When TLS fails
Forcepoint Email Security Cloud does not deliver a message in the clear if the policy dictates that it should use TLS. If TLS cannot be used when the policy requires it, Forcepoint Email Security Cloud rejects the message. The report that is returned to the sender depends on the sender's email server.
Condition | Action when TLS cannot be started | Message Center reporting for the log entry |
---|---|---|
You try to send email to the service from a connection specified as secure. | The service rejects the email with a permanent error. Your email server should send a non-delivery notification to the sender. | TLS (not verified) - message rejected |
The service tries to send email to a third-party domain specified in the secure transport policy. | The service rejects the email with a reason “cannot start TLS”. Your email server should send a non-delivery notification to the sender. | Email is shown as “clean” because it was accepted from the customer, but the log indicates that onward delivery failed. |
A third party tries to send email to the service from a connection specified in the secure transport policy. | The service rejects the email with a permanent error. The third party’s email server should send a non-delivery notification to the sender. | TLS (not verified) - message rejected |
The service tries to send an email to you through a connection specified as secure. | The service rejects the email with a reason “cannot start TLS”. The third party’s email server should send a non-delivery notification to the sender. | Email is shown as “clean” because it was accepted from the third party, but the log indicates that delivery failed. |