what encryption at rest and in transit means for AI agent email
AI agent email is vulnerable in two places: on the wire and on disk. Here's what encryption at rest and in transit actually protects.
Your AI agent's email exists in two states: moving between servers, and sitting in storage waiting to be read. Each state has a different attack surface. Each needs its own encryption layer.
Most developers hear "encrypted email" and assume the entire pipeline is protected. That's rarely true. Encryption in transit protects data while it moves. Encryption at rest protects data once it's stored on disk. Miss either one and there's a window where your agent's email content (verification codes and credentials, password resets and customer messages) is readable by anyone with access to the right system.
For human-operated email, this risk stays theoretical most of the time. For autonomous agents processing hundreds of messages without human review, it's a practical exposure that compounds with every polling cycle.
If you'd rather skip the infrastructure audit, LobsterMail encrypts agent email in both states by default. , and both layers are handled from day one.
Encryption in transit: protecting email on the wire#
Encryption in transit means TLS (Transport Layer Security) wraps email data in an encrypted tunnel as it moves between servers. Your agent sends a message. TLS encrypts the payload in flight. Anyone intercepting traffic between the two mail servers sees gibberish instead of your email body.
The catch is that TLS between mail servers is often "opportunistic." If the receiving server doesn't support TLS, the sending server quietly falls back to plaintext. No error, no warning. Your agent's email just crosses the internet unencrypted, visible to any network observer along the route.
Warning
Opportunistic TLS is the default in most SMTP implementations. Your agent's outbound email may travel in plaintext without any warning or error in your logs.
This isn't a theoretical edge case. Google's email transparency data has tracked TLS adoption for years, and a persistent fraction of traffic between major providers still falls back to plaintext because one side can't negotiate encryption. For agent infrastructure, where the receiving server might be a hastily configured mail transfer agent, that fraction is likely larger.
Enforced TLS (sometimes called "mandatory TLS") refuses to send if the receiving server can't negotiate an encrypted connection. Safer, yes, but it means some messages won't deliver at all. That tradeoff matters when your agent needs to reach arbitrary recipients across different mail providers. A failed delivery can break an entire workflow, from order confirmations to verification code loops.
There's no perfect answer here. Enforced TLS is more secure but can silently kill deliverability to poorly configured recipients. Opportunistic TLS maintains delivery rates but can't guarantee encryption. The practical approach for most agent deployments: enforce TLS for API connections between your agent and its email provider, and accept opportunistic TLS for outbound delivery to external recipients. This locks down the leg you control while preserving deliverability for the leg you don't.
Encryption at rest: protecting stored email#
Email doesn't stop being vulnerable once it arrives. Encryption at rest protects messages sitting on a server's hard drive or cloud storage volume, ensuring that physical access to the hardware doesn't expose content.
This matters more than most people think. Cloud providers store data on shared infrastructure. A misconfigured storage bucket or a compromised backup can expose stored emails in ways that have nothing to do with your application's security posture. The 2023 Microsoft Storm-0558 breach showed exactly this: attackers extracted a signing key from a crash dump that should have been scrubbed, illustrating how stored data becomes vulnerable through paths no one anticipated.
For AI agents, encryption at rest carries extra weight because agents accumulate email. A human might delete or archive old messages periodically. An agent often retains everything for context, building a growing dataset of sensitive information in one location. Verification codes, password reset links, financial notifications, customer correspondence: the pile grows with every polling cycle, and so does the blast radius of a storage-level breach.
Standard encryption at rest uses AES-256, applied either at the storage volume level (full-disk encryption) or at the application level (each record encrypted individually before storage). Volume-level encryption protects against physical theft of hardware. Application-level encryption protects against unauthorized access from other processes on the same machine. The best providers use both.
The ENCRYPT.md protocol, an open-source data protection framework for AI agents, classifies email content as "Sensitive" data requiring encryption in transit. API keys and passwords found within emails are classified as "Critical," requiring encryption both at rest and in transit with no exceptions. If your agent processes email containing either category, both encryption layers are non-negotiable.
Why agents face different encryption risks than human email users#
Human email users benefit from decades of security improvements baked into Gmail and Outlook. These services enforce TLS by default, encrypt stored messages, and handle key rotation automatically. Most humans never think about email encryption because their provider solved it years ago.
AI agents usually aren't sending through Gmail. They're running on custom infrastructure or third-party API services where encryption defaults vary wildly. I've seen agent deployments where the email server supported TLS but the agent's client library was configured to skip certificate verification for "convenience." That's encryption in name only, and no one caught it because the agent doesn't complain.
The deeper issue is visibility. When a human sends email through Gmail, a lock icon indicates TLS status. Agents don't see lock icons. They fire off a message and move on. Without explicit logging of TLS negotiation results, you won't know whether a given message traveled encrypted or in plaintext. The same blind spot applies to storage: is the database encrypted? Are encryption keys stored separately? Are backups encrypted?
