Email privacy

Our email communications to our users are an important link to hundreds of millions of recipients who use Twitter regularly.

As part of our commitment to continuous improvement in privacy protection, Twitter has enabled a number of email security protocols over the years. Since early 2013, Twitter has supported the security controls Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) with a reject policy to combat phishing and fraudulent email.

In 2014, we began using StartTLS, which encrypts both outbound and inbound emails in transit. Assuming your email provider supports TLS, it also ensures that emails you receive from Twitter have not been read by other parties on the way to your inbox.

In partnership with Message Systems, we have compiled this high-level overview of different providers’ email privacy practices as a way to provide greater transparency and insight to our users around how and when email security protocols are being used.

Click on any of the provider’s names below to see which STARTTLS standards they employ.

 

Email privacy

Updated every 24 hours

Domain Security Verified % Encyrpted Ciphers Protocols Algorithm Verification Volume

Glossary

Domain

Domain:

The name of the ISP.

Ciphers:

The types of encyrption used by that domain.

Protocols:

The versions of TLS (if any) employed in the transmission of the message.

Algorithm bits:

The strength of the encryption itself in bit form, e.g., 128-bit vs. 64-bit encryption.

Verification:

The percentage of traffic from a domain that is verified versus unverified.

Volume:

A logarithmic measure of the relative volume of traffic for the domain.

Security

Security:

How does the ISP use the TLS?

TLS is not used.

TLS is used, but there are some implementation risks.

TLS is used, but Perfect Forward Secrecy is not enabled.

TLS is used and Perfect Forward Secrecy is enabled.

Verified 

Verified:

Could the authenticity of the certificate used in securing the channel be validated?

Authenticity of the ISP's certificate could not be validated.

Some, but not all email traffic, could be verified.

Authenticity of the certificates used for all email communication were validated.

% Encrypted:

Could the authenticity of the certificate used in securing the channel be validated?