Amazon Says SES Requires TLS 1.2. Paubox Testing Shows It Doesn't.

Paubox testing shows Amazon SES can send patient data in plaintext, over retired encryption, or to servers that never proved their identity.

SAN FRANCISCO--(BUSINESS WIRE)--Emails sent through Amazon Simple Email Service (SES) can be delivered in plaintext, readable by anyone in transit, and the sender never knows. New testing from Paubox found Amazon SES could deliver protected health information (PHI) in email even when encryption fails.

As Paubox CEO Hoala Greevy put it: "TLS being on is not the same as PHI being protected. 'Require TLS' on Amazon SES enforces neither a minimum version nor certificate validation."

The findings come from How Amazon SES puts PHI at risk, published today by Paubox, a leader in HIPAA compliant email security. Paubox engineers ran 14 controlled tests against Amazon SES in Q2 2026, reading each result from the recipient-side Received header.

Amazon's own SES documentation tells developers the service "requires TLS 1.2 and recommends TLS 1.3." In testing, SES delivered over whatever the receiving server offered, including Transport Layer Security (TLS) 1.0 and 1.1, the versions the Internet Engineering Task Force deprecated in 2021 (RFC 8996). The documented requirement is not enforced by SES.
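The following Python is an added example, not code from Paubox's report or from Amazon, showing how a recipient-side Received header is read the way the testing above describes: it parses the TLS annotations that Postfix, Gmail-style and Exchange mail servers write into the header and classifies each delivery as plaintext, retired TLS, acceptable, or unknown. The five headers in SAMPLES are constructed (reserved .test domains and a TEST-NET address), not captures from the study. One limit matters: a Received header records the version and cipher the receiver negotiated, never whether the sender validated the receiver's certificate, so that failure mode cannot be found this way and has to be provoked with a deliberately invalid certificate, as the report did.

```python
"""Classify recipient-side Received headers by the transport they record.

Added example (not Paubox's or Amazon's code). The headers in SAMPLES are
constructed to mimic Postfix, Gmail-style and Exchange formats; they are not
real captures, and the receiving hosts use reserved .test domains.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Protocol versions the IETF has retired: SSL 2/3 (RFC 6176, RFC 7568),
# TLS 1.0/1.1 (RFC 8996). Seeing one of these means the sender had no floor.
RETIRED = {"SSL2", "SSL3", "TLS1.0", "TLS1.1"}

# "with ESMTPS" / "ESMTPSA" (RFC 3848) means the receiving MTA saw STARTTLS.
_TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS"}
_PROTO_RE = re.compile(r"\bwith\s+(E?SMTPS?A?)\b")
# Postfix: "(using TLSv1.2 with cipher ...)"; Gmail/Exchange: "(version=TLS1_2 cipher=...)"
_VERSION_RE = re.compile(r"(?:version=|using )(SSLv?\d|TLSv?1(?:[._]\d)?)\b")
_CIPHER_RE = re.compile(r"cipher[= ]([A-Z0-9_-]+)")
_RECEIVER_RE = re.compile(r"\bby\s+(\S+)")


@dataclass
class Delivery:
    receiver: str
    protocol: str            # as written by the receiving MTA, "?" if absent
    version: Optional[str]   # normalized, e.g. "TLS1.2"; None if not recorded
    cipher: Optional[str]
    verdict: str             # "plaintext" | "retired" | "ok" | "unknown"


def _normalize(raw: str) -> str:
    """'TLSv1.2' / 'TLS1_2' -> 'TLS1.2'; bare 'TLS1' / 'TLSv1' -> 'TLS1.0'; 'SSLv3' -> 'SSL3'."""
    v = raw.replace("v", "").replace("_", ".")
    return "TLS1.0" if v == "TLS1" else v


def classify(received: str) -> Delivery:
    """Read one Received header (folded or not) and say how the hop was made."""
    header = " ".join(received.split())  # unfold continuation lines
    receiver = m.group(1) if (m := _RECEIVER_RE.search(header)) else "?"
    protocol = m.group(1) if (m := _PROTO_RE.search(header)) else "?"
    version = _normalize(m.group(1)) if (m := _VERSION_RE.search(header)) else None
    cipher = m.group(1) if (m := _CIPHER_RE.search(header)) else None

    if version is not None:
        verdict = "retired" if version in RETIRED else "ok"
    elif protocol in _TLS_PROTOCOLS:
        verdict = "unknown"    # TLS was used, but the MTA did not record the version
    else:
        verdict = "plaintext"  # plain ESMTP: no STARTTLS at all
    return Delivery(receiver, protocol, version, cipher, verdict)


def audit(headers) -> dict:
    """Count verdicts across a batch of headers: the numbers one would report."""
    counts = {"plaintext": 0, "retired": 0, "ok": 0, "unknown": 0}
    for h in headers:
        counts[classify(h).verdict] += 1
    return counts


# Constructed sample headers (not real captures); sender host mimics SES naming.
SAMPLES = [
    # 1. Postfix, no STARTTLS: the message crossed the wire in the clear.
    "from a8-63.smtp-out.amazonses.com (a8-63.smtp-out.amazonses.com [203.0.113.24])\n"
    "\tby mx.clinic.test (Postfix) with ESMTP id 4Xk2Ab0Vz for <records@clinic.test>;\n"
    "\tTue, 14 Apr 2026 10:02:11 -0700",
    # 2. Postfix, STARTTLS negotiated down to TLS 1.0 with a CBC cipher.
    "from a8-63.smtp-out.amazonses.com (a8-63.smtp-out.amazonses.com [203.0.113.24])\n"
    "\tby mx.lab.test (Postfix) with ESMTPS id 4Xk2Cd1Wq\n"
    "\t(using TLSv1 with cipher AES128-SHA (128/128 bits)) for <orders@lab.test>;\n"
    "\tTue, 14 Apr 2026 10:03:40 -0700",
    # 3. Gmail-style annotation, TLS 1.3.
    "from a8-63.smtp-out.amazonses.com (a8-63.smtp-out.amazonses.com. [203.0.113.24])\n"
    "\tby mx.hospital.test with ESMTPS id q7-20020a17090a1234 for <dr@hospital.test>\n"
    "\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n"
    "\tTue, 14 Apr 2026 10:04:02 -0700 (PDT)",
    # 4. Exchange-style annotation, TLS 1.2 (no RFC 3848 keyword at all).
    "from a8-63.smtp-out.amazonses.com (203.0.113.24) by mail.hospital.test (10.0.0.12)\n"
    "\twith Microsoft SMTP Server (version=TLS1_2,\n"
    "\tcipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.21;\n"
    "\tTue, 14 Apr 2026 10:05:19 -0700",
    # 5. STARTTLS used, but no version recorded: cannot be judged from the header.
    "from a8-63.smtp-out.amazonses.com ([203.0.113.24]) by mx.pharmacy.test\n"
    "\twith ESMTPS id 1uAbCd-0001xy-Ef for <rx@pharmacy.test>;\n"
    "\tTue, 14 Apr 2026 10:06:00 -0700",
]


if __name__ == "__main__":
    for d in map(classify, SAMPLES):
        print(f"{d.verdict:<9} {d.receiver:<20} {d.protocol:<7} {d.version or '-':<7} {d.cipher or '-'}")
    print(audit(SAMPLES))
```

Run over a mailbox export, the "retired" and "plaintext" rows are the deliveries the sender's dashboard reported as successful. The "unknown" bucket is real: some MTAs note only that STARTTLS happened, so a clean audit needs the receiving side to log the version (Postfix does this with smtpd_tls_received_header = yes).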

The exposure does not require an attacker. By default SES uses opportunistic TLS: it offers STARTTLS, and if the receiving server does not support it or the handshake fails, SES sends the message in plaintext anyway. One clinic or specialty lab running an outdated mail server is enough to expose PHI in plaintext. The "Require TLS" setting Amazon provides to fix this (the TLS policy on an SES configuration set, switched from Optional to Required) blocked only one of the four failure modes tested.

Additionally, SES blocked none of the four invalid-certificate deliveries Paubox tested, handing encrypted email to servers that could not prove they were the intended recipient. Without certificate validation, TLS protects only against passive eavesdropping: anyone who can intercept the connection can present any certificate, terminate the session, and read the message. That is the setup for a man-in-the-middle attack, and the sender sees a successful delivery either way.
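For the sender side, the following Python is an added example (not Amazon's code and not how SES is implemented) of the two checks the text says "Require TLS" does not apply: an SMTP client context that refuses TLS below 1.2 and fails the handshake on an untrusted, expired or mismatched certificate, shown beside the opportunistic equivalent that accepts anything. probe_mx is a hypothetical pre-send check against a mail server you name; it opens a real SMTP session, so it runs only when invoked with a host.

```python
"""Strict STARTTLS policy for an SMTP client: TLS 1.2 floor plus certificate
validation, the two checks the text says SES "Require TLS" does not apply.

Added example, not Amazon's code and not how SES is implemented internally.
probe_mx() and the host it takes are hypothetical; it opens a real connection.
"""
import smtplib
import ssl


def strict_starttls_context() -> ssl.SSLContext:
    """Context a PHI sender should use: refuses TLS 1.0/1.1 and fails the
    handshake unless the server presents a trusted certificate for its own name."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2               # RFC 8996 floor
    ctx.check_hostname = True                                  # name must match
    ctx.verify_mode = ssl.CERT_REQUIRED                        # untrusted cert -> error
    return ctx


def opportunistic_context() -> ssl.SSLContext:
    """What 'TLS optional' amounts to on the wire: any version, any certificate.
    Shown for contrast only; never use this to move PHI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                              # must be cleared first
    ctx.verify_mode = ssl.CERT_NONE                         # self-signed/expired/wrong name all pass
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no version floor
    return ctx


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Open an SMTP session to `host` and upgrade with STARTTLS under the strict
    policy. Returns what was negotiated, or why the upgrade was refused. Every
    refusal returned here is a case where an opportunistic sender would still
    hand the message over (in plaintext, or to an unverified server)."""
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"host": host, "ok": False,
                    "reason": "STARTTLS not offered; an opportunistic sender would go plaintext"}
        smtp.starttls(context=strict_starttls_context())
        smtp.ehlo()  # RFC 3207: re-issue EHLO after the upgrade
        name, _proto, bits = smtp.sock.cipher()
        result = {"host": host, "ok": True, "version": smtp.sock.version(),
                  "cipher": name, "bits": bits}
        smtp.quit()
        return result
    except ssl.SSLCertVerificationError as e:
        return {"host": host, "ok": False, "reason": f"certificate rejected: {e.verify_message}"}
    except ssl.SSLError as e:
        return {"host": host, "ok": False, "reason": f"handshake failed: {e.reason}"}
    except (OSError, smtplib.SMTPException) as e:
        return {"host": host, "ok": False, "reason": f"connection failed: {e}"}
    finally:
        if smtp is not None:
            smtp.close()  # plain close, no QUIT, so a failed handshake cannot mask the cause


if __name__ == "__main__":
    import sys
    for mx in sys.argv[1:]:  # e.g. python strict_starttls.py mx.clinic.test
        print(probe_mx(mx))
```

The point of the contrast is that both contexts produce a Received header saying "with ESMTPS" on the far side; only the strict one guarantees the session was with the server named in the MX record and at a version that is still supported. A sender that cannot get a strict upgrade should hold the message for another channel rather than fall back.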

The HIPAA Security Rule currently treats encryption in transit as "addressable." The rule the U.S. Department of Health and Human Services (HHS) proposed in December 2024 would make it required, and a final rule could come at any time. A configuration that quietly drops encryption would then become a compliance problem.

The full report, How Amazon SES puts PHI at risk, is available today at https://hubs.la/Q04jLhVr0.

About Paubox

Paubox is a leader in HIPAA compliant email security for healthcare. Trusted by more than 8,000 organizations, including Cost Plus Drugs, Rippling, and Covenant Health, Paubox works with your existing platform to secure every email sent and received. Paubox is rated #1 on G2 and is recognized on G2's 2026 Best Healthcare Software Products list. Paubox offers HIPAA compliant email encryption, AI-powered inbound email security, archiving, data loss prevention, a secure email API for transactional messaging, forms, and email marketing.

Contacts

Media Contact:
Dawn Halpin
press@paubox.com
