Configuring an enforced TLS connection from Mailprotector's outbound relay


This article will describe how to configure an enforced TLS connection to a specific domain or group of domains using Mailprotector's SafeSend service.

SafeSend enables you to enforce policies and compliance rules to outbound emails, protecting an organization from data leakage & reputation-damaging spam, viruses, and malware from within.

  • Enforce TLS encryption
  • Works on a single recipient address or an entire domain
  • Gives you peace of mind about the safety of your email data 

With the SafeSend service enabled (see info here), we can create Message Rules for outbound email.

Configuring message rules to enforce a TLS connection to a domain

Once you have the SafeSend product enabled, you will be able to create Message Rules to enforce TLS encryption. This is most commonly used with financial institutions to meet compliance standards.

To configure an enforced TLS connection, you will:

  1. Navigate to the Mailprotector console at
  2. Go to the domain you wish to create a TLS encrypted connection rule for
  3. Navigate to the "Filtering" tab for that domain
  4. Navigate to the "Message Rules" section under the "Filtering" tab                                mceclip0.png 

  5. Select the drop-down that says "incoming" and change it to "outgoing"mceclip2.png

  6. Input a name and click the "Create" button to begin making the rule
  7. Under the "Criteria" section, input the domain you wish to send to via TLS connection in the "To" field in the "Matches any of:" section. NOTE: You can just input the domain. You don't need to toggle the button on the right before typing under "Matches any of:"mceclip4.png

  8. At the top of the page select the "Actions" sectionmceclip6.png

  9. Under the Actions section, toggle on the option to "Relay with TLS Encryption"                   mceclip7.png

  10. Click the back arrow in the top left-hand corner to finish creating the rulemceclip8.png

  11. The rule will appear as disabled in the "Outgoing" section of the rules. You will need to toggle it on for it to be an active rule. Note: If it's already toggled on, you can just leave it on. This will be distinguished by the toggle button being green instead of grey.mceclip9.png

WARNING: If the recipient mail server doesn't support TLS encryption, the message will bounce. The users from the sending domain will receive a bounceback notifying them of the receiving server not being able to establish a TLS connection

Have more questions? Submit a request