Determine TLS version when using SMPT in Amazon SES

Question

Amazon SES will soon stop supporting TLS 1.0 and TLS 1.1 in their SMTP interface.

We believe that a change in our code will force TLS 1.2 but we are not 100% sure.

How can we check on Amazon SES side if emails are sent with TLS 1.2?

We found https://aws.amazon.com/blogs/mt/using-aws-cloudtrail-lake-to-identify-older-tls-connections-to-aws-service-endpoints/ but this seems to only apply to using TLS for the API endpoints, not for the SMTP interface.

Answer 1

Detecting Client IPs

AWS team will send out reminder email including details on the TLS 1.0 or TLS 1.1 connections detected from your AWS account to SES using Simple Mail Transfer Protocol (SMTP). Or you can identify client IPs (server IPs hosted your application using SES) by yourself with this AWS re:Post article.

Checking TLS version

If you are not sure which TLS version is currently used by your application, I suggest to test by sending out a sample email. After you have received test email, you right click and find View Source for Outlook or Show Original for Gmail. Then you will know which TLS version you have been using as per below screenshot.

Change your code or not?

If your client software application was built after 2014 using AWS SDK, AWS CLI, JDK 8 or later, or another modern development environment, you do not need to update application code to use TLS 1.2. Otherwise, you will likely need to update. More details can be found here.