Understanding Intermittent 'Encryption too weak 128 less than 168' Errors

Issue

Customers sending to recipient servers that sit behind an email gateway filter service (e.g., Proofpoint) may intermittently encounter errors indicating that the encryption is too weak to be accepted by the recipient server. The recipient servers can return the following errors:

  • 450 4.7.0 Encryption too weak 128 less than 168

  • 503 5.7.0 Encryption too weak 128 less than 168

Product

Twilio SendGrid Email 

Cause

When sending emails using TLS encryption, Twilio SendGrid offers a list of strong encryption methods, including both 256-bit and 128-bit options. Email gateway filters and recipient inboxes pick which ciphers to use based on their own settings and configurations.

If the gateway filter service accepts ciphers that are weaker than the encryption requirements of the recipient inbox it is filtering for, the recipient inbox returns an 'Encryption too weak 128 less than 168' error and rejects the message.

This can make it seem as though the ciphers Twilio SendGrid uses are not secure enough to deliver to the recipient inbox, when in fact the email gateway filter service is connecting with a weaker cipher than the recipient server it filters for is willing to accept.

Resolution

Resolving this requires customers to reach out to the admin of the recipient server and the admin of their email gateway filter service. The change is made within the email gateway filter service, so that the ciphers it provides to Twilio SendGrid to connect with align with the cipher requirements of the recipient inbox itself.
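Before contacting those admins, it helps to show which recipient domains are affected and that the failures are intermittent. The following is an added example, not Twilio SendGrid code: it parses the two rejection strings quoted above out of delivery responses and groups the outcomes by recipient domain. The function names and the (recipient, response) event layout are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Matches the two rejections quoted in this article, e.g.
# "450 4.7.0 Encryption too weak 128 less than 168"
WEAK_RE = re.compile(
    r"\b(?P<code>[45]\d\d) (?P<enh>[45]\.\d+\.\d+) "
    r"Encryption too weak (?P<got>\d+) less than (?P<need>\d+)"
)

def parse_rejection(response):
    """Return the SMTP code, negotiated bits and required bits, or None."""
    m = WEAK_RE.search(response)
    if not m:
        return None
    return {"code": int(m["code"]), "negotiated_bits": int(m["got"]),
            "required_bits": int(m["need"])}

def summarize(events):
    """Group (recipient, smtp_response) pairs by recipient domain."""
    report = defaultdict(lambda: {"delivered": 0, "deferred": 0, "blocked": 0,
                                  "negotiated_bits": set(), "required_bits": set()})
    for recipient, response in events:
        row = report[recipient.rsplit("@", 1)[-1].lower()]
        hit = parse_rejection(response)
        if hit is None:
            if response.startswith("2"):
                row["delivered"] += 1
            continue  # other failures are unrelated to cipher strength
        # 4xx is a temporary deferral, 5xx a permanent rejection
        row["deferred" if hit["code"] < 500 else "blocked"] += 1
        row["negotiated_bits"].add(hit["negotiated_bits"])
        row["required_bits"].add(hit["required_bits"])
    return dict(report)

def intermittent_domains(report):
    """Domains with both delivered and 'too weak' outcomes."""
    return sorted(d for d, r in report.items()
                  if r["delivered"] and (r["deferred"] or r["blocked"]))

# Constructed sample events (recipient, SMTP response); not real SendGrid output.
SAMPLE_EVENTS = [
    ("alice@example.com", "250 2.0.0 OK"),
    ("bob@example.com", "450 4.7.0 Encryption too weak 128 less than 168"),
    ("carol@example.com", "503 5.7.0 Encryption too weak 128 less than 168"),
    ("dave@example.org", "250 2.0.0 OK"),
    ("erin@example.net", "550 5.1.1 User unknown"),
]
```

A domain that appears in intermittent_domains() with a negotiated value below the required value matches the gateway mismatch described under Cause, and the per-domain counts can be passed to the recipient's admins as evidence.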
