STARTTLS Policy List

The STARTTLS Policy List is a list of email domains that meet a minimum set of security requirements. By providing a list of email domains that support TLS encryption and present valid certificates, the STARTTLS Policy List gives mailservers another point of reference for discovering whether other mailservers support STARTTLS.

You can verify the list with the corresponding PGP signature. A detailed specification of the list’s format is also available.

Using the list

A minimal way to fetch and verify the policy list is to run the following commands in a writable directory, after downloading the signing public key (public-key.txt), the list (policy.json) and its detached signature (policy.json.asc):

gpg --dearmor public-key.txt
gpg --verify --keyring ./public-key.txt.gpg policy.json.asc policy.json

We recommend using our script, which does the above and performs more checks. If you are actively using the list, you must fetch updates at least once every 48 hours. We provide a sample cronjob to do this.

Every policy JSON has an expiry date in its top-level configuration, after which we cannot guarantee deliverability if you continue to use the expired list.


A domain’s policy, enforce or testing, asks that relays which connect to that domain’s MX server and cannot establish a TLS connection potentially abort sending and report what went wrong to the target domain. That is the behavior specified by SMTP MTA Strict Transport Security (MTA-STS), an upcoming protocol which this Policy List aims to complement by providing an alternative method for advertising a mail server’s security policy.


Our starttls-policy Python package can fetch updates to and iterate over the existing list. If you use Postfix, we provide utilities to transform the policy list into configuration parameters that Postfix understands.
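The following is an added example, not code from the STARTTLS Everywhere project or its starttls-policy package, illustrating the three consumer-side steps described above: refusing an expired list, honoring the 48-hour refresh interval, and turning enforce/testing entries into Postfix smtp_tls_policy_maps lines. The JSON key names (timestamp, expires, policies, mode, mxs), the sample domains and the Postfix mapping (enforce to "secure" with a match list, testing to "may") are assumptions for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the assumed shape of a policy list; the key names
# and domains are assumptions, not values taken from the real list.
SAMPLE_POLICY_JSON = """{
  "timestamp": "2024-01-01T00:00:00+00:00",
  "expires": "2024-01-15T00:00:00+00:00",
  "policies": {
    "example.org": {"mode": "enforce", "mxs": [".example.org", "mx.example.org"]},
    "example.net": {"mode": "testing", "mxs": ["mail.example.net"]}
  }
}"""


def is_unexpired(policy, now_iso):
    """True while 'now' is before the list's top-level expiry date."""
    return datetime.fromisoformat(now_iso) < datetime.fromisoformat(policy["expires"])


def load_policy(text, now_iso):
    """Parse the list and refuse to use it once expired: enforcing stale MX
    hostnames is how an out-of-date list turns into bounced mail."""
    policy = json.loads(text)
    if not is_unexpired(policy, now_iso):
        raise ValueError("policy list expired at %s" % policy["expires"])
    return policy


def needs_refresh(policy, now_iso, max_age=timedelta(hours=48)):
    """True when the local copy is older than the required 48-hour fetch interval."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(policy["timestamp"])
    return age > max_age


def to_postfix_policy_map(policy):
    """Render one smtp_tls_policy_maps line per domain (assumed mapping).

    enforce -> 'secure' with the MX hostnames as certificate match patterns
               (a leading dot matches subdomains in Postfix match syntax);
    testing -> 'may', i.e. opportunistic TLS that never blocks delivery.
    """
    lines = []
    for domain, entry in sorted(policy["policies"].items()):
        if entry.get("mode") == "enforce":
            lines.append("%s secure match=%s" % (domain, ":".join(entry["mxs"])))
        else:
            lines.append("%s may" % domain)
    return lines
```

The rendered lines are meant for a file referenced from smtp_tls_policy_maps, which still needs postmap run over it before Postfix picks it up.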

We welcome contributions for different MTAs!

Submitting your domain to the list

When submitting your domain to the list through this form, you must provide and verify:


You can use our email security checker to evaluate your email domain’s eligibility for addition to the STARTTLS policy list. The requirements are that your domain:

Before adding a domain to the list, we keep validating the mailserver for at least one week. If validation fails at any point during that period, the domain must be resubmitted.

With that in mind, you can queue your mail domain for the STARTTLS policy list. Alternatively, you can send an email to or submit a pull request to add your domain.

Continued requirements

Failure to keep meeting these requirements could result in deliverability issues to your mailserver from any mail clients configured to use the STARTTLS policy list.

We continue to validate all the domains on the list daily. If we notice any oddities, we will notify the contact email associated with the policy submission and urge you to either update or remove your policy.

Updating or removing your policy entry on the list

If you’re migrating email hosting, you’ll need to update the MX hostnames associated with your domain’s policy.

If you’d like to request removal from the list, or an update to your policy entry (or associated contact email), contact us at

Adding pins to the list

We also accept requests to pin intermediate certificate public keys. Although this option gives operators flexibility in trust, key pinning carries higher risks of breakage and is more difficult to do correctly. As such, these requests will be judged on a case-by-case basis.

This basis will be determined by the site operator’s understanding of the following:

We will require a form of DNS validation (to submit a TXT record for the email domain with a challenge of our choice) in order to validate that the pinning request comes from the site operator. To pin your mailserver, contact us with more information about your request at