“STARTTLS” is the command an email server sends if it wants to encrypt communications (using Transport Layer Security or “TLS”) with another email server. If your server supports STARTTLS, that means any other server that supports STARTTLS can communicate securely with it.
This checks that your email server sends the STARTTLS command correctly and accepts the STARTTLS command from other servers.
TLS has changed many times over the years. Researchers have discovered security flaws in some older versions, named “SSLv2” and “SSLv3”, so technologists across the internet are working to deprecate SSLv2/3.
This checks that your email server does not allow establishing a valid TLS connection over SSLv2/3.
On the internet, even if you think you’re talking to a service named “eff.org”, it could be an impersonator pretending to be “eff.org”. Checking a mail server’s certificate helps ensure that you really are talking to the actual service.
In order for your certificate to be valid for your email domain, it should be unexpired, chain to a valid root, and one of the names on the certificate should either match the domain (the part of an email address after the @) or the server’s hostname (the name of the server, as indicated by an MX record).
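The three conditions above can be evaluated as in the following added example, which is not this checker's own code. It assumes the certificate fields arrive as a dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, that the TLS handshake has already verified the chain to a trusted root, and that wildcards follow the usual left-most-label convention; the function names and the sample certificate are constructed for illustration.

```python
import ssl

def name_matches(pattern, hostname):
    """Compare one certificate DNS name with a hostname, case-insensitively.
    A wildcard counts only as the entire left-most label (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:] and "." in rest
    return False

def check_mail_cert(cert, email_domain, mx_hostname, now):
    """Return a list of problems; an empty list means the checks passed.

    cert is a dict shaped like ssl.SSLSocket.getpeercert() output and
    now is seconds since the epoch. Chaining to a valid root is assumed
    to have been enforced by the TLS handshake itself, e.g. a context
    from ssl.create_default_context(), so it is not repeated here.
    """
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    targets = (email_domain, mx_hostname)
    if not any(name_matches(n, t) for n in names for t in targets):
        problems.append("no name matches the email domain or MX hostname")
    return problems

# Constructed sample certificate fields (not taken from a real server).
SAMPLE_CERT = {
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Apr 15 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "*.mail.example.net"),),
}

if __name__ == "__main__":
    # 1709251200 is 2024-03-01 00:00:00 UTC, inside the validity window.
    print(check_mail_cert(SAMPLE_CERT, "example.net", "mx1.mail.example.net", 1709251200))
```

A wildcard such as `*.mail.example.net` covers `mx1.mail.example.net` but not `a.b.mail.example.net`, a mismatch that is easy to miss when MX hosts are renamed.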
MTA-STS is a new standard for protecting mailservers’ TLS information from tampering (like STARTTLS downgrades) once another server has securely discovered your MTA-STS policy and made a first successful secure connection. If your server supports MTA-STS, other servers can save and remember your TLS information, and use it in the future to identify on-path attacks.
This checks that your email server advertises its own TLS information via MTA-STS, but not whether it saves other servers’ TLS information via MTA-STS.