Prerequisites for advanced encryption

To use advanced encryption, you must have a TLS certificate on the server designated as an outbound connection. This certificate must meet the following requirements:

  • The certificate is issued by a supported certificate authority. For a list of supported CAs, see the knowledge base article trusted certificate authorities.
  • Wildcard certificates are supported. Note that multi-level subdomains (for example, sub2.sub1.mydomain.com) are not supported with a standard subdomain wildcard certificate (for example, *.mydomain.com).
  • Subject Alternative Name (SAN) certificates are not fully supported. Only the name listed as the Common Name (CN) will be recognized. Any names defined as SANs will be ignored.
  • The Subject CN of the certificate must match the outbound connection’s fully qualified domain name (FQDN).

In addition, note the following requirements for your TLS connection:

  • The sending IP address must resolve to the outbound connection’s FQDN.
  • The outbound connection’s FQDN must resolve to the sending IP address.
  • Your MTA’s sending HELO string must match the outbound connection’s FQDN.
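The certificate and connection requirements above can be checked together before enabling advanced encryption. The following preflight check is an added example, not code from the product. The hostnames, the IP address, the function names and the sample DNS records are constructed for illustration, and the resolver functions are injectable so the check runs against the constructed records instead of live DNS.

```python
import socket

def norm(name):
    """Lower-case a hostname and drop any trailing root dot."""
    return (name or "").lower().rstrip(".")

def cn_matches_fqdn(cn, fqdn):
    """Compare the Subject CN with the FQDN. SANs are never consulted,
    and a wildcard stands for exactly one leftmost label."""
    cn, fqdn = norm(cn), norm(fqdn)
    if not cn.startswith("*."):
        return cn == fqdn
    first_label, _, parent = fqdn.partition(".")
    return bool(first_label) and parent == cn[2:]

def system_reverse(ip):
    """PTR lookup via the system resolver; '' when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""

def system_forward(host):
    """A/AAAA lookup via the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def preflight(fqdn, sending_ip, helo, cert_cn,
              reverse=system_reverse, forward=system_forward):
    """Return the names of failed requirements; [] means all four pass."""
    failed = []
    if not cn_matches_fqdn(cert_cn, fqdn):
        failed.append("cert CN != FQDN")
    if norm(reverse(sending_ip)) != norm(fqdn):
        failed.append("sending IP does not resolve to FQDN")
    if sending_ip not in forward(fqdn):
        failed.append("FQDN does not resolve to sending IP")
    if norm(helo) != norm(fqdn):
        failed.append("HELO != FQDN")
    return failed

# Constructed records (documentation address range), used instead of live DNS.
PTR = {"192.0.2.25": "out.mydomain.com."}
A = {"out.mydomain.com": {"192.0.2.25"}}

if __name__ == "__main__":
    print(preflight("out.mydomain.com", "192.0.2.25", "out.mydomain.com",
                    "*.mydomain.com", PTR.get, lambda h: A.get(h, set())))
```

Calling `preflight` without the last two arguments uses the system resolver, so it should be run from a host that sees the same DNS view as the receiving side.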

For more information about TLS, see Transport Layer Security.