
Windows 7: New Gmail email security with TLS by default and other new features

02 Apr 2020   #1

64-bit Windows 10 Pro
New Gmail email security with TLS by default and other new features

What’s changing

Recently, the Google Security blog outlined how the usage of Transport Layer Security (TLS) has grown to more than 96% of all traffic seen by a Chrome browser on Chrome OS. The blog post also highlighted a significant goal: to enable TLS by default for our Google products and services, and to ensure that TLS works out of the box.

Gmail already supports TLS, so that if the Simple Mail Transfer Protocol (SMTP) mail connection can be secured through TLS, it will be. However, in order to encourage more organizations to increase their email security posture, and to further the above goal of enabling TLS by default, we’ve made the following changes:
  • TLS for mail connections will now be enabled by default
  • Admins are now able to test their SMTP outbound routes’ TLS configuration in the Admin console before deployment. They no longer need to wait for messages to bounce.
While admins have always had the ability to require TLS encryption for mail routes, it was previously off by default. Note that existing mail routes will not be impacted by these changes.

Who’s impacted


Why it’s important

We always recommend that admins enable existing mail security features, including SPF, DKIM, and DMARC, to help protect end users. We also recommend that admins turn on MTA Strict Transport Security (MTA-STS), which improves Gmail security by requiring authentication checks and encryption for email sent to their domains. Enabling TLS by default on new SMTP mail routes enhances the security posture of our customers while enabling admins to test connections before enforcing TLS on existing routes makes it easier for them to deploy best practice security policies.

This change will not impact mail routes that were previously created.

Additional details

TLS enabled by default on new mail routes

With TLS enabled by default for new mail routes, all certificate validation requirements are also enabled by default. This ensures that recipient hosts have a certificate issued for the correct host that has been signed by a trusted Certificate Authority (CA). See more details about how we’re changing the requirements for trusted CAs below.

Admins will still have the ability to customize their TLS security settings on newly created mail routes. For example, if mail is forwarded to third-party or on-premise mail servers using internal CA certificates, admins may need to disable CA certificate validation. Disabling CA certificate validation, or even disabling TLS entirely, is not recommended. We encourage admins to test their SMTP TLS configuration in the Admin console in order to validate the TLS connection to external mail servers before disabling any recommended validations. See more details about how to test TLS connections in the Admin console.

Certificate Authority distrust in Gmail

In the past, the Google Security Blog has highlighted instances where Chrome would no longer trust root CA certificates used to intercept traffic on the public internet and where Chrome distrusts specific CAs.

If these scenarios occur in the future, these certificates will also be distrusted by Gmail. When this happens, mail sent using routes that require TLS with CA-signed certificate enforcement may bounce if the CA is no longer trusted. Although the list of root certificates trusted by Gmail can be retrieved from the Google Trust Services repository, we encourage admins to use the Test TLS Connections feature in the Admin console to confirm whether certificates have been distrusted.

Test TLS connections in Admin console

Admins can now use the new Test TLS Connection feature to verify whether a mail route can successfully establish a TLS connection with full validation to any destination, such as an on-premise mail server or a third-party mail relay, before enforcing TLS for that destination.

Getting started


TLS settings

TLS will be ON by default for all new mail routes. We recommend that admins review all of their existing routes and enable all recommended TLS security options for these routes as well.

Testing TLS connections

Admins who want to require a secure TLS connection for emails can now verify that the connection to the recipient's mail server is valid simply by clicking on the “Test TLS Connection” button in the Admin console; they no longer need to wait for emails to bounce.

Learn more about requiring mail to be transmitted via a secure (TLS) connection and adding mail routes in the Help Center.

All certificate validations are now enabled by default when creating a new TLS compliance setting.

TLS and all certificate validations are now enabled by default when creating a new mail route.

End users: There are no end user settings for these features.

Rollout pace
  • Available to all G Suite customers

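The announcement's "test before enforcing" step can be approximated from any host with Python's standard library. This is an added example, not part of the original post or Google's tooling: it upgrades an SMTP session with STARTTLS and requires both validations the post names (certificate issued for the correct host, signed by a trusted CA). The function names, the `cafile` option for an internal CA, the reason strings and the EHLO name are assumptions of this sketch.

```python
import smtplib
import ssl

# OpenSSL X509 verify codes mapped to the validation that failed.
VERIFY_REASONS = {
    9: "cert-not-yet-valid",
    10: "cert-expired",
    18: "untrusted-ca",       # self-signed leaf certificate
    19: "untrusted-ca",       # self-signed certificate in the chain
    20: "untrusted-ca",       # issuer not in the trust store
    62: "hostname-mismatch",  # certificate not issued for this host
}

def strict_context(cafile=None):
    """TLS context enforcing a trusted CA chain and a matching host name.
    cafile (assumption): PEM bundle of an internal CA to trust instead of
    the system store, rather than switching CA validation off."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # already the default, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default, stated explicitly
    return ctx

def classify(exc):
    """Map a failure to the reason an admin has to fix on the mail server."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return VERIFY_REASONS.get(getattr(exc, "verify_code", None), "cert-invalid")
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed"
    if isinstance(exc, smtplib.SMTPException):
        return "smtp-error"
    return "connect-failed"

def probe_route(host, port=25, cafile=None, timeout=10):
    """Connect, upgrade with STARTTLS, report whether full validation passes."""
    try:
        # "tls-probe.invalid" is a constructed EHLO name for this sketch.
        with smtplib.SMTP(host, port, local_hostname="tls-probe.invalid",
                          timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return {"ok": False, "reason": "no-starttls"}
            smtp.starttls(context=strict_context(cafile))
            return {"ok": True, "reason": "validated",
                    "protocol": smtp.sock.version(),
                    "not_after": smtp.sock.getpeercert()["notAfter"]}
    except Exception as exc:
        return {"ok": False, "reason": classify(exc)}
```

A result of `untrusted-ca` or `hostname-mismatch` from `probe_route("mail.example.com")` points at a route that would bounce once TLS with certificate validation is required.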
02 Apr 2020   #2

Win 7 Ult 64-bit

Does this mean Gmail will no longer parse your email so they can send targeted ads?
03 Apr 2020   #3

Windows 7 Ultimate x64

Quote: Originally Posted by RoWin7
Does this mean Gmail will no longer parse your email so they can send targeted ads?
No, they just added some more TLS to the mail transport, which of course doesn't protect mail from the mail server at rest (which they've been doing since a long time ago anyway). Email has never been a secure way to exchange private data anyway.

Unless you (mail sender) actively use PGP on your own computer and the other person (mail recipient) is actively using it too to have end-to-end encryption, email can never be secure.

Of course, they won't do anything that prevents them from reading your mails. Their business is built around stealing private data and selling it to the best bid (or to every single bid).

03 Apr 2020   #4

Win 7 Ult 64-bit

Thanks, I was afraid Goohell was losing their edge. I don't use any Goohell products except Youtube, after which I scrub my machine with bleach.

Take a look at ProtonMail when you have some time. End-to-end encryption.
4 Weeks Ago   #5

Win 7 Professional x64 UK (Retail) SP1 & SP2

Google always deliver half truths.
They recently disabled TLS 1.0 and SSL3, which Windows XP uses as its OS-supported security protocols.
And therefore Windows XP systems are totally unable to comply with any newer TLS protocols.
This is why many users are now switching to Thunderbird, as it uses StartTLS and similar fresh protocols.
MS Outlook, in any version, counts on the operating system's TLS protocols; under the new restrictions Outlook can only receive but cannot send anything.

The last update of Win 7 TLS was made in 2016.
If they decide to kill them too, they will disable TLS 1.1.