These questions have answers, but most agent frameworks don't surface them. Your agent can handle plenty of email challenges on its own, but auditing its provider's encryption posture isn't one of them. That's your job, and it starts before you write the first line of agent code.
What to verify before connecting your agent#
Before trusting any email service with your agent's data, check five things:
- TLS enforcement on API connections. Your agent's connection to the email service should require TLS 1.2 or higher. No plaintext fallback.
- Outbound TLS policy. Does the provider attempt TLS for all outbound delivery? What happens when a recipient server doesn't support it? A good provider logs TLS negotiation outcomes so you can audit delivery security after the fact.
- At-rest encryption algorithm. AES-256 is the standard. Anything weaker is a red flag. Ask whether encryption is applied at the volume level, application level, or both.
- Key management. Encryption keys should live in a dedicated key management service, not on the same disk as the encrypted data.
- Tenant isolation. Are your agent's emails stored separately from other customers' data? Shared encryption keys across a multi-tenant system mean one breach can expose everyone.
Tip
If the provider can't answer these questions clearly, or the answers are buried behind a sales call, look elsewhere. Encryption details should be documented, not negotiated.
How LobsterMail handles both layers#
LobsterMail encrypts all agent email in transit using TLS 1.2+ on every API connection. There's no plaintext fallback between your agent and LobsterMail's servers. For outbound delivery to external recipients, TLS is negotiated with the receiving server and enforced where supported.
At rest, all stored emails use AES-256 encryption. Each account's data is isolated, so a compromise of one account doesn't cascade to others. Encryption keys are managed through a dedicated key management service, rotated on a regular schedule, and stored separately from the encrypted data. For more on how LobsterMail protects email content from other attack vectors like prompt injection, see the security and injection documentation.
None of this requires configuration. Encryption is on by default for every inbox, on every plan, including the free tier. Your agent calls inbox.receive() and gets messages that were encrypted at every stage of their journey. No TLS settings to toggle, no encryption parameters to verify, no key rotation to manage.
If your agent hits a 550 rejection or delivery failure, the issue is with the recipient's server policy, not your encryption setup. That distinction saves hours of debugging when you're troubleshooting at 2 AM.
Encryption isn't a feature you bolt on after launch. It's either built into the system from day one, or it's a vulnerability waiting for the wrong moment. If your agent sends and receives email through any provider, verify both layers before your next deployment.
Frequently asked questions
Does LobsterMail encrypt email at rest?
Yes. All stored emails are encrypted with AES-256. Encryption keys are managed through a dedicated key management service and stored separately from the data.
What TLS version does LobsterMail use?
LobsterMail requires TLS 1.2 or higher on all API connections. There is no plaintext fallback between your agent and LobsterMail's servers.
Is email encryption included on the free plan?
Yes. Encryption at rest and in transit is enabled by default on every plan, including the free tier. There's nothing extra to configure or pay for.
What's the difference between encryption at rest and encryption in transit?
Encryption in transit (TLS) protects email while it moves between servers. Encryption at rest (AES-256) protects email while it sits on disk. You need both to cover the full lifecycle of a message.
Can my agent verify that an outbound email was sent over TLS?
That depends on your email provider. Some providers log TLS negotiation results for each sent message. Check your provider's delivery logs or API response metadata for TLS status per message.
What happens if the recipient's mail server doesn't support TLS?
With opportunistic TLS, the message may be delivered in plaintext. With enforced TLS, the message is rejected instead of sent unencrypted. LobsterMail enforces TLS on API connections and uses opportunistic TLS for outbound delivery to external servers.
Is encryption at rest the same as end-to-end encryption?
No. Encryption at rest protects data on the storage medium against physical or unauthorized access. End-to-end encryption means only the sender and recipient can decrypt the message, with no access by the email provider. Standard email infrastructure uses at-rest and in-transit encryption, not end-to-end.
Do I need to configure encryption settings in the LobsterMail SDK?
No. Encryption is handled at the infrastructure level automatically. Your agent uses the SDK normally and both encryption layers are active without any setup.
Are email attachments encrypted too?
Yes. Attachments are part of the email message body and receive the same encryption treatment, both in transit via TLS and at rest via AES-256.
What compliance frameworks require email encryption?
GDPR requires encryption of personal data. SOC 2 Type II evaluates encryption controls. ISO 27001 covers information security management. The EU AI Act (2026) includes data protection requirements for AI systems. Email encryption at rest and in transit helps satisfy all of these frameworks.
Does tenant isolation affect encryption security?
Yes. LobsterMail isolates each account's data separately, so a compromise of one account does not expose any other account's encrypted data.
Can I use a custom domain and still get full encryption?
Yes. Custom domains get the same encryption at rest and in transit as default lobstermail.ai addresses. See the custom domains guide for setup details.
