REPORT
2025 healthcare email security report
Key insights from 180 email-related healthcare breaches and actionable steps to protect your organization.
Top takeaways
The report How Amazon SES puts PHI at risk documents what Amazon Simple Email Service does with healthcare email across fourteen controlled tests. The Require TLS setting closes one failure mode and leaves the rest open.
14 controlled tests run against Amazon SES sending infrastructure, each captured with the recipient-side Received header as evidence.
4 invalid certificate tests Amazon SES delivered in full. None were blocked under either configuration.
IETF retired TLS 1.0 and 1.1 in 2021. Amazon SES still delivers healthcare email over both protocols.
3 of 4 failure modes still pass through with Require TLS enabled. Only the no-encryption case bounces.
Key resources
COMPLETE REPORT
How Amazon SES puts PHI at risk
A technical analysis of failures in TLS version, certificate, and plaintext behavior in Amazon's transactional email service.
EXECUTIVE SUMMARY
How Amazon SES puts PHI at risk
Amazon SES documentation states it requires TLS 1.2. In testing it delivered over plaintext, over retired protocols, and to invalid certificates. The Require TLS setting fixes only the plaintext case.
INFOGRAPHIC
What SES delivers, receiver state by receiver state
Every TLS version and certificate state lined up against SES default, SES Require TLS, and Paubox, with the delivery outcome for each.
EXCERPT
SES documentation says one thing. SES does another.
With Require TLS enabled, Amazon SES delivered over TLS 1.1 and TLS 1.0, the protocols IETF retired in 2021. The Received header recorded each one.
EXCERPT
Default SES sends PHI in plaintext
Amazon SES default is opportunistic TLS. When the receiving server offers no encryption, the message sends in plaintext across the open internet anyway.
EXCERPT
Encrypted is not the same as authenticated
Self-signed and expired certificates all delivered. Amazon SES encrypted the session without verifying who was on the other end of it.
EXCERPT
What secure email looks like
Paubox requires TLS 1.2 or higher with a valid certificate. Anything weaker routes to a patented Secure Message Center instead of sending under weak encryption.
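The report uses the recipient-side Received header as its evidence for which TLS version (if any) each delivery negotiated. As an added example, not taken from the report, Paubox or Amazon, the following script shows the check a mail administrator can run over their own Received headers to find hops that fell below a TLS 1.2 floor. The sample headers are constructed and the hostnames, addresses and queue ids in them are placeholders; the two header shapes are modelled on the "version=TLS1_2" clause Google-style MTAs write and the "using TLSv1 with cipher ..." clause Postfix writes.

```python
import re
from typing import Optional, Tuple

# Constructed sample Received headers (not captured from any real system), in the two
# shapes common MTAs emit: a Google-style "version=TLS1_2" clause and a Postfix-style
# "using TLSv1 with cipher ..." clause. The third header carries no TLS clause at all.
SAMPLE_HEADERS = [
    "Received: from a.example.net (a.example.net [192.0.2.10]) by mx.example.org "
    "with ESMTPS id k1 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); "
    "Mon, 6 Jan 2025 10:00:00 +0000",
    "Received: from b.example.net (b.example.net [192.0.2.11]) "
    "(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) "
    "by mx.example.org (Postfix) with ESMTPS id k2; Mon, 6 Jan 2025 10:01:00 +0000",
    "Received: from c.example.net (c.example.net [192.0.2.12]) "
    "by mx.example.org (Postfix) with ESMTP id k3; Mon, 6 Jan 2025 10:02:00 +0000",
    "Received: from d.example.net (d.example.net [192.0.2.13]) "
    "(using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) "
    "by mx.example.org (Postfix) with ESMTPS id k4; Mon, 6 Jan 2025 10:03:00 +0000",
]

MINIMUM_TLS = (1, 2)  # policy floor: TLS 1.2, the threshold the report itself applies

_GOOGLE_STYLE = re.compile(r"version=TLS(\d)_(\d)")
_POSTFIX_STYLE = re.compile(r"using TLSv(\d)(?:\.(\d))?")


def tls_version(header: str) -> Optional[Tuple[int, int]]:
    """Return the (major, minor) TLS version recorded in a Received header, or None."""
    m = _GOOGLE_STYLE.search(header)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _POSTFIX_STYLE.search(header)
    if m:
        # Postfix writes "TLSv1" for 1.0 and "TLSv1.1" / "TLSv1.2" / "TLSv1.3" otherwise
        return int(m.group(1)), int(m.group(2) or 0)
    return None


def classify_hop(header: str, minimum: Tuple[int, int] = MINIMUM_TLS) -> str:
    """Classify one hop as 'ok', 'weak-tls', 'plaintext' or 'tls-unknown-version'."""
    version = tls_version(header)
    if version is None:
        # "with ESMTPS" signals STARTTLS was negotiated even when the MTA did not
        # record the version; plain "ESMTP" means the hop was not encrypted at all.
        if re.search(r"\bwith\s+ESMTPS\b", header):
            return "tls-unknown-version"
        return "plaintext"
    return "ok" if version >= minimum else "weak-tls"


def audit(headers) -> dict:
    """Count hops per class so a reviewer sees how much mail fell below policy."""
    counts = {"ok": 0, "weak-tls": 0, "plaintext": 0, "tls-unknown-version": 0}
    for h in headers:
        counts[classify_hop(h)] += 1
    return counts


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_hop(h), tls_version(h))
    print(audit(SAMPLE_HEADERS))
```

On the constructed sample this reports one hop at TLS 1.2, two below the floor (TLS 1.0 and 1.1) and one with no encryption. Note what a Received header cannot tell you: it records the version the receiving MTA saw, but not whether the sending side checked the receiver's certificate, so the self-signed and expired cases the report describes are only observable from the sender's own policy and logs, not from this header.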
