Amazon Says SES Requires TLS 1.2, But Testing Shows It Often Doesn’t – Here’s What to Do
If you rely on Amazon Simple Email Service (SES) to send transactional or marketing emails, you may have assumed that TLS 1.2 encryption is now mandatory on every delivery. After all, Amazon officially announced that all SES connections must use TLS 1.2 or higher by June 2026. But recent testing by Paubox suggests that the policy is not being fully enforced in practice. Some emails are still transmitted with weaker encryption, or even without encryption at all.
That gap matters for anyone who needs to guarantee end-to-end encryption of their email content, especially when handling sensitive information. Here’s what the test found, why it’s a concern, and how you can take control of your SES encryption settings today.
What Happened: Paubox’s Test
Paubox, a company focused on encrypted email, ran a series of tests against Amazon SES after the TLS 1.2 deadline passed. They found that while many SES connections did use TLS 1.2 or 1.3, a meaningful number of test emails were delivered using TLS 1.0 or 1.1, and some were sent unencrypted over plain SMTP. In other words, Amazon is not uniformly enforcing its own published requirement at the time of writing.
The tests appear to have been conducted using a standard SES setup without additional configuration — meaning the default behavior still permits fallback to weaker protocols. This is not an immediate crisis for all users, but it does mean the “mandatory” label is misleading.
Why This Matters
Email encryption protects the contents of a message while it travels between mail servers. TLS 1.0 and 1.1 are considered obsolete and have known vulnerabilities. If a third party intercepts an email sent with one of these older protocols, they might be able to read or tamper with it.
For businesses handling personally identifiable information, health records, financial data, or confidential communications, relying solely on Amazon’s default settings creates unnecessary risk. Even if your own sending infrastructure is hardened, a gap at the SES relay layer weakens the chain.
It is also worth noting that some receiving mail servers may reject connections that do not use TLS 1.2 or higher. So inconsistent enforcement could lead to occasional delivery failures or degraded reputation scores.
What Readers Can Do
You don’t have to wait for Amazon to flip a switch. SES offers configuration options that let you enforce TLS 1.2 on your own. Here’s how to check your current posture and lock down encryption.
1. Verify which TLS version SES is using for your emails
The simplest way to check is to examine the SMTP logs or the headers of a message that was sent via SES and has arrived at the recipient. Look for a Received: header line (for example Received: from XXXX by amazon.com with ESMTPA) followed by a TLS version indicator such as TLSv1.2 or TLSv1.3. If you see TLSv1.0, or no TLS mention at all, your message may have been sent with weak encryption or none.
You can also use a tool like test-smtp-tls or a manual telnet connection to see what cipher suites SES offers when you connect.
2. Force TLS 1.2 in your SES configuration
To eliminate fallback, set DeliveryOptions.TlsPolicy to Require on the SES configuration set that your messages are sent with. This can be done via the AWS Management Console, the CLI, or the API.
- In the AWS SES Console, go to Email Sending → SMTP Settings → Edit. Under TLS Policy, select Require.
- If you are using the AWS CLI, set the delivery option on the configuration set (replace the placeholder with your own configuration set name):
aws sesv2 put-configuration-set-delivery-options --configuration-set-name <your-configuration-set> --tls-policy REQUIRE
When Require is enabled, SES will refuse to send an email if the receiving mail server does not support TLS 1.2 or higher. If the email fails, you’ll get a bounce or a delivery status notification indicating the reason.
3. Test regularly
After applying the policy, send a few test emails to different providers (Gmail, Outlook, a small business mail server) and inspect the TLS version in the headers. Repeat this check periodically — Amazon may change how it enforces the setting over time.
4. Monitor Amazon’s updates
The situation is fluid. Amazon might eventually enforce TLS 1.2 at the relay level regardless of user settings. Watch the SES release notes and official announcements. If they push a change, your manual Require setting should remain compatible, but it is worth confirming.
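The four steps above are one procedure: read the TLS version out of the Received headers of delivered mail, switch the configuration set to Require, and re-run the header check on a schedule. The script below is an added example, not code from Paubox, AWS or the Business Wire article. It parses the Received headers of a raw message, normalises the protocol spellings that common receiving MTAs write (Postfix-style "using TLSv1.2", Google-style "version=TLS1_2", a bare "TLSv1" meaning 1.0), and classifies the message as ok, weak or unencrypted. It also wraps the real boto3 sesv2 calls put_configuration_set_delivery_options and get_configuration_set so the stored TlsPolicy can be read back after enforcement. The sample messages, the host name smtp-out.example-ses.test standing in for the SES outbound host, and the configuration set name are all constructed for the example.

```python
"""Audit TLS versions in Received headers and enforce TlsPolicy=REQUIRE on an SES
configuration set. Added example; not AWS, Paubox or Business Wire code."""
import re
from email import message_from_string

# Protocol spellings written into Received headers by common receiving MTAs:
# Postfix/Exim "using TLSv1.2", Google "version=TLS1_2", bare "TLSv1" (= 1.0).
TLS_VERSION_RE = re.compile(r"\b(?:TLSv1(?:\.[0-3])?|TLS1(?:_[0-3])?|SSLv[23])\b", re.I)

# Ordering used to decide what counts as weak: anything below TLS1.2 is weak.
RANK = {"SSL2": 0, "SSL3": 1, "TLS1.0": 2, "TLS1.1": 3, "TLS1.2": 4, "TLS1.3": 5}

# Constructed stand-in for the SES outbound host name seen in the "from" clause.
SES_HOST = "example-ses.test"

# Constructed sample messages (RFC 5737 address space, .test domains).
SAMPLE_TLS12 = """\
Received: from mx.example.test (localhost [127.0.0.1])
    by mx.example.test with ESMTP id 1abc; Mon, 1 Jun 2026 10:00:00 +0000
Received: from smtp-out.example-ses.test (smtp-out.example-ses.test [192.0.2.10])
    by mx.example.test with ESMTPS id 1abc
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Mon, 1 Jun 2026 09:59:59 +0000
From: sender@example.test
To: recipient@example.test
Subject: TLS audit sample (strong)

body
"""

SAMPLE_TLS10 = """\
Received: from smtp-out.example-ses.test (smtp-out.example-ses.test [192.0.2.10])
    by mx.example.test (Postfix) with ESMTPS id 2def
    (using TLSv1 with cipher AES128-SHA (128/128 bits));
    Mon, 1 Jun 2026 09:59:59 +0000
From: sender@example.test
To: recipient@example.test
Subject: TLS audit sample (weak)

body
"""

SAMPLE_PLAIN = """\
Received: from smtp-out.example-ses.test (smtp-out.example-ses.test [192.0.2.10])
    by mx.example.test with ESMTP id 3ghi; Mon, 1 Jun 2026 09:59:59 +0000
From: sender@example.test
To: recipient@example.test
Subject: TLS audit sample (plaintext)

body
"""


def _normalize(token):
    """Map an MTA-specific spelling to one of the RANK keys."""
    t = token.upper().replace("_", ".").replace("TLSV", "TLS").replace("SSLV", "SSL")
    return "TLS1.0" if t == "TLS1" else t


def hop_tls_version(received_header):
    """Return the protocol named in one Received header, or None if it has no TLS clause."""
    m = TLS_VERSION_RE.search(received_header)
    return _normalize(m.group(0)) if m else None


def assess_message(raw_message, sender_substring=None):
    """Classify a raw RFC 5322 message as ok / weak / unencrypted / unknown.

    sender_substring limits the audit to hops whose "from" clause names the
    sending host (here the SES outbound host). Without it, internal relay hops
    that are legitimately plaintext (localhost to the same MTA) raise false alarms.
    """
    hops = message_from_string(raw_message).get_all("Received", [])
    if sender_substring:
        hops = [h for h in hops
                if sender_substring in re.split(r"\s+by\s+", h, maxsplit=1)[0]]
    versions = [hop_tls_version(h) for h in hops]
    if not hops:
        verdict = "unknown"
    elif None in versions:
        verdict = "unencrypted"
    elif min(RANK.get(v, 0) for v in versions) < RANK["TLS1.2"]:
        verdict = "weak"
    else:
        verdict = "ok"
    return {"verdict": verdict, "hop_versions": versions}


def enforce_require_tls(ses_client, configuration_set):
    """Set TlsPolicy=REQUIRE on a configuration set and read the stored value back.

    ses_client is a boto3 sesv2 client (boto3.client("sesv2")); the method and
    parameter names are the boto3 ones for the SES v2 API.
    """
    ses_client.put_configuration_set_delivery_options(
        ConfigurationSetName=configuration_set, TlsPolicy="REQUIRE"
    )
    resp = ses_client.get_configuration_set(ConfigurationSetName=configuration_set)
    return resp.get("DeliveryOptions", {}).get("TlsPolicy")


if __name__ == "__main__":
    # Step 1 / step 3: audit a batch of delivered messages (constructed samples here).
    for label, raw in (("tls12", SAMPLE_TLS12), ("tls10", SAMPLE_TLS10), ("plain", SAMPLE_PLAIN)):
        print(label, assess_message(raw, sender_substring=SES_HOST))
    # Step 2 would be: enforce_require_tls(boto3.client("sesv2"), "<your-configuration-set>")
```

Run the audit against messages collected from a few different receiving providers, always passing the SES outbound host in sender_substring: the hop that matters is the one where SES handed the message to the recipient's MTA, and the earlier localhost hop in SAMPLE_TLS12 shows why an unfiltered check would wrongly report plaintext. A weak or unencrypted verdict on that hop after Require has been set is the signal that the policy is not doing what you expect.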
Sources
- Business Wire: “Amazon Says SES Requires TLS 1.2. Paubox Testing Shows It Doesn’t.” (June 8, 2026)
- Paubox test methodology (referenced in the Business Wire article)
- AWS SES documentation on TLS policy options: docs.aws.amazon.com/ses/latest/dg/tls-policy.html
Encryption policies are only as good as their enforcement. By taking the extra step to require TLS 1.2 in your SES account, you remove the guesswork and protect your email traffic regardless of what Amazon does on its side. It is a simple change that does not affect legitimate delivery and gives you clear visibility into any failures. If email security matters to your business, treat this as a small but worthwhile fix.