Free SMTP TLS Checker & STARTTLS Tester

Test your mail server's SMTP TLS encryption instantly. Check STARTTLS support, TLS protocol versions (1.2/1.3), cipher strength, and certificate validity. Free SMTP security scanner for email servers.

Why SMTP TLS Matters

SMTP TLS encryption protects email content and credentials during transmission between mail servers.

Data Protection

Encrypts email content during server-to-server transfer

Credential Security

Protects SMTP authentication credentials

Privacy Compliance

Meets regulatory requirements for data in transit

Deliverability

Required by many providers for email acceptance

Live SMTP TLS Probe

MX Host Analysis

mail.example.com (Priority 10) TLS Supported

STARTTLS

✓ Available

TLS Version

TLS 1.3, 1.2

Certificate

✓ Valid

backup.example.com (Priority 20) Weak Config

STARTTLS

✓ Available

TLS Version

TLS 1.2, 1.1

Certificate

✓ Valid

Cipher Suite Analysis

✅ Strong Ciphers

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_AES_128_GCM_SHA256

⚠️ Weak Ciphers

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

B+

TLS Security Grade

Good configuration with room for improvement

Enter a domain above to analyze SMTP TLS configuration

TLS Protocol Security

Understanding TLS version security implications.

✅ Secure Protocols

TLS 1.3 Recommended

Latest standard with improved security and performance

TLS 1.2 Acceptable

Widely supported and secure when properly configured

❌ Insecure Protocols

TLS 1.1 Deprecated

Contains vulnerabilities, should be disabled

TLS 1.0 Insecure

Multiple known vulnerabilities, must be disabled

SSL 3.0/2.0 Broken

Completely compromised, never use

SMTP TLS Hardening Guide

Best practices for securing your mail server's TLS configuration.

Enable Strong Protocols Only

Disable TLS 1.1 and below, enable TLS 1.2 minimum:

# Postfix example
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Configure Strong Ciphers

Prefer AEAD ciphers and disable weak algorithms:

smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, SRP, CAMELLIA, SEED

Certificate Best Practices

• Use certificates from trusted CAs

• Include all MX hostnames in SAN

• Use 2048-bit RSA or 256-bit ECDSA keys minimum

• Enable OCSP stapling for better performance

Related Email Security Tools

MTA-STS Checker

Enforce TLS with MTA-STS policies

TLS-RPT Generator

Monitor TLS connection reports

Deliverability Test

Complete email security audit

Run a Full Email Security Audit

Check SMTP TLS, DMARC, SPF, DKIM, and more in one scan

Run Full Deