Wait, Does Amazon SES Actually Require TLS 1.2? Here’s What We Found

If you use Amazon Simple Email Service (SES), you might have noticed a change in the documentation: TLS 1.2 is now listed as required. That sounds straightforward. But a recent set of tests done by Paubox, a HIPAA-compliant email provider, suggests the reality is more nuanced. Their findings show that SES still accepts connections using TLS 1.0 and 1.1, at least for now. So what does that mean for your email setup and security posture? Let’s walk through the details and what you should do.

What Happened

Amazon’s official SES documentation has stated that TLS 1.2 is required for all inbound and outbound connections. This is consistent with broader industry moves to deprecate old encryption protocols. However, Paubox’s engineering team ran a series of tests by initiating SMTP connections to SES endpoints while explicitly negotiating TLS versions 1.0, 1.1, and 1.2. According to their results, SES accepted connections using all three versions, with no rejection or warning for the older ones.

The findings were shared via Business Wire and other outlets. It’s important to note that these tests were done on standard SES endpoints, and Amazon has not updated its documentation to reflect any grace period. The discrepancy raises questions about whether enforcement is still coming, or if the documentation is simply ahead of the actual policy.

Why It Matters

TLS (Transport Layer Security) is the protocol that encrypts email as it travels between servers. Older versions—TLS 1.0 and 1.1—have known vulnerabilities (POODLE, BEAST) and are deprecated by major security standards, including PCI DSS and NIST. Continuing to use them exposes your email traffic to interception and tampering.

For businesses that handle sensitive data like healthcare or financial information, compliance requirements often mandate TLS 1.2 or higher. If your system still relies on TLS 1.0 or 1.1 to connect to SES, you might be out of compliance even if the emails are delivered.

The fact that SES still accepts older connections is not an endorsement of their safety. It may reflect a gradual rollout or a configuration that hasn’t been enforced yet. Amazon could flip the switch at any time, and if your applications aren’t prepared, you’ll face delivery failures.

What Readers Can Do

You don’t need to panic, but you should verify your environment and plan an upgrade if needed. Here are the practical steps.

1. Test Your Connection’s TLS Version

Run a simple SMTP test from your server to SES. For example, using OpenSSL:

openssl s_client -connect email-smtp.us-east-1.amazonaws.com:587 -starttls smtp -tls1_2

Try the same with -tls1_1 and -tls1. In the output, look at the "Protocol" line in the SSL-Session block (and the "Cipher" line beside it) to see what was actually negotiated. Keep in mind that the server accepting an old version does not by itself mean your application uses one: what matters is what your own client negotiates, which depends on your code, library and configuration. One caveat: recent OpenSSL releases (3.0 and later) refuse TLS 1.0 and 1.1 at their default security level, so a failed -tls1 or -tls1_1 handshake may be your local OpenSSL declining rather than SES rejecting it.

You can also use the sslyze tool (with its STARTTLS SMTP mode) to scan SES endpoints and list every protocol version and cipher suite the endpoint accepts.
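As an added illustration (this is not code from the article, from Paubox, or from AWS), the following Python script automates the same check: for each TLS version it builds a client context pinned to exactly that version, performs STARTTLS against the SES endpoint named above, and records what was negotiated or why the handshake failed. It assumes Python 3.7 or later (for ssl.TLSVersion), network access to the endpoint, and the host and port from the article; the pinned_context, probe and assess helpers and the result layout are my own. Lowering the OpenSSL security level is done only for the two legacy probes so that "my OpenSSL refuses" can be told apart from "SES refuses".

```python
"""Probe which TLS versions an SMTP endpoint will complete a STARTTLS handshake with."""
import smtplib
import ssl

SES_HOST = "email-smtp.us-east-1.amazonaws.com"  # endpoint named in the article
SES_PORT = 587

# Order matters only for reporting; index 2 is TLS 1.2.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def pinned_context(version):
    """Build a verifying client context that will speak exactly one TLS version."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3.x disables TLS 1.0/1.1 at its default security level.
        # Relax it for the probe only, so a failure here reflects the server,
        # not the local stack. Production senders must never do this.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe(host, port, version, timeout=10):
    """Attempt STARTTLS at one pinned version; report the negotiated session or the error."""
    try:
        ctx = pinned_context(version)
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            sock = smtp.sock  # now an ssl.SSLSocket
            return {"version": version.name, "ok": True,
                    "negotiated": sock.version(), "cipher": sock.cipher()[0]}
    except (ssl.SSLError, smtplib.SMTPException, OSError, ValueError) as exc:
        # ValueError covers a local OpenSSL built without the requested version.
        return {"version": version.name, "ok": False, "error": str(exc)}


def assess(results):
    """Summarise a probe run.

    'server_accepts_legacy' is true when the endpoint completed a handshake below 1.2.
    'modern_available' is true when 1.2 or 1.3 succeeded, i.e. upgrading is possible now.
    """
    accepted = {r["version"] for r in results if r["ok"]}
    return {
        "accepted": sorted(accepted),
        "server_accepts_legacy": bool(accepted & {"TLSv1", "TLSv1_1"}),
        "modern_available": bool(accepted & {"TLSv1_2", "TLSv1_3"}),
    }


if __name__ == "__main__":
    run = [probe(SES_HOST, SES_PORT, v) for v in VERSIONS]
    for r in run:
        print(r)
    print(assess(run))
```

Whatever the server reports, the finding that matters for your own posture is the one from step 4 below: a client that pins a floor of TLS 1.2 cannot be downgraded regardless of what the endpoint tolerates.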

2. Review Your Application Code and SMTP Libraries

Many email libraries (e.g., PHPMailer, Python’s smtplib) default to the highest available TLS version. But if you hardcoded a specific version or are using an outdated library, you could be locking into TLS 1.0 or 1.1. Check your code:

  • Look for tls_version or ssl_protocols settings.
  • Make sure your library version supports TLS 1.2. For example, Python 2.7’s smtplib may not negotiate 1.2 unless patched.

3. Update Email Clients and SMTP Relays

If you use a third-party SMTP relay that connects to SES, verify that it supports TLS 1.2 and is configured to use it. The relay might be the one downgrading the connection on its hop to SES, and you may have no control over that short of contacting your provider.

4. Set SMTP Client to Require TLS 1.2 or Higher

In your code, explicitly require TLS 1.2. In Python:

import ssl, smtplib
# create_default_context() verifies the server certificate and hostname;
# the version floor makes the client refuse to negotiate TLS 1.0 or 1.1.
context = ssl.create_default_context()
context.minimum_version = ssl.TLSVersion.TLSv1_2
server = smtplib.SMTP("email-smtp.us-east-1.amazonaws.com", 587)
server.starttls(context=context)

For PHP with PHPMailer:

$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => true,
        'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
    )
);
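The Python and PHP snippets above set a policy; the following added example (mine, not the article's or any library's) adds a second line of defence that checks the policy held. After STARTTLS it reads the version the session actually negotiated and refuses to authenticate or send if it is below 1.2, which catches an outdated library or wrapper that ignores the context it was handed. It assumes Python 3.7 or later, the endpoint from the article, SES SMTP credentials in the SES_SMTP_USER and SES_SMTP_PASS environment variables (my own names), and a sender address already verified in SES.

```python
"""Send through SES only if the session really negotiated TLS 1.2 or newer."""
import os
import smtplib
import ssl
from email.message import EmailMessage

SES_HOST = "email-smtp.us-east-1.amazonaws.com"  # endpoint named in the article
SES_PORT = 587
MIN_VERSION = ssl.TLSVersion.TLSv1_2
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}  # strings as reported by ssl.SSLSocket.version()


def strict_context():
    """Verifying client context with a hard floor of TLS 1.2 and no downgrade knob."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    ctx.minimum_version = MIN_VERSION
    return ctx


def check_negotiated(version):
    """Return the negotiated version if acceptable, otherwise raise.

    Called after starttls(), so even a library that silently ignored the
    context cannot push traffic over TLS 1.0 or 1.1 without being noticed.
    """
    if version not in ACCEPTABLE:
        raise RuntimeError(f"refusing to send: session negotiated {version!r}, "
                           f"expected one of {sorted(ACCEPTABLE)}")
    return version


def send_via_ses(msg, host=SES_HOST, port=SES_PORT, timeout=15):
    """Connect, upgrade with STARTTLS, verify the negotiated version, then send.

    Credentials come from SES_SMTP_USER / SES_SMTP_PASS (assumed env var names).
    Returns the negotiated version string for logging.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=strict_context())
        negotiated = check_negotiated(smtp.sock.version())
        smtp.login(os.environ["SES_SMTP_USER"], os.environ["SES_SMTP_PASS"])
        smtp.send_message(msg)
    return negotiated


if __name__ == "__main__":
    # Constructed sample message; the From address must be verified in SES.
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "TLS policy check"
    msg.set_content("Delivered only over TLS 1.2 or newer.")
    print("negotiated", send_via_ses(msg))
```

Logging the return value of send_via_ses on every send gives you a record of the negotiated version per connection, which is useful evidence for a compliance review and an early warning if a relay or library change ever alters what gets negotiated.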

5. Monitor Amazon’s Announcements

Amazon will likely enforce TLS 1.2 eventually. Subscribe to the SES release notes and check the AWS Security blog for any deprecation announcements. Consider enabling SES event publishing to track delivery failures in case policies change.

The Bottom Line

Amazon’s documentation says TLS 1.2 is required; real-world testing shows older versions still work. That’s a temporary gap that you shouldn’t rely on. The safest course is to upgrade now rather than wait for enforcement to break your email pipeline. For compliance and security, TLS 1.2 or later should be your baseline.

Stay proactive, test your setup, and make sure your code and infrastructure are ready for the inevitable change. Email encryption isn’t something to gamble on.

Sources

  • Amazon SES documentation (TLS requirements)
  • Paubox testing results as reported by Business Wire (June 2026)
  • OpenSSL, sslyze documentation for TLS testing