How safe are Facebook’s notification emails?


When Facebook sends out emails about notifications, such as a tagged photo or a friend request, they are usually encrypted using STARTTLS, an extension to plain-text communication protocols that upgrades the connection to an encrypted one. STARTTLS has been around for 15 years, but Facebook heard it wasn’t widely deployed. The company wanted to test its own email systems to see how many notification emails were encrypted with STARTTLS.

Facebook found that 76 percent of the unique MX hostnames that receive its notification emails (which can number in the billions per day) support STARTTLS, and that 58 percent of notification emails are successfully encrypted. Certificate validation passes for roughly half of the encrypted email; the other half is opportunistically encrypted. Facebook pointed out that 74 percent of hosts that support STARTTLS also provide Perfect Forward Secrecy.

Facebook’s Michael Adkins, a Mail Integrity Engineer, explained the methodology of this test:

Facebook sends several billion emails to several million domains every day. This is mostly comprised of notification emails about various activities on Facebook as well as account-related emails such as registration confirmations and password resets. We used a single day’s worth of our notification email logs from our production system for this report, since our goal here is to show a snapshot of current deployments rather than configuration changes over time. These logs contain the kind of data you would expect to find in any email server logs, such as the sender and recipient, where the email came from, and where we are sending it. For the purposes of this report we only concern ourselves with the STARTTLS results, the recipient’s domain, the MX hostname we connected to, and the receiving email server’s IP address.

Adkins also made his pitch for wider adoption of STARTTLS:

STARTTLS encryption is widely supported and has achieved critical mass despite some issues with certificate management. A system deploying STARTTLS support for the first time can expect more than half of its outbound email to be encrypted. Also, the majority of deployments provide Perfect Forward Secrecy. We see two high priority areas for improvement. First, we encourage the industry to work together to develop better tools for preventing mismatched certificates. Second, we encourage everyone to deploy support for opportunistic encryption via STARTTLS.
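The same kind of snapshot can be taken from any outbound mail server's delivery log. The following Python script is an added example, not Facebook's code: the record fields, hostnames and sample rows are constructed assumptions, and cipher names are assumed to be OpenSSL-style. It computes the per-host and per-message figures the report distinguishes.

```python
from collections import namedtuple

# Hypothetical record layout: one row per delivered notification email.
Delivery = namedtuple("Delivery", "mx_host starttls cert_valid cipher")

# Constructed sample data (not real log lines).
SAMPLE = [
    Delivery("mx1.example.net", True, True, "ECDHE-RSA-AES128-GCM-SHA256"),
    Delivery("mx1.example.net", True, True, "ECDHE-RSA-AES128-GCM-SHA256"),
    Delivery("mx2.example.org", True, False, "AES256-SHA"),  # cert mismatch, no PFS
    Delivery("mx3.example.com", False, False, None),         # STARTTLS not offered
    Delivery("mx4.example.edu", True, False, "DHE-RSA-AES256-SHA"),
    Delivery("mx3.example.com", False, False, None),
]

def has_pfs(cipher):
    """Ephemeral Diffie-Hellman key exchange (DHE/ECDHE) gives forward secrecy."""
    return cipher is not None and cipher.startswith(("ECDHE-", "DHE-"))

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def summarize(records):
    hosts = {}  # mx_host -> (supports_starttls, negotiated_pfs)
    encrypted = validated = 0
    for r in records:
        tls, pfs = hosts.get(r.mx_host, (False, False))
        hosts[r.mx_host] = (tls or r.starttls, pfs or has_pfs(r.cipher))
        if r.starttls:
            encrypted += 1
            validated += int(r.cert_valid)
    tls_hosts = [h for h, (tls, _) in hosts.items() if tls]
    pfs_hosts = [h for h in tls_hosts if hosts[h][1]]
    return {
        # Per-host metrics count each MX hostname once, however much mail it gets.
        "hosts_supporting_starttls_pct": pct(len(tls_hosts), len(hosts)),
        "starttls_hosts_with_pfs_pct": pct(len(pfs_hosts), len(tls_hosts)),
        # Per-message metrics are weighted by mail volume.
        "emails_encrypted_pct": pct(encrypted, len(records)),
        "encrypted_with_valid_cert_pct": pct(validated, encrypted),
        "encrypted_opportunistic_pct": pct(encrypted - validated, encrypted),
    }

if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(f"{name}: {value}")
```

The per-host and per-message numbers differ because a few high-volume receivers dominate the message count, which is why the report quotes both.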
