diff --git a/backend/internal/service/email_service.go b/backend/internal/service/email_service.go
index 425887cd..9cfd3bbd 100644
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -196,6 +196,14 @@ func (s *EmailService) sendMailPlain(addr string, auth smtp.Auth, from, to strin
 }
 defer func() { _ = client.Close() }()
+ // Opportunistic STARTTLS: upgrade to encrypted connection if the server supports it.
+ // This mirrors the behavior of smtp.SendMail which we replaced for timeout support.
+ if ok, _ := client.Extension("STARTTLS"); ok {
+ if err = client.StartTLS(&tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}); err != nil {
+ return fmt.Errorf("starttls: %w", err)
+ }
+ }
+
+ if err = client.Auth(auth); err != nil {
 return fmt.Errorf("smtp auth: %w", err)
 }
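Review bot: The fallback to plaintext when STARTTLS is not advertised is silent, so anything on the path that removes the capability from the EHLO reply downgrades the session, and `client.Auth` and the message body then go out unencrypted. net/smtp's PlainAuth refuses to send credentials over a non-TLS connection to a non-local host, but that protection depends on which smtp.Auth the caller passes and never covers the message content. Consider making cleartext delivery an explicit opt-in, e.g. `} else if !allowPlaintext { return errors.New("smtp: server does not offer STARTTLS") }`, where `allowPlaintext` is a proposed setting rather than an existing one, and at least log when the upgrade is skipped. `host` and the rest of sendMailPlain are defined outside the hunk, so this assumes `host` is the hostname part of `addr`.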