Supports STARTTLS
Does not support STARTTLS
“STARTTLS” is the command an email server sends if it wants to encrypt communications (using Transport Layer Security or “TLS”) with another email server. If your server supports STARTTLS, that means any other server that supports STARTTLS can communicate securely with it.
This checks that your email server sends the STARTTLS command correctly and accepts the STARTTLS command from other servers.
Uses a secure version of TLS
Does not use a secure TLS version
TLS has changed many times over the years. Researchers have discovered security flaws in some older versions, named “SSLv2” and “SSLv3”, so technologists across the internet are working to deprecate SSLv2/3.
This checks that your email server does not allow establishing a valid TLS connection over SSLv2/3.
Presents a valid certificate
Does not present a valid certificate
On the internet, even if you think you’re talking to a service named “eff.org”, it could be an impersonator pretending to be “eff.org”. Checking a mail server’s certificate helps ensure that you really are talking to the actual service.
In order for your certificate to be valid for your email domain, it should be unexpired, chain to a valid root, and one of the names on the certificate should either match the domain (the part of an email address after the @) or the server’s hostname (the name of the server, as indicated by an MX record).
Server is up and running
Could not establish connection
We couldn’t successfully connect to this mailserver to scan it. This could be an error on our side, too. If you’re having trouble getting the scanner to work, shoot us an email at starttls-policy@eff.org.
Advertises MTA-STS policy
Does not have MTA-STS policy up
MTA-STS is a new standard for protecting mailservers’ TLS information from tampering (like STARTTLS downgrades) after the first secure discovery of MTA-STS and successful secure connection. If your server supports MTA-STS, other servers can remember and save your TLS information in the future and identify on-path attacks.
This checks that your email server advertises its own TLS information via MTA-STS, but not whether it saves other servers’ TLS information via MTA-STS.
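As an added illustration of what a server "advertises" via MTA-STS (this is example code, not the scanner's own), the block below parses an RFC 8461 policy body and checks whether an MX hostname is covered by its mx patterns. The policy text, the example.com domain and the hostnames are constructed for the example.

```python
# Constructed sample policy, as it would be served at
# https://mta-sts.example.com/.well-known/mta-sts.txt (hypothetical domain).
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\n"
                 "mx: mail.example.com\r\nmx: *.backup.example.com\r\n"
                 "max_age: 604800\r\n")

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461 caps max_age at one year of seconds


def parse_policy(text):
    """Parse an RFC 8461 policy body; raise ValueError if it is not usable."""
    fields = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # a blank trailing line is allowed
        if ":" not in line:
            raise ValueError("malformed line: %r" % line)
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            fields["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            fields[key] = value
        # any other key is an extension field and is ignored (RFC 8461 3.2)
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if fields.get("mode") not in VALID_MODES:
        raise ValueError("mode must be enforce, testing or none")
    age = fields.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be an integer of seconds, at most one year")
    fields["max_age"] = int(age)
    if fields["mode"] != "none" and not fields["mx"]:
        raise ValueError("at least one mx entry is required unless mode is none")
    return fields


def mx_allowed(policy, hostname):
    """True if a DNS MX hostname is covered by one of the policy's mx patterns."""
    host = hostname.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            # '*.' matches exactly one leftmost label (RFC 8461 section 4.1):
            # '*.backup.example.com' covers 'mx1.backup.example.com' only.
            suffix = pattern[1:]
            prefix = host[:-len(suffix)]
            if host.endswith(suffix) and prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False
```

A sending server that has cached this policy in enforce mode refuses to deliver to an MX host that mx_allowed rejects, which is what makes a STARTTLS downgrade or MX substitution detectable.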