Facebook Encourages Email Hosts To Deploy STARTTLS Encryption


By David Cohen

In a study of one day's worth of its notification email logs, Facebook found that 76 percent of the unique MX host names receiving its email support the STARTTLS encryption standard, and that, as a result, 58 percent of the messages it sent were encrypted in transit.

Mail Integrity Engineer Michael Adkins offered more details in a note on Facebook’s Protect the Graph page:

Facebook sends several billion emails to several million domains every day. This is mostly comprised of notification emails about various activities on Facebook, as well as account-related emails such as registration confirmations and password resets. We used a single day’s worth of our notification email logs from our production system for this report, since our goal here is to show a snapshot of current deployments, rather than configuration changes over time. These logs contain the kind of data you would expect to find in any email server logs, such as the sender and recipient, where the email came from, and where we are sending it. For the purposes of this report, we only concern ourselves with the STARTTLS results, the recipient’s domain, the MX host name we connected to, and the receiving email server’s IP address.

A lot of sensitive data are sent over email, so we encrypt emails in transit via STARTTLS when available. STARTTLS has been around for 15 years, but we’d heard that it wasn’t widely deployed. To test that perception, we decided to see how many of the notification emails we send are successfully encrypted.

We found that 76 percent of unique MX host names that receive our emails support STARTTLS. As a result, 58 percent of notification emails are successfully encrypted. Additionally, certificate validation passes for about one-half of the encrypted email, and the other half is opportunistically encrypted. 74 percent of hosts that support STARTTLS also provide perfect forward secrecy.

STARTTLS encryption is widely supported and has achieved critical mass despite some issues with certificate management. A system deploying STARTTLS support for the first time can expect more than one-half of its outbound email to be encrypted. Also, the majority of deployments provide perfect forward secrecy. We see two high priority areas for improvement. First, we encourage the industry to work together to develop better tools for preventing mismatched certificates. Second, we encourage everyone to deploy support for opportunistic encryption via STARTTLS.
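As an added example (not Facebook's code and not part of Adkins's note), the Python below shows both halves of the measurement the note describes. probe_starttls() checks a single MX host live: it sends EHLO, looks for the STARTTLS extension in the reply, tries the TLS upgrade first with full certificate validation and, if that fails, again opportunistically accepting any certificate, and records the negotiated cipher so forward secrecy can be judged from its key exchange. parse_log() and summarize() then compute the four quoted figures (host-level STARTTLS support, message-level encryption, validated versus opportunistic share, PFS among STARTTLS hosts) over log records. The log format, host names, addresses and numbers are constructed for illustration and are not Facebook's data; the live probe needs network access and is not exercised by the sample.

```python
"""STARTTLS deployment measurement in the spirit of the Facebook study.
Added example, not Facebook's code: probe_starttls() checks one MX host live
(network required); parse_log()/summarize() compute the four quoted figures
over a constructed, whitespace-separated log format."""
import smtplib
import ssl
from collections import defaultdict
from typing import Optional


def is_pfs(cipher: Optional[str]) -> bool:
    """Ephemeral key exchange? TLS 1.3 suites (TLS_...) always are; for TLS <= 1.2
    the OpenSSL name leads with ECDHE-/DHE-/EDH-. 'AES256-SHA' is RSA key transport."""
    if not cipher:
        return False
    if cipher.startswith("TLS_"):
        return True
    return cipher.split("-")[0] in ("ECDHE", "DHE", "EDH")


def _smtp_tls_session(host: str, ctx: ssl.SSLContext, timeout: float):
    """EHLO, then STARTTLS under ctx. Returns (advertised, negotiated cipher name)."""
    smtp = smtplib.SMTP(host, 25, timeout=timeout)  # host doubles as the SNI / hostname-check name
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):           # server did not advertise STARTTLS
            return False, None
        smtp.starttls(context=ctx)                  # STARTTLS, expect 220, then TLS handshake
        return True, smtp.sock.cipher()[0]          # e.g. 'ECDHE-RSA-AES128-GCM-SHA256'
    finally:
        smtp.close()  # plain close: a QUIT after a failed handshake only confuses the server


def probe_starttls(host: str, timeout: float = 10.0) -> dict:
    """Classify one MX host: no STARTTLS, validated TLS, or opportunistic TLS only."""
    strict = ssl.create_default_context()           # verifies chain and host name
    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE               # opportunistic: any certificate will do
    result = {"host": host, "starttls": False, "validated": False, "cipher": None}
    try:
        advertised, cipher = _smtp_tls_session(host, strict, timeout)
        result.update(starttls=advertised, validated=advertised, cipher=cipher)
    except ssl.SSLError:                            # mismatched, expired or self-signed cert
        advertised, cipher = _smtp_tls_session(host, loose, timeout)
        result.update(starttls=advertised, cipher=cipher)
    result["pfs"] = is_pfs(result["cipher"])
    return result


# Constructed sample log (not real data), one delivery per line:
# recipient_domain  mx_host  server_ip  tls|none  ok|mismatch|-  cipher|-
SAMPLE_LOG = """\
example.com  mx1.example.com   192.0.2.10  tls   ok        ECDHE-RSA-AES128-GCM-SHA256
example.com  mx1.example.com   192.0.2.10  tls   ok        ECDHE-RSA-AES128-GCM-SHA256
example.net  mail.example.net  192.0.2.20  tls   mismatch  AES256-SHA
example.net  mail.example.net  192.0.2.20  tls   mismatch  AES256-SHA
example.net  mail.example.net  192.0.2.20  tls   mismatch  AES256-SHA
example.org  mx.example.org    192.0.2.30  none  -         -
example.org  mx.example.org    192.0.2.30  none  -         -
example.org  mx.example.org    192.0.2.30  none  -         -
example.org  mx.example.org    192.0.2.30  none  -         -
example.edu  smtp.example.edu  192.0.2.40  tls   ok        DHE-RSA-AES256-SHA
"""


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        domain, mx, ip, tls, cert, cipher = line.split()
        records.append({"domain": domain, "mx": mx, "ip": ip,
                        "encrypted": tls == "tls", "validated": cert == "ok",
                        "cipher": None if cipher == "-" else cipher})
    return records


def summarize(records: list) -> dict:
    """The study's four figures; host-level and message-level rates differ by volume."""
    pct = lambda a, b: round(100.0 * a / b, 1) if b else 0.0
    per_host = defaultdict(list)
    for r in records:
        per_host[r["mx"]].append(r)
    tls_hosts = {h for h, rs in per_host.items() if any(r["encrypted"] for r in rs)}
    # A host "provides PFS" when every TLS session with it used ephemeral key exchange.
    pfs_hosts = {h for h in tls_hosts
                 if all(is_pfs(r["cipher"]) for r in per_host[h] if r["encrypted"])}
    encrypted = [r for r in records if r["encrypted"]]
    validated = [r for r in encrypted if r["validated"]]
    return {
        "hosts_total": len(per_host), "hosts_starttls": len(tls_hosts),
        "hosts_starttls_pct": pct(len(tls_hosts), len(per_host)),
        "messages_total": len(records), "messages_encrypted": len(encrypted),
        "messages_encrypted_pct": pct(len(encrypted), len(records)),
        "encrypted_validated": len(validated), "encrypted_validated_pct": pct(len(validated), len(encrypted)),
        "starttls_hosts_pfs": len(pfs_hosts), "starttls_hosts_pfs_pct": pct(len(pfs_hosts), len(tls_hosts)),
    }
```

On the constructed sample, summarize(parse_log(SAMPLE_LOG)) reports 3 of 4 hosts (75 percent) supporting STARTTLS but only 6 of 10 messages (60 percent) encrypted, because the one host without STARTTLS receives the most mail; this is the same host-versus-message gap as the note's 76 and 58 percent. Half of the encrypted messages went to a host whose certificate validated, and 2 of the 3 STARTTLS hosts negotiated an ephemeral key exchange. The probe's fall-back from the strict to the loose context is the mechanics behind "opportunistic encryption": a sending MTA that insisted on a valid certificate would have to drop to cleartext on a mismatch, so it accepts any certificate rather than none, which is why the note treats certificate management as the open problem.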
