
What is encryption in transit (TLS) and at rest?

Email security requires protection both while data moves and while it's stored. These are complementary but distinct protections.

  • Encryption in transit (TLS):
      • Protects data as it travels between servers
      • SMTP over TLS encrypts the connection between MTAs
      • Prevents interception of email content during delivery
      • Certificates verify server identity
      • Most email now uses TLS; major providers require or strongly prefer it
      • Check via headers: "with ESMTPS" indicates TLS was used
  • Encryption at rest:
      • Protects stored data (databases, logs, backups)
      • Encrypts data on disk using keys
      • Protects against physical theft or unauthorized access to storage
      • Standard practice for ESPs handling customer data
      • May be required for compliance (GDPR, HIPAA, PCI)
  • What this means for senders:
      • Your subscriber data should be encrypted while stored at your ESP
      • Messages should use TLS during transmission
      • Look for ESPs that document their encryption practices
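
The header check mentioned above, as an added example that is not part of the original page: it reads every Received header of a message and reports, hop by hop, whether the "with" keyword records TLS. The sample message, hostnames, IDs and function names are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords that record TLS on a hop (RFC 3848 transmission types).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample; hostnames and addresses are reserved example values.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby inbound.example.org with ESMTPS id 4ABC123;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from app.example.net (app.example.net [192.0.2.20])
\tby mx.example.net with ESMTP id 4DEF456;
\tMon, 01 Jan 2024 10:00:01 +0000
From: sender@example.net
To: rcpt@example.org
Subject: constructed test message

body
"""

WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

def strip_comments(text):
    """Remove (possibly nested) parenthesised comments, e.g. the
    'with cipher ...' note, which would otherwise match WITH_RE."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text

def hop_report(raw_message):
    """One dict per Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        clauses = strip_comments(" ".join(value.split()))  # unfold, de-comment
        by, proto = BY_RE.search(clauses), WITH_RE.search(clauses)
        name = proto.group(1).upper() if proto else None
        hops.append({"by": by.group(1) if by else None,
                     "with": name, "tls": name in TLS_PROTOCOLS})
    return hops

def plaintext_hops(raw_message):
    """Receiving hosts whose Received header does not record TLS."""
    return [h["by"] for h in hop_report(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop)
```

Each Received header is written by the server that accepted the message, so only the headers added by servers you trust are reliable evidence; earlier ones can be forged by the sending side.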

Note: TLS protects the channel, not the message itself. End-to-end encryption (S/MIME, PGP) encrypts the message content, but these aren't practical for marketing email.

Transit encryption is the armored truck; at-rest encryption is the vault. Both protect the cargo at different points.
