of a certificate authority.
Untrusted CA: The presented certificate was signed by a certificate authority that we consider untrustworthy.
Mismatched: The presented certificate does not match the hostname exactly or via wildcard.
Expired: The presented certificate has passed its expiration date.
Mismatched certificates are the single largest reason why strict certificate validation fails across all identifiers. 99.35% of all opportunistically encrypted emails fail validation simply because the certificate does not match the hostname; the certificates are otherwise acceptable. The next three largest categories include mismatched certificates as part of the reason, but have additional issues.
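The failure taxonomy above is easy to get subtly wrong, in particular the wildcard rule and the fact that a self-signed certificate also fails the CA check. The following added example (not code from the original post or from Facebook) applies the four reasons to a few constructed certificates and produces a Figure 2 style tally of reason combinations. The certificate dictionaries, the trust store `TRUSTED_CAS`, the reference date `TODAY` and the observation list are all assumptions made for the example; real X.509 parsing and chain building are out of scope.

```python
from collections import Counter
from datetime import date

# Assumption: the sender's trust store, reduced to issuer names for this example.
TRUSTED_CAS = {"Example Root CA"}

# Fixed reference date so the expiry checks are reproducible.
TODAY = date(2024, 6, 1)

# Constructed observations (hypothetical): the MX hostname we connected to and a
# simplified certificate holding only the fields the four failure reasons need.
OBSERVATIONS = [
    ("mx1.example.com", {"subject": "mx1.example.com", "issuer": "Example Root CA",
                         "sans": ["mx1.example.com", "mx2.example.com"],
                         "not_after": date(2025, 1, 1)}),
    # wildcard certificate covering one label, as the post says it allows
    ("mx.example.net", {"subject": "*.example.net", "issuer": "Example Root CA",
                        "sans": [], "not_after": date(2025, 1, 1)}),
    # a distribution's default self-signed certificate left in place
    ("mail.example.org", {"subject": "localhost.localdomain", "issuer": "localhost.localdomain",
                          "sans": [], "not_after": date(2030, 1, 1)}),
    # issued by an internal CA we do not trust, and nobody renewed it
    ("mail.example.edu", {"subject": "mail.example.edu", "issuer": "Corp Internal CA",
                          "sans": [], "not_after": date(2023, 12, 31)}),
    # wildcard does not cover the apex name
    ("example.com", {"subject": "*.example.com", "issuer": "Example Root CA",
                     "sans": [], "not_after": date(2025, 1, 1)}),
]


def label_matches(pattern, hostname):
    """Exact match, or a single '*' standing for the entire leftmost label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    rest = pattern[2:]
    labels = hostname.split(".")
    # The wildcard replaces exactly one label, so the apex ('example.com') is
    # not covered by '*.example.com', and neither is 'a.b.example.com'.
    return len(labels) >= 3 and ".".join(labels[1:]) == rest and "*" not in rest


def validation_failures(cert, hostname, today=TODAY, trusted_cas=TRUSTED_CAS):
    """Return the set of strict-validation failure reasons; an empty set means 'Strict'."""
    reasons = set()
    if cert["issuer"] == cert["subject"]:
        reasons.add("Self Signed")      # reported instead of, not as well as, Untrusted CA
    elif cert["issuer"] not in trusted_cas:
        reasons.add("Untrusted CA")
    names = [cert["subject"]] + list(cert.get("sans", []))
    if not any(label_matches(n, hostname) for n in names):
        reasons.add("Mismatched")
    if today > cert["not_after"]:
        reasons.add("Expired")
    return reasons


def reason_label(reasons):
    """Stable label for a combination of reasons, e.g. 'Mismatched and Self Signed'."""
    return " and ".join(sorted(reasons))


def tally_failure_reasons(observations, today=TODAY):
    """Figure 2 style breakdown: count each reason combination among the hosts
    that were encrypted only opportunistically (at least one failure reason)."""
    counts = Counter()
    for hostname, cert in observations:
        reasons = validation_failures(cert, hostname, today)
        if reasons:
            counts[reason_label(reasons)] += 1
    return counts


if __name__ == "__main__":
    for hostname, cert in OBSERVATIONS:
        print(f"{hostname:18s} {reason_label(validation_failures(cert, hostname)) or 'Strict'}")
    print(tally_failure_reasons(OBSERVATIONS))
```

Two of the five constructed hosts are 'Strict' (the exact match and the single-label wildcard); the other three show the kinds of combinations Figure 2 plots, including the very common case of a host that is otherwise fine but serves a certificate whose names do not cover the MX hostname.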
Figure 3 - Successfully negotiated cipher suites
The strength of supported cipher suites is a common concern, as weak or vulnerable ciphers can be easily defeated. Figure 3 shows the successfully negotiated cipher suites broken down by identifier. The majority of encrypted email is sent with the ECDHE-RSA-RC4-SHA or DHE-RSA-AES256-SHA cipher suite. This is likely due to those being the preferred cipher suites of the major providers. DHE-RSA-AES128-SHA, however, is the preferred cipher suite for the largest percentage of deployments. AES128-SHA is the next most prevalent, which is concerning because it does not provide Perfect Forward Secrecy.
Figure 4 - Perfect Forward Secrecy support in negotiated cipher suites
Although the second most prevalent cipher suite does not provide Perfect Forward Secrecy, the majority of preferred cipher suites do—as shown in Figure 4.
Conclusion
STARTTLS encryption is widely supported and has achieved critical mass despite some issues with certificate management. A system deploying STARTTLS support for the first time can expect more than half of its outbound email to be encrypted. Also, the majority of deployments provide Perfect Forward Secrecy. We see two high priority areas for improvement. First, we encourage the industry to work together to develop better tools for preventing mismatched certificates. Second, we encourage everyone to deploy support for opportunistic encryption via STARTTLS.
Michael Adkins is a Mail Integrity Engineer at Facebook.
Appendix 1: Open Source MTAs
Figure 5 - STARTTLS results for open source MTAs
These results are for hosts that identify as either Sendmail, Postfix, Exim, or Qmail in their SMTP banner and are counts of unique MX hostnames. The majority support opportunistic TLS, but the number that pass strict certificate validation is very small.
Figure 6 - Strict validation failure reasons for open source MTAs
Again, mismatched certificates are the most common reason for strict validation failure, but Postfix and Qmail have larger percentages of hosts with multiple failure reasons.
Appendix 2: Major TLDs
Figure 7 - STARTTLS results by major TLD
TLD results are based on the domain portion of the recipient address and are counts of unique MX hostnames. The results are fairly consistent, with .edu representing a larger percentage of hosts that pass strict certificate validation but a lower overall percentage of hosts that successfully encrypt traffic.
Figure 8 - Strict validation failure reasons for major TLDs
Mismatched certificates are again the most common reason for strict validation failure.
Appendix 3: European Country Codes
Figure 9 - STARTTLS results for European country codes
European country code results are based on the domain portion of the recipient address and are counts of unique MX hostnames. Figure 9 displays the top 10 European country code TLDs by raw email volume in no particular order. Support for opportunistic encryption is fairly high across the region.
Figure 10 - Strict validation failure reasons for European country codes
Strict validation failure reasons are more varied. Mismatched certificates still figure prominently as a failure reason, but several countries have higher percentages of hosts with multiple issues.
Appendix 4: Asian and Pacific Country Codes
Figure 11 - STARTTLS results for Asian and Pacific country codes
Asian and Pacific country code results are based on the domain portion of the recipient address and are counts of unique MX hostnames. Figure 11 displays the top 10 Asian and Pacific country code TLDs by raw email volume in no particular order. Support for opportunistic encryption is lower across the region than in Europe.
Figure 12 - Strict validation failure reasons for Asian and Pacific country codes
Strict validation failure reasons are a little less varied than in Europe. Mismatched certificates are the most common failure reason in five of the countries, while the combination of mismatched and self signed certificates is the most common failure reason in the other five.