What is encryption in transit (TLS) and at rest?

Email security requires protection both while data moves and while it's stored. These are complementary but distinct protections.

Encryption in transit (TLS):

Protects data as it travels between servers

SMTP over TLS encrypts the connection between MTAs

Prevents interception of email content during delivery

Certificates verify server identity

Most email now uses TLS; major providers require or strongly prefer it

Check via the Received headers: "with ESMTPS" indicates TLS was used for that hop, whereas "with ESMTP" indicates a plaintext session
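As an added example (not part of the original page), the script below walks the Received headers of a constructed sample message and reports, hop by hop, whether the receiving server recorded a TLS-protected session ("with ESMTPS") or a plaintext one ("with ESMTP"). The hostnames, addresses and IDs in the sample are made up; each Received line is written by the server that accepted that hop, so only the hop into your own server is one you can verify yourself.

```python
"""Report per-hop SMTP transport security from Received: headers.
"with ESMTPS" (RFC 3848) means the receiving server negotiated TLS.
Added example; the sample message below is constructed, not real."""
import email
import re

# Constructed sample: last hop used TLS (ESMTPS), earlier hop did not (ESMTP).
RAW_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby inbound.example.org with ESMTPS id abc123
\t(version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 1 Jan 2024 10:00:00 +0000
Received: from relay.example.com (relay.example.com [198.51.100.5])
\tby mx1.example.net with ESMTP id def456;
\tMon, 1 Jan 2024 09:59:58 +0000
From: sender@example.com
To: recipient@example.org
Subject: constructed test message

body
"""

# The "with <protocol>" clause; the S suffix marks a TLS session, A marks auth.
WITH_RE = re.compile(r"\bwith\s+([A-Z0-9]+)", re.IGNORECASE)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}


def tls_hops(raw: str) -> list:
    """One dict per Received: header, topmost (most recent hop) first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = WITH_RE.search(flat)
        proto = m.group(1).upper() if m else None
        hops.append({"header": flat, "protocol": proto,
                     "tls": proto in TLS_PROTOCOLS})
    return hops


def all_hops_encrypted(raw: str) -> bool:
    """True only if every recorded hop reports a TLS-protected session."""
    return all(h["tls"] for h in tls_hops(raw))


if __name__ == "__main__":
    for hop in tls_hops(RAW_MESSAGE):
        print("TLS" if hop["tls"] else "PLAINTEXT", "-", hop["protocol"])
    print("all hops encrypted:", all_hops_encrypted(RAW_MESSAGE))
```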

Encryption at rest:

Protects stored data (databases, logs, backups)

Encrypts data on disk using keys

Protects against physical theft or unauthorized access to storage

Standard practice for ESPs handling customer data

May be required for compliance (GDPR, HIPAA, PCI)

What this means for senders:

Your subscriber data should be encrypted while stored at your ESP

Messages should use TLS during transmission

Look for ESPs that document their encryption practices

Note: TLS protects the channel, not the message itself. End-to-end encryption (S/MIME, PGP) encrypts the message content, but these aren't practical for marketing email.

Transit encryption is the armored truck; at-rest encryption is the vault. Both protect the cargo at different points.