Enable Opportunistic TLS for Email Server Encryption
Ensure email servers use encryption to protect emails sent over public networks.
Plain language
This control is all about making sure your emails are encrypted when they travel over the internet. By enabling a feature called Opportunistic TLS on your email servers, you're ensuring that emails aren't easily intercepted or read by others. If this isn't set up, confidential information in emails could be exposed to hackers, leading to data breaches and loss of trust.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for email
Section
Email gateways and servers
Official control statement
Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing email connections over public network infrastructure.
Why it matters
Without opportunistic TLS, emails could be intercepted over public networks, exposing sensitive data and undermining organisational trust.
Operational notes
Ensure opportunistic TLS is enabled for both inbound and outbound SMTP, use strong TLS settings and valid certificates, and monitor logs for failed TLS handshakes or downgrade attempts.
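As an added example (not part of the ISM control text or any vendor's tooling), the following Python script applies the monitoring advice above to a constructed extract of Postfix-style SMTP logs: it counts sessions that negotiated TLS versus those that delivered mail in cleartext, flags failed handshakes, and flags sessions that negotiated a protocol version below a strong-TLS floor. The Postfix 3.x log layout, the peer names and the set of protocols treated as weak are assumptions.

```python
"""Added example: triage an SMTP server log for TLS coverage and handshake failures."""
import re

# Constructed sample extract in Postfix-style syslog format (assumption: Postfix 3.x,
# whose 'disconnect' summary records whether STARTTLS was accepted). Not real traffic.
SAMPLE_LOG = """\
Mar 19 10:00:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail.partner.example[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 19 10:00:02 mx postfix/smtpd[2101]: disconnect from mail.partner.example[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 19 10:00:05 mx postfix/smtpd[2102]: SSL_accept error from unknown[198.51.100.7]: -1
Mar 19 10:00:05 mx postfix/smtpd[2102]: disconnect from unknown[198.51.100.7] ehlo=1 starttls=0/1 commands=1/2
Mar 19 10:00:10 mx postfix/smtpd[2103]: disconnect from legacy.example.org[203.0.113.4] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar 19 10:00:12 mx postfix/smtpd[2104]: Anonymous TLS connection established from mail.partner.example[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
Mar 19 10:00:13 mx postfix/smtpd[2104]: disconnect from mail.partner.example[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

TLS_RE = re.compile(r"TLS connection established from (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
FAIL_RE = re.compile(r"SSL_accept error from (?P<peer>\S+)")
DISC_RE = re.compile(r"disconnect from (?P<peer>\S+) (?P<summary>.*)")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # assumed floor for a strong TLS policy

def command_counts(summary):
    """Parse 'ehlo=1 starttls=0/1 commands=1/2' into {command: accepted_count}."""
    return {cmd: int(n.split("/")[0])
            for cmd, n in re.findall(r"(\w+)=(\d+(?:/\d+)?)", summary)}

def triage(log_text):
    """Summarise inbound sessions: TLS vs cleartext deliveries, failed handshakes, weak protocols."""
    stats = {"sessions": 0, "tls": 0, "cleartext": 0, "handshake_failures": 0,
             "weak_protocol": [], "cleartext_peers": []}
    for line in log_text.splitlines():
        if m := TLS_RE.search(line):
            if m["proto"] in WEAK_PROTOCOLS:
                stats["weak_protocol"].append((m["peer"], m["proto"], m["cipher"]))
        elif m := FAIL_RE.search(line):
            stats["handshake_failures"] += 1
        elif m := DISC_RE.search(line):
            counts = command_counts(m["summary"])
            stats["sessions"] += 1
            if counts.get("starttls", 0) > 0:
                stats["tls"] += 1
            elif counts.get("mail", 0) > 0:
                # Opportunistic TLS permits this fallback; it is a follow-up item, not a control failure.
                stats["cleartext"] += 1
                stats["cleartext_peers"].append(m["peer"])
    return stats

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['tls']}/{r['sessions']} sessions used TLS, {r['handshake_failures']} failed handshake(s)")
    print("weak:", r["weak_protocol"], "cleartext:", r["cleartext_peers"])
```

A session that failed its handshake and delivered nothing is counted as a failure, not as a cleartext delivery, so the two lists point at different follow-ups: cleartext peers need a conversation about STARTTLS support, handshake failures need certificate and cipher checks.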
Implementation tips
- Look at instructions specific to your email server software and follow those step-by-step guides.
- Email administrators need to regularly update the email server software. Ensure automatic updates are turned on, so security patches are applied as soon as they are available. This helps prevent vulnerabilities that could be exploited to bypass email encryption.
- Managers should train staff on the importance of TLS encryption. They can organise a short briefing session to explain how email encryption protects company data and encourage reporting of any issues with email delivery or security.
- Business owners should engage with a cybersecurity consultant to review their email encryption settings. Schedule an annual review where the consultant checks the configurations and recommends improvements based on the latest security trends and threats.
- Procurement teams should ensure that any new email server solutions are compliant with Australian Cyber Security Centre (ACSC) guidelines. They need to verify that vendors provide support for Opportunistic TLS and will assist with setup and configuration.
Audit / evidence tips
- Ask: the email server configuration file. Request a copy of the server settings showing TLS is enabled.
  Good: will display settings indicating TLS is applied for both incoming and outgoing emails.
- Good: includes a policy that mandates encryption for all email communications over public networks.
- Ask: recent server update logs. Request the log or record showing the email server's software was recently updated.
  Good: highlights consistent updates, focusing on TLS aspects.
- Ask: documentation on staff training sessions regarding email encryption.
  Good: shows regular sessions were held and employees are aware of email security practices.
- Ask: consultant reports. Request the most recent consultancy review report regarding email server settings. Check the recommendations and evidence of TLS configuration reviews.
  Good: indicates professional evaluations that reaffirm the use of TLS.
Cross-framework mappings
How ISM-0572 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001 (Partially meets, 2 controls)
| Control | Notes |
|---|---|
| Annex A 8.20 | ISM-0572 requires opportunistic TLS to be enabled on email servers for inbound and outbound connections over public network infrastructur... |
| Annex A 8.24 | ISM-0572 requires the use of TLS for SMTP connections to provide encryption for email traffic traversing public networks |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.