
What’s the difference between opportunistic and enforced TLS?

Opportunistic TLS and enforced TLS are two different approaches to securing email in transit between mail servers.

Opportunistic TLS (the default for most email):

Server attempts TLS encryption when connecting to another server

If the receiving server supports TLS, the connection is encrypted

If TLS fails or isn't supported, delivery falls back to an unencrypted (plaintext) connection

Maximizes deliverability; accepts the security tradeoff that some mail is sent in the clear

Configuration: smtp_tls_security_level = may (Postfix)

Enforced TLS:

Requires TLS for the connection

If TLS isn't available or fails, delivery fails

Guarantees encryption but may prevent legitimate delivery

Used for specific high-security routes

Configuration: smtp_tls_security_level = encrypt (Postfix)

When to use which:

Opportunistic: general email delivery. Most servers support TLS now, so most mail is encrypted, but delivery to the minority that don't support it isn't blocked.

Enforced: when you absolutely require encryption and would rather fail than send unencrypted. Typical cases are specific partner connections, regulated communications, or internal routes.

Email between major providers (Gmail, Microsoft, Yahoo) uses TLS. The challenge is smaller servers that may not support it. Opportunistic TLS handles this gracefully.
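The practical caveat of opportunistic TLS is that the fallback to plaintext is not an error, so it only shows up in the mail log. The following is an added example (not code from the original page or from Postfix) that audits constructed Postfix smtp client log lines, as written with smtp_tls_loglevel = 1, and classifies each delivery as encrypted, plaintext fallback (the "may" case), or refused because TLS was required but not offered (the "encrypt" case). The log lines, hostnames and addresses are constructed samples; the correlation of TLS lines to deliveries by process id is a heuristic, noted in the code.

```python
import re

# Postfix smtp client log lines this audit needs (smtp_tls_loglevel = 1 format).
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"to (?P<host>\S+?)\[(?P<ip>[^\]]+)\]:\d+: (?P<proto>TLSv[\d.]+)"
)
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<queue>\w+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]:\d+, .*status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

def audit_tls(log_lines):
    """Return (queue id, recipient, relay host, verdict) for every delivery attempt.

    Heuristic: the smtp process (pid) logs the TLS line for a connection before it
    delivers over it, so a delivery whose relay host matches that pid's most recent
    TLS line went out encrypted; a delivery with no matching TLS line did not.
    """
    last_tls = {}  # pid -> (relay host, trust level, protocol)
    results = []
    for line in log_lines:
        m = TLS_RE.search(line)
        if m:
            last_tls[m["pid"]] = (m["host"], m["trust"], m["proto"])
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        tls = last_tls.get(m["pid"])
        if m["status"] != "sent" and "TLS is required" in m["reason"]:
            verdict = "tls_required_failed"  # enforced TLS refused plaintext fallback
        elif tls and tls[0] == m["host"]:
            verdict = "tls"
        else:
            verdict = "plaintext"  # opportunistic fallback: this is what to review
        results.append((m["queue"], m["rcpt"], m["host"], verdict))
    return results

# Constructed sample log: one encrypted delivery, one plaintext fallback, one
# enforced-TLS route that deferred because the peer did not offer STARTTLS.
SAMPLE_LOG = [
    "Jan 10 12:00:01 mail postfix/smtp[2101]: Untrusted TLS connection established to mx.example.net[203.0.113.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)",
    "Jan 10 12:00:02 mail postfix/smtp[2101]: 4A1B2C3D4E: to=<bob@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.2, delays=0.1/0.01/0.8/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Jan 10 12:00:05 mail postfix/smtp[2102]: 5B2C3D4E5F: to=<carol@legacy.example>, relay=mail.legacy.example[192.0.2.10]:25, delay=0.9, delays=0.1/0.01/0.5/0.3, dsn=2.0.0, status=sent (250 OK queued)",
    "Jan 10 12:00:09 mail postfix/smtp[2103]: 6C3D4E5F60: to=<dan@partner.example>, relay=mx.partner.example[198.51.100.7]:25, delay=0.4, delays=0.1/0.01/0.3/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx.partner.example[198.51.100.7])",
]

if __name__ == "__main__":
    for queue, rcpt, host, verdict in audit_tls(SAMPLE_LOG):
        print(f"{queue} {rcpt} via {host}: {verdict}")
```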