Enforced TLS needs to be set up on the server that establishes the connection with the recipient server. That is why, if Policy-Based Encryption is enabled on the account, Enforced TLS should be enabled from the Encrypted Mail Gateway (EMG) console.

EMG treats enforced TLS as an alternative to the Message Pickup Center encryption and delivery method. A message sent via the enforced TLS method is delivered directly to the recipient's mailbox. When TLS is blocked or not available on the recipient side, the next enabled delivery method is used.

To set up Enforced TLS via EMG:

  1. Log in to HostPilot® Control Panel and navigate to Services > Compliance > Email Encryption > click Encrypted mail gateway.
  2. Go to Profile Settings > Update profile.
  3. On the TLS Encryption tab:
    1. Check the Enable TLS Encryption box.
    2. Choose the Enable for listed domains ONLY option.
    3. Add the recipient domains that require enforced TLS and click Add.
      Here you have two additional options:
      • Disable encrypt notifications for TLS messages
        This disables the notification the sender receives about the result of the TLS encryption.
      • Disable Certification Validation
        This option allows TLS connections to an SMTP server whose certificate is expired, self-signed, or issued for a different domain.
        Important: this option lowers the security provided by TLS encryption and should only be used as a temporary workaround while the receiving domain resolves its certificate issue.
    4. Click Save Settings.

  4. Go to Policies > Recipient & Sender Groups and click Add an email list.

  5. Enter the list name and description, then add the domains you specified in step 3 to the Email List field or load the list from your machine. Click Save.

  6. Go to Policies > Email Policies and click Add policy.

  7. Create and save the policy with the following settings:
    1. Status: Enabled
    2. Match Conditions: Any
    3. Conditions: Enable > If: Recipients > Contains: Any > From: Recipient & Sender Groups > List: the list you created in step 5 > More than: 0 Times
    4. Mail action: Encrypt

The Message Report shows the DELIVER_TRUSTED_TLS_DIRECT_DOMAIN action for a message sent via enforced TLS.

Important: a successful enforced TLS connection can only be established if the recipient domain (target server) supports TLS and has a valid (not self-signed) certificate installed.
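A pre-check you can run against a recipient domain's mail server before adding the domain to the enforced TLS list, written for this article as an added example (it is not Intermedia's or EMG's code). It assumes you have already resolved the recipient domain's MX host, opens a plain SMTP session, issues STARTTLS with full chain, expiry and hostname validation (what EMG does when Disable Certification Validation is off), and sorts any validation failure into the three certificate problems that option would otherwise mask.

```python
import smtplib
import ssl


def classify_verify_message(message: str) -> str:
    """Map the OpenSSL verification text that Python exposes in
    ssl.SSLCertVerificationError.verify_message onto the three certificate
    problems named in the article: expired, self-signed, different domain."""
    m = message.lower()
    if "expired" in m:
        return "expired"
    if "self signed" in m or "self-signed" in m:
        return "self-signed"
    if "hostname mismatch" in m or "doesn't match" in m:
        return "different domain"
    return "untrusted: " + message


def probe_enforced_tls(mx_host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to mx_host, upgrade with STARTTLS under full validation and
    report whether the server meets the enforced TLS prerequisite.
    Needs network access; mx_host is the recipient domain's MX record target."""
    result = {"host": mx_host, "starttls": False, "validated": False, "problem": None}
    context = ssl.create_default_context()  # verifies chain, expiry and hostname
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["problem"] = "server does not advertise STARTTLS"
                return result
            result["starttls"] = True
            smtp.starttls(context=context)  # raises if the certificate fails validation
            result["validated"] = True
            result["not_after"] = smtp.sock.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        result["problem"] = classify_verify_message(exc.verify_message or str(exc))
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["problem"] = f"connection failed: {exc}"
    return result


def ready_for_enforced_tls(result: dict) -> bool:
    """True only when STARTTLS is offered and the certificate validated,
    i.e. the domain satisfies the prerequisite stated above."""
    return bool(result["starttls"] and result["validated"])


if __name__ == "__main__":
    # "mx.example.invalid" is a constructed placeholder; substitute the real MX host.
    print(probe_enforced_tls("mx.example.invalid"))
```

A domain whose probe reports "expired", "self-signed" or "different domain" will fall through to the next enabled delivery method unless certificate validation is disabled, so the result tells you what the receiving side needs to fix.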

Note: Intermedia supports enforced TLS for inbound delivery; however, Intermedia cannot control how recipients reply to messages sent via enforced TLS on EMG. That depends on whether the recipients have policies in place on their side that route their outbound email through enforced TLS.