Secure your email server with STARTTLS Everywhere! Your email service can be insecure in numerous different ways. The service below performs a quick check of your email server's security configuration, including whether STARTTLS and MTA-STS are supported, and whether it may qualify for the STARTTLS Policy List.

How secure is your email server?

Enter a valid email domain, the part of your email address after the @.

This tool checks whether your email domain…

Supports STARTTLS

“STARTTLS” is the command an email server sends if it wants to encrypt communications (using Transport Layer Security or “TLS”) with another email server. If your server supports STARTTLS, that means any other server that supports STARTTLS can communicate securely with it.

This checks that your email server sends the STARTTLS command correctly, as well as accepting the STARTTLS command from other servers.

Uses a secure version of TLS

TLS has changed many times over the years. Researchers have discovered security flaws in some older versions, named “SSLv2” and “SSLv3”, so technologists across the internet are working to deprecate SSLv2/3.

This checks that your email server does not allow establishing a valid TLS connection over SSLv2/3.

Presents a valid certificate

On the internet, even if you think you’re talking to a service named “eff.org”, it could be an impersonator pretending to be “eff.org”. Checking a mail server’s certificate helps ensure that you really are talking to the actual service.

In order for your certificate to be valid for your email domain, it should be unexpired, chain to a valid root, and one of the names on the certificate should either match the domain (the part of an email address after the @) or the server’s hostname (the name of the server, as indicated by an MX record).

Advertises MTA-STS policy

MTA-STS is a new standard for protecting mailservers’ TLS information from tampering (like STARTTLS downgrades) after the first secure discovery of MTA-STS and successful secure connection. If your server supports MTA-STS, other servers can remember and save your TLS information in the future and identify on-path attacks.

This checks that your email server advertises its own TLS information via MTA-STS, but not whether it saves other servers’ TLS information via MTA-STS.

If all three pass, your domain may qualify for the STARTTLS policy list!