Email privacy

Our email communications to our users are an important link to hundreds of millions of recipients who use Twitter regularly.

As part of our commitment to continuous improvement in privacy protection, Twitter has enabled a number of email security protocols over the years. Since early 2013, Twitter has supported the security controls Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) with a reject policy to combat phishing and fraudulent email.

In 2014, we began using STARTTLS, which encrypts both outbound and inbound emails in transit. Assuming your email provider supports TLS, it also ensures that emails you receive from Twitter have not been read by other parties on the way to your inbox.

In partnership with Message Systems, we have compiled this high-level overview of different providers’ email privacy practices as a way to provide greater transparency and insight to our users around how and when email security protocols are being used.

Click on any of the providers’ names below to see which STARTTLS standards they employ.

 

Updated every 24 hours

Domain | Security | Verified | % Encrypted | Ciphers | Protocols | Algorithm | Verification | Volume

Glossary

Domain:

The name of the ISP.

Ciphers:

The types of encryption used by that domain.

Protocols:

The versions of TLS (if any) employed in the transmission of the message.

Algorithm bits:

The strength of the encryption itself in bit form, e.g., 128-bit vs. 64-bit encryption.

Verification:

The percentage of traffic from a domain that is verified versus unverified.

Volume:

A logarithmic measure of the relative volume of traffic for the domain.

Security:

How does the ISP use TLS?

TLS is not used.

TLS is used, but there are some implementation risks.

TLS is used, but Perfect Forward Secrecy is not enabled.

TLS is used and Perfect Forward Secrecy is enabled.

Verified:

Could the authenticity of the certificate used in securing the channel be validated?

Authenticity of the ISP's certificate could not be validated.

Some, but not all, email traffic could be verified.

Authenticity of the certificates used for all email communication was validated.

% Encrypted:

Could the authenticity of the certificate used in securing the channel be validated?
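
As an added example (not Twitter's or Message Systems' code), the Security and Verified ratings from the glossary above can be derived from per-delivery STARTTLS records as follows. The record fields, the sample data, the criteria for "implementation risks" and the worst-session-per-domain rule are assumptions, since the page does not define them.

```python
from collections import namedtuple
# One observed delivery; protocol and cipher are None when STARTTLS was not used.
Session = namedtuple("Session", "domain protocol cipher cert_verified")

# The page's four Security levels, worst to best.
LEVELS = ("TLS is not used",
          "TLS is used, but there are some implementation risks",
          "TLS is used, but Perfect Forward Secrecy is not enabled",
          "TLS is used and Perfect Forward Secrecy is enabled")

# Assumption: the page does not define "implementation risks"; deprecated
# protocol versions and weak cipher components are treated as such here.
RISKY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
RISKY_CIPHER_PARTS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "MD5")

def has_forward_secrecy(protocol, cipher):
    """TLS 1.3 certificate handshakes always use ephemeral (EC)DHE; older versions need an (EC)DHE suite."""
    name = cipher.upper().replace("_", "-")  # accept OpenSSL and IANA suite names
    return (protocol == "TLSv1.3" or "ECDHE-" in name
            or name.startswith("DHE-") or "-DHE-" in name)

def security_level(s):
    """Index into LEVELS for one session."""
    if s.protocol is None:
        return 0
    if s.protocol in RISKY_PROTOCOLS or any(p in s.cipher.upper() for p in RISKY_CIPHER_PARTS):
        return 1
    return 3 if has_forward_secrecy(s.protocol, s.cipher) else 2

def verified_level(sessions):
    """The page's three Verified levels, from per-session certificate checks."""
    checks = [s.cert_verified for s in sessions if s.protocol is not None]
    return "all" if checks and all(checks) else "some" if any(checks) else "none"

def grade(sessions):
    """Per domain: (worst Security level seen, Verified level). Worst-case is an assumption."""
    by_domain = {}
    for s in sessions:
        by_domain.setdefault(s.domain, []).append(s)
    return {d: (LEVELS[min(map(security_level, ss))], verified_level(ss))
            for d, ss in by_domain.items()}

SAMPLE = [  # constructed records, not real measurements
    Session("mail-a.example", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", True),
    Session("mail-a.example", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", False),
    Session("mail-b.example", "TLSv1.2", "AES256-SHA", True),
    Session("mail-c.example", "TLSv1", "RC4-SHA", False),
    Session("mail-d.example", None, None, False),
]
```

Calling `grade(SAMPLE)` returns one (Security, Verified) pair per domain.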