Merge pull request #35916 from VanMSFT/vanmsft/work-2025-11-24

prmerger-automator[bot] · web-flow · commit 1dfd780f100b · 2025-12-01T18:36:24.000Z
Database Mail | Add TLS 1.3 support documentation
diff --git a/docs/relational-databases/security/networking/tls-1-3.md b/docs/relational-databases/security/networking/tls-1-3.md
@@ -3,10 +3,10 @@ title: TLS 1.3 support
 description: This article discusses TLS 1.3 support with SQL Server 2022 and Azure SQL Database.
 author: srdan-bozovic-msft
 ms.author: srbozovi
-ms.date: 11/18/2025
+ms.date: 11/24/2025
 ms.service: sql
 ms.subservice: security
-ms.topic: conceptual
+ms.topic: concept-article
 ms.custom:
   - ignite-2025
 monikerRange: ">=sql-server-ver16 || =azuresqldb-mi-current || =azuresqldb-current || >=sql-server-linux-ver16 || =fabric-sqldb"
@@ -61,6 +61,7 @@ Currently, the following operating systems support TLS 1.3:
 - [Merge replication](../../replication/merge/merge-replication.md#configure-tls-13-encryption)
 - [Snapshot replication](../../replication/snapshot-replication.md#configure-tls-13-encryption)
 - [Log shipping](../../../database-engine/log-shipping/about-log-shipping-sql-server.md#enforce-tls-13-encryption)
+- [Database Mail](../../database-mail/database-mail.md)
 
 ### Setup limitations
 
@@ -94,6 +95,8 @@ SQL Server 2025 introduces secure-by-default configurations for several features
 
 - **Replication**: (Transactional, Snapshot, Merge) Uses Microsoft OLE DB Driver for SQL Server version 19 with `Encrypt=Mandatory` and requires valid certificates with `TrustServerCertificate=False`.
 
+- **Database Mail**: The default settings are `Encrypt=Optional` and `TrustServerCertificate=True`. When TLS 1.3 is enforced, these values change to `Encrypt=Strict` and `TrustServerCertificate=False`. By default, Azure SQL Managed Instance uses the TLS 1.3 protocol.
+
 - **PolyBase**: Uses ODBC Driver for SQL Server version 18 with `Encrypt=Yes` (`Mandatory`). PolyBase allows `TrustServerCertificate=True` for self-signed scenarios.
 
 - **SQL VSS Writer**: When connecting to a SQL Server 2025 instance with `Encryption=Strict`, SQL VSS Writer will use TLS 1.3 and TDS 8.0 for the non-Virtual Device Interface (VDI) part of that connection.
