Skip to content

Enforced TLS connections

You can force specific external domains to use Transport Layer Security (TLS) connections for email.


This option is only available with an Email Advanced license.

To manage domain names with TLS connections, go to Global Settings > Enforced TLS Connections.

You can:

  • Add domain names (wildcards are supported).
  • Search the list of domains that already have TLS connection enforced.
  • Change the settings for a domain.
  • Delete domain names from the list.

If you have issues with TLS connections, check that TLS is enabled, with the correct version and correct ciphers. See Adding a new domain name. If you still have problems, contact Sophos Email Support.

For help with email encryption see Email Encryption.

Adding a new domain name

When you add a new domain name to the list, servers connect to and from that domain with TLS. The email gateway connects with servers using TLS 1.2 or later, and with ciphers consistent with our email encryption product. The connection is valid if a STARTTLS ping returns successfully.


Make sure TLS 1.2 is enabled on your email gateway before enforcing it on any domains. Otherwise the connection with Sophos breaks and you cannot send or receive email. The ciphers required are 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'.

TLS failures

If Sophos Email can't make a TLS connection, email isn't sent. Email is queued for redelivery for 7 days. After this it is deleted.

Logging of TLS connection errors

Each time Sophos Email can't send email due to TLS failures it makes an entry in the history log.

After the final failure, an entry saying that the email was deleted because of TLS policy is added to the log. The entries have this format: "Processing: Check TLS".

Sophos TLS certificate details

These are the details of the certificate we use with TLS connections.

Parameter Value
Common Name *
SANs DNS:*, DNS:*,
Location C=GB, ST=Oxfordshire, L=Abingdon,
Serial Number 42:05:5f:21:c1:9b:e9:f0:e8:8a:bb:0c
Signature Algorithm sha256WithRSAEncryption
Issuer C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018