Warning in Gmail: "Some recipients use services that don't support encryption"

When I send from a Gmail to some domains, I get the warning: Some recipients use services that don't support encryption

I have 2 different domains. On the same mailserver, with the same setup, but on one domain I get this warning, on the other domain I don't.

Any idea what causes this warning, and how to resolve it?

Google does not give much help.

/Jan
dk_jbAsked:

btanExec ConsultantCommented:
Any messages that Gmail users send or receive from email providers that don't support TLS encryption will be flagged with a tiny unlocked padlock icon and that error. Specifically, any one of the below may have caused this red icon to appear.
1. Incoming messages that didn’t use TLS.
2. Gmail will also show when you’re sending messages to services that don’t use TLS when accepting mail.
3. Encryption hasn't worked for a certain email provider in the past
4. Gmail isn't directly sending the message. For example, this icon might show up if you've set up a custom domain name, such as name@yourdomain.com.

It may be one of the first two reasons (1 or 2) for the different domain mentioned. In this case, encrypting 100% of all email on the Internet requires the cooperation of all online mail providers.

The other two (3 or 4) are wrongly tagged. So it is a false positive, as acknowledged.
https://support.google.com/mail/answer/7039474

You can check the email header for more info on the above-mentioned scenario to identify which is the case.
dk_jbAuthor Commented:
Hi LVL 65,

Both domains are on the same mailserver, and use TLS, when available.
TLS was enabled on the server a long time ago, and therefore, at the same time for both domains.

How will Gmail know if a domain uses TLS? The open padlock appears in a split second, even on a domain that I have never sent to before.

What headers are we talking about to or from Gmail?

/Jan
btanExec ConsultantCommented:
Google does it by checking past records, which probably may not be updated if that domain is already having to support TLS.

Past messages sent to the recipient's domain are used to predict whether the message you're sending won't be reliably encrypted. See this and you can try testing out the domain -

What is being counted in this report?

We count message recipients, not SMTP connections.  We don’t count emails our systems flag as spam.  We don’t count inbound messages from hosts whose forward or reverse DNS is missing or inconsistent.  This is to ensure that inbound messages can be meaningfully attributed, since a message sender can assert any “From” address that he wants.
https://transparencyreport.google.com/safer-email/overview

The mail has header details which trace the different mail servers before it is delivered to your inbox. See example.
https://community.letsencrypt.org/t/how-to-meet-gmails-new-2016-email-tls-requirement-red-lock/28097/2

dk_jbAuthor Commented:
Hi LVL 65,

The headers look like this:
Received: from gn35.gullestrupnet.dk (gn35.gullestrupnet.dk. [89.249.3.135])
        by mx.google.com with ESMTPS id z64si2164808wmc.261.2017.11.16.21.53.44
        for <gullestrupnet.jb@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Thu, 16 Nov 2017 21:53:44 -0800 (PST)

So if I understand you right, it's sent with TLS, and it's just a matter of time before Gmail has received enough to change its valuation from unsafe to safe?

/Jan
btanExec ConsultantCommented:
Yes. Looks like it has TLS in place already.
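
The header check discussed above, as an added example (not code from any participant in this thread): it reads every Received line of a message and reports whether that hop was recorded as TLS-protected, using the RFC 3848 `with` keyword and the `(version=... cipher=...)` annotation that mx.google.com adds. The sample message, its hosts and IDs are constructed, and the function name `tls_hops` is an assumption of this example.

```python
import re
from email import message_from_string

# Constructed sample message (hosts, IDs and addresses are made up), with Received
# lines in the same format as the mx.google.com header quoted in the thread.
SAMPLE = """\
Received: from mail.example.org (mail.example.org. [192.0.2.10])
        by mx.google.com with ESMTPS id abc123
        for <user@example.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Thu, 16 Nov 2017 21:53:44 -0800 (PST)
Received: from app.example.org (app.example.org [192.0.2.20])
        by mail.example.org with ESMTP id def456;
        Thu, 16 Nov 2017 21:53:40 -0800 (PST)
From: sender@example.org
To: user@example.com
Subject: test

body
"""

# RFC 3848 / RFC 6531 "with" keywords that mean the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
TLS_RE = re.compile(r"version=(\S+)\s+cipher=(\S+)")

def tls_hops(raw_message):
    """Return one dict per Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        with_m, by_m, tls_m = WITH_RE.search(flat), BY_RE.search(flat), TLS_RE.search(flat)
        proto = with_m.group(1).upper() if with_m else None
        hops.append({
            "by": by_m.group(1) if by_m else None,
            "protocol": proto,
            "tls": proto in TLS_PROTOCOLS or tls_m is not None,
            "version": tls_m.group(1) if tls_m else None,
            "cipher": tls_m.group(2) if tls_m else None,
        })
    return hops

if __name__ == "__main__":
    for hop in tls_hops(SAMPLE):
        print(hop)
```

Only Received lines written by servers you trust are reliable, since any earlier hop can put arbitrary text into the headers it adds.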

btanExec ConsultantCommented:
For author advice.