Recommended TLS Cipher Suite Versions

List of secure and insecure cipher suite versions for Transport Layer Security

Written by Ivan Kovachev
Updated over a week ago

TLS stands for Transport Layer Security and it is a protocol which helps protect your emails by encrypting the connection from the sender to recipient (client to server).

Encryption makes snooping on your emails much harder while they travel to your recipients. Encryption in transit matters because it ensures your emails are read only by the intended recipients, not by anyone intercepting them along the way.

TLS supports many different methods (algorithms) for exchanging keys, encrypting data, and authenticating message integrity.

Over the years, attempts have been made to subvert aspects of the communications security that TLS seeks to provide, and the protocol has been revised several times to address these security threats.

The most secure algorithms are:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

They have Perfect Forward Secrecy and Authenticated Encryption.

The mid-secure (warning) algorithms are:

TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

They have Perfect Forward Secrecy but no Authenticated Encryption.

The dangerous algorithms are:

TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

They have no Perfect Forward Secrecy.


Please make sure to use one of the most secure algorithms in your TLS configuration.
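To check which tier each suite offered by a server falls into, the two criteria used above (Perfect Forward Secrecy and Authenticated Encryption) can be read straight from the suite name. The following is an added example, not part of the original article or of OnDMARC; the function names, the handling of DHE and CCM, and the sample list are assumptions of this example.

```python
# Function names and tier labels are this example's own, modelled on the three groups above.
PFS_KEY_EXCHANGES = {"ECDHE", "DHE"}  # DHE is an addition; the page lists only ECDHE
AEAD_TOKENS = {"GCM", "CCM"}          # CCM is an addition; the page lists only GCM

def parse_suite(name):
    """Return (key_exchange, cipher_part) for a TLS_<kx>_..._WITH_<cipher> name, else None."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        return None  # e.g. TLS 1.3 names, which do not encode a key exchange
    handshake, cipher = name[len("TLS_"):].split("_WITH_", 1)
    return handshake.split("_")[0], cipher

def is_aead(cipher):
    """True for AES-GCM/CCM and ChaCha20-Poly1305, the authenticated-encryption modes."""
    return bool(AEAD_TOKENS & set(cipher.split("_"))) or cipher.startswith("CHACHA20_POLY1305")

def classify(name):
    """Apply the two criteria in order: forward secrecy first, then authenticated encryption."""
    parsed = parse_suite(name)
    if parsed is None:
        return "unknown"
    key_exchange, cipher = parsed
    if key_exchange not in PFS_KEY_EXCHANGES:
        return "dangerous"  # static RSA or static (EC)DH: no Perfect Forward Secrecy
    return "secure" if is_aead(cipher) else "warning"

def audit(offered):
    """Group offered suite names by tier, preserving the order they were offered in."""
    report = {"secure": [], "warning": [], "dangerous": [], "unknown": []}
    for suite in offered:
        report[classify(suite)].append(suite)
    return report

# Constructed sample: suites a hypothetical mail server might offer.
SAMPLE_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for tier, suites in audit(SAMPLE_OFFERED).items():
        for suite in suites:
            print(f"{tier:9} {suite}")
```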

OnDMARC's Investigate feature enables you to see your current TLS status, and helps you detect and troubleshoot any potential issues with your email authentication from any of your email sending services.
