Email – What is the difference between SSL, TLS, and STARTTLS?

SSL vs TLS vs STARTTLS: What’s the Difference for Email? (SMTP, IMAP, POP3)

SSL vs TLS vs STARTTLS is one of the most common points of confusion when configuring email on Outlook, Thunderbird, Apple Mail, or mobile apps.
The short version: TLS is the modern encryption standard, SSL is the old name many apps still show,
and STARTTLS is a command that upgrades a connection to TLS after it starts in plain text.

Need help picking the right settings for your mailbox? Open a ticket:
https://client.hosticko.com/submitticket.php

SSL vs TLS vs STARTTLS: meaning (simple definitions)

TLS (Transport Layer Security)

TLS is the modern encryption protocol used to protect email logins and email traffic between your device and the mail server.
When your client says “TLS”, it means the connection is encrypted.

SSL (Secure Sockets Layer)

SSL is the older predecessor of TLS. In real-world email apps, “SSL” often means “encrypted connection”
(most servers are actually using TLS under the hood). If your client offers “SSL/TLS”, it generally means “use encryption from the start.”

STARTTLS

STARTTLS is not a separate encryption protocol. It’s a command used by email protocols (like SMTP/IMAP/POP3)
to upgrade an existing plain-text connection into an encrypted TLS connection without switching to a dedicated “SSL port.”

Implicit TLS vs STARTTLS (explicit TLS): the real difference

Most confusion comes from the fact that email encryption can start in two ways:

1) Implicit TLS (sometimes shown as “SSL/TLS”)

  • The connection is encrypted from the moment it is opened, before any mail protocol commands are exchanged.
  • It uses dedicated “secure” ports (examples below).
  • Often described as “SSL” in older clients, but it’s typically TLS today.

2) STARTTLS (explicit TLS upgrade)

  • The connection starts unencrypted, then the client sends a STARTTLS command to upgrade to TLS.
  • It usually uses the “standard” ports (examples below).
  • Correctly configured, the final connection becomes encrypted—but the negotiation begins in plain text.

Common email ports (SMTP, IMAP, POP3)

These are the typical ports you’ll see in email client settings. Use the secure options whenever possible.

| Service | Encryption Type | Common Port(s) | What it means |
| --- | --- | --- | --- |
| IMAP (Incoming) | STARTTLS | 143 | Connect on 143, then upgrade using STARTTLS |
| IMAP (Incoming) | Implicit TLS (SSL/TLS) | 993 | Encrypted immediately from connection start |
| POP3 (Incoming) | STARTTLS (sometimes “STLS”) | 110 | Connect on 110, then upgrade to TLS |
| POP3 (Incoming) | Implicit TLS (SSL/TLS) | 995 | Encrypted immediately from connection start |
| SMTP (Outgoing) | STARTTLS (Recommended for submission) | 587 | Connect on 587, authenticate, then encrypt via STARTTLS |
| SMTP (Outgoing) | Implicit TLS (SSL/TLS) | 465 | Encrypted immediately from connection start |

Your mail app may show dropdown values like “SSL/TLS”, “TLS”, or “STARTTLS”.
The key is: choose an option that results in an encrypted connection (either implicit TLS or STARTTLS).

What should you choose in your email client?

For most Hosticko mailbox setups, these choices are safe and widely supported:

Recommended (most common)

  • Incoming IMAP: IMAP over SSL/TLS on 993
  • Outgoing SMTP: SMTP with STARTTLS on 587 (SMTP authentication enabled)

Also acceptable

  • SMTP over SSL/TLS on 465 (implicit TLS), if your client prefers it
  • POP3 over SSL/TLS on 995, if you truly need POP3 (IMAP is better for sync)

Avoid “None” / “Unencrypted” options. They expose your email password and traffic to interception on untrusted networks.

Security notes (why STARTTLS can still be risky)

STARTTLS is widely used, but because the connection begins in plain text, it can be vulnerable to downgrade/stripping attacks
on hostile networks if encryption is not strictly enforced. For this reason, modern guidance encourages strong TLS usage and
avoiding cleartext fallbacks where possible.

  • Good: STARTTLS when your client/server enforce TLS properly and do not allow fallback to plain text.
  • Better: implicit TLS where appropriate (encryption from the first packet).
  • Best practice: always use encryption + valid certificates to prevent man-in-the-middle risks.
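
The stripping risk described above can be checked for in a mail client's SMTP debug log. The following is an added example, not part of the original article; the log lines, hostnames and the `audit` function are constructed for illustration. It flags a session where STARTTLS was never offered or where the client sent AUTH before TLS was active.

```python
import re

# Constructed client-side debug logs of SMTP submission on port 587.
# "C:" is the mail client; "S:" is whatever answered as the server.
UPGRADED = """\
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: STARTTLS
S: 220 Ready to start TLS
C: EHLO laptop.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN <redacted>
S: 235 Authentication successful""".splitlines()

# Same dialogue, but the capability list arrived without STARTTLS and the
# client fell back to plain text instead of aborting.
STRIPPED = """\
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN <redacted>
S: 235 Authentication successful""".splitlines()


def audit(lines):
    """Return the list of findings for one session log."""
    findings = []
    advertised = tls_active = awaiting_reply = False
    for line in lines:
        side, _, text = line.partition(": ")
        verb = text.split(" ", 1)[0].upper()
        if side == "S":
            if re.fullmatch(r"250[- ]STARTTLS", text.strip(), re.I):
                advertised = True
            if awaiting_reply:  # server's answer to the STARTTLS command
                tls_active = text.startswith("220")  # 220: handshake follows
                awaiting_reply = False
        elif verb == "STARTTLS":
            awaiting_reply = True
        elif verb == "AUTH" and not tls_active:
            findings.append("AUTH sent before TLS was active")
    if not advertised:
        findings.append("STARTTLS not advertised")
    return findings
```

A clean session returns an empty list; any finding means the client should have aborted instead of continuing in plain text.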

Quick fixes when settings don’t work

1) “Certificate not trusted” warnings

  • Make sure you’re using the correct server name (often mail.yourdomain.com or your server hostname).
  • Try switching between 587 (STARTTLS) and 465 (SSL/TLS) for SMTP.
  • Ensure your device date/time is correct (wrong time can break certificate validation).

2) Can receive mail but cannot send

  • Enable SMTP authentication (this is required in most clients).
  • Use port 587 with STARTTLS first, then try 465 if needed.

3) Works on mobile data but fails on office Wi-Fi

  • Some networks block outbound mail ports. Try 587 first.
  • If still blocked, contact your network admin to allow required ports.

FAQs

Is SSL the same as TLS?

Not exactly. SSL is the older technology; TLS is the modern standard. Many apps still label encrypted connections as “SSL”
even when TLS is used in practice.

Is STARTTLS secure?

STARTTLS is secure when TLS is successfully negotiated and enforced, but it begins as plain text, so strict enforcement and valid certificates matter.

Which is better: 465 or 587 for SMTP?

Both can be secure. Port 587 with STARTTLS is very common for mail submission, and 465 is used for implicit TLS in many setups.
Use whichever your client supports best, and always keep SMTP authentication enabled.