STARTTLS Policy List

The STARTTLS Policy List is a list of email domains that meet a minimum set of security requirements. By providing a list of email domains that support TLS encryption and present valid certificates, the STARTTLS Policy List gives mailservers another point of reference for discovering whether other mailservers support STARTTLS.

The list is hosted at https://dl.eff.org/starttls-everywhere/policy.json, and the corresponding detached signature at https://dl.eff.org/starttls-everywhere/policy.json.asc.

Here is a detailed specification of the list’s format.

Using the list

To download and verify the most up-to-date version of the STARTTLS policy list:

wget https://dl.eff.org/starttls-everywhere/policy.json
wget https://dl.eff.org/starttls-everywhere/policy.json.asc
gpg --recv-key B693F33372E965D76D55368616EEA65D03326C9D
gpg --trusted-key 842AEA40C5BCD6E1 --verify policy.json.asc

Our sample update_and_verify.sh script does the same. If you are actively using the list, you must fetch updates at least once every 48 hours. We provide a sample cronjob to do this.

Every policy JSON has an expiry date in its top-level configuration; after that date we cannot guarantee deliverability if you keep using the expired copy of the list.

Tooling

Our starttls-policy Python package can fetch updates to and iterate over the existing list. If you use Postfix, we provide utilities to transform the policy list into configuration parameters that Postfix understands.
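The following is an added example, not code from EFF's starttls-policy package or its Postfix utilities. It shows the two consumer-side steps the sections above describe: refusing to use a policy list past its top-level expiry, and turning list entries into Postfix smtp_tls_policy_maps lines. The page does not spell out the JSON schema, so the field names (`timestamp`, `expires`, `policies`, `mode`, `mxs`), the "leading dot matches subdomains" rule for MX names, and the sample list itself are assumptions constructed for this example.

```python
"""Added example (not EFF's starttls-policy package): check a downloaded
STARTTLS policy list for expiry, look up a domain's entry, and render
Postfix smtp_tls_policy_maps lines from it.

Assumed schema (not taken from the page): a top-level "expires" ISO 8601
timestamp, and a "policies" map keyed by email domain whose entries carry
a "mode" ("enforce" or "testing") and an "mxs" list of MX hostnames, where
a leading dot means "any subdomain of".
"""
import json
from datetime import datetime, timezone

# Constructed sample in the assumed shape; not an excerpt of the real list.
SAMPLE_POLICY_JSON = """
{
  "timestamp": "2024-05-01T00:00:00+00:00",
  "expires": "2024-05-15T00:00:00+00:00",
  "policies": {
    "example.com": {"mode": "enforce", "mxs": [".example.com", "mail.example.com"]},
    "example.net": {"mode": "testing", "mxs": ["mx1.example.net"]}
  }
}
"""


def load_policy(text):
    """Parse the policy list; the signature must already have been verified."""
    return json.loads(text)


def expiry_status(policy, now_iso):
    """Return "ok" while the list is valid, "expired" once the top-level
    expiry has passed. An expired list must not be used for enforcement."""
    now = datetime.fromisoformat(now_iso)
    expires = datetime.fromisoformat(policy["expires"])
    return "expired" if now >= expires else "ok"


def mx_matches(pattern, hostname):
    """Assumed matching rule: '.example.com' matches any subdomain of
    example.com (not the apex); anything else is an exact match.
    DNS names are case-insensitive, and a trailing dot is ignored."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("."):
        return hostname.endswith(pattern)
    return hostname == pattern


def lookup(policy, domain):
    """Entry for an email domain, or None if the domain is not on the list."""
    return policy["policies"].get(domain.lower().rstrip("."))


def postfix_tls_policy_lines(policy):
    """Render smtp_tls_policy_maps entries. 'enforce' entries get Postfix's
    'secure' level with the MX names as match= patterns (alternatives are
    colon-separated); 'testing' entries stay at 'may' so a misconfigured MX
    cannot block delivery. The mapping itself is an assumption."""
    lines = []
    for domain, entry in sorted(policy["policies"].items()):
        if entry["mode"] == "enforce":
            lines.append("%s secure match=%s" % (domain, ":".join(entry["mxs"])))
        else:
            lines.append("%s may" % domain)
    return lines


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    now = datetime.now(timezone.utc).isoformat()
    if expiry_status(policy, now) != "ok":
        raise SystemExit("policy list expired; re-fetch before use")
    print("\n".join(postfix_tls_policy_lines(policy)))
```

Run the expiry check on every refresh, not just at install time: a cron job that fetches and verifies every 48 hours but never checks `expires` will happily keep enforcing a stale list after the publisher has stopped vouching for it.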

We welcome contributions for different MTAs!

Submitting your domain to the list

When submitting your domain to the list through this form, you must provide and verify:

Validation

You can use our email security checker to evaluate your email domain’s eligibility for addition to the STARTTLS policy list. The requirements are that your domain:

Before adding a domain to the list, we continue to perform validation against the mailserver for at least one week. If it fails at any point, it must be resubmitted.

With that in mind, you can queue your mail domain for the STARTTLS policy list. Alternatively, you can send an email to starttls-policy@eff.org or submit a pull request to add your domain.

Continued requirements

Failure to continue meeting these requirements could result in deliverability issues to your mailserver, from any mail clients configured to use the STARTTLS policy list.

We continue to validate all the domains on the list daily. If we notice any oddities, we will notify the contact email associated with the policy submission and urge you to either update or remove your policy.

Updating or removing your policy entry on the list

If you’re migrating email hosting, you’ll need to update the MX hostnames associated with your domain’s policy.

If you’d like to request removal from the list, or an update to your policy entry (or its associated contact email), contact us at starttls-policy@eff.org.

Adding pins to the list

We also accept requests to pin intermediate certificate public keys. Although this option gives operators flexibility in trust, key pinning carries higher risks of breakage and is more difficult to do correctly. As such, these requests will be judged on a case-by-case basis.

This basis will be determined by the site operator’s understanding of the following:

We will require DNS validation (publishing a TXT record for the email domain that contains a challenge value of our choice) to confirm that the pinning request comes from the site operator. To pin your mailserver, contact us with more information about your request at starttls-policy@eff.org.