Does not support STARTTLS
“STARTTLS” is the command an email server sends if it wants to encrypt communications (using Transport Layer Security or “TLS”) with another email server. If your server supports STARTTLS, that means any other server that supports STARTTLS can communicate securely with it.
This checks that your email server sends the STARTTLS command correctly, as well as accepting the STARTTLS command from other servers.
Uses a secure version of TLS
Does not use a secure TLS version
TLS has changed many times over the years. Researchers have discovered security flaws in some older versions, named “SSLv2” and “SSLv3”, so technologists across the internet are working to deprecate SSLv2/3.
This checks that your email server does not allow establishing a valid TLS connection over SSLv2/3.
Presents a valid certificate
Does not present a valid certificate
On the internet, even if you think you’re talking to a service named “eff.org”, it could be an impersonator pretending to be “eff.org”. Checking a mail server’s certificate helps ensure that you really are talking to the actual service.
In order for your certificate to be valid for your email domain, it should be unexpired, chain to a valid root, and one of the names on the certificate should either match the domain (the part of an email address after the @) or the server’s hostname (the name of the server, as indicated by an MX record).
Server is up and running
Could not establish connectionWe couldn’t successfully connect to this mailserver to scan it. This could be an error on our side, too. If you’re having trouble getting the scanner to work, shoot us an email at email@example.com.
Advertises MTA-STS policy
Does not have MTA-STS policy up
MTA-STS is a new standard for protecting mailservers’ TLS information from tampering (like STARTTLS downgrades) after the first secure discovery of MTA-STS and successful secure connection. If your server supports MTA-STS, other servers can remember and save your TLS information in the future and identify on-path attacks.
This checks that your email server advertises its own TLS information via MTA-STS, but not whether it saves other servers’ TLS information via MTA-STS.