AWS Security ChangesHomeSearch

AWS ses documentation change

Service: ses · 2025-09-28 · Documentation low

File: ses/latest/dg/security-protocols.md

Summary

Clarified opportunistic TLS implementation details (STARTTLS usage and connection flow)

Security assessment

Adds technical specifics about TLS encryption methods but does not indicate a security vulnerability fix. Enhances documentation of existing security protocols without evidence of addressing a specific security issue.

Diff

diff --git a/ses/latest/dg/security-protocols.md b/ses/latest/dg/security-protocols.md
index f6e11dfa6..d8f50480b 100644
--- a//ses/latest/dg/security-protocols.md
+++ b//ses/latest/dg/security-protocols.md
@@ -38 +38 @@ While TLS 1.3 is our default delivery method, SES can deliver email to mail serv
-By default, Amazon SES uses _opportunistic TLS_. This means that Amazon SES always attempts to make a secure connection to the receiving mail server. If Amazon SES can't establish a secure connection, it sends the message unencrypted.
+By default, Amazon SES uses _opportunistic TLS_. Opportunistic TLS in SES always uses STARTTLS and does not include the TLS Wrapper. The flow involves establishing an initial plaintext connection, followed by upgrading to a TLS-encrypted session if both the client and server support STARTTLS. If SES can't establish a secure connection, it sends the message unencrypted.