Outbound policy enforced tls mail flow – Google Message Security for Google Apps Administration Guide User Manual

Transport Layer Security

309

This diagram shows the flow of TLS messages between servers:

•

Stage 1: The sending server sends a message via TLS to the email protection
service, which will only accept TLS messages if the sending domain is listed
in Policy Enforced TLS.

Without Policy Enforced TLS, you can set the email protection service to defer
all messages if TLS is not possible, or to deliver them.

With Policy Enforced TLS, you can name specific sender domains which must
be encrypted. If a message from one of these domains cannot be encrypted
with TLS, it will always be deferred.

The deferral message for inbound messages is:

451 STARTTLS is required for this sender - psmtp

The deferral is handled by the sending server. Most sending servers will
continue to attempt to send the message for up to five days.

•

Stage 2: The message security service connects to Google Apps Mail by TLS.

As noted above, messages are decrypted in memory for virus and junk mail
processing, then encrypted again when sent to you. In some instances, mail
delivered via TLS is stored unencrypted. Quarantined messages are stored
unencrypted in our secure network, and then delivered encrypted to Google Apps
Mail when delivered from the Message Center. Both the quarantine summary
message links and the Message Center allow users to display the messages in a
browser via HTTP (not secure).

Outbound Policy Enforced TLS Mail Flow

If you have Policy Enforced TLS enabled for outbound mail, you can specify a list
of sending domains. Mail to these domains will always be encrypted. For
outbound mail traffic, the email protection service acts as a proxy between the
Google Apps Mail and the receiving server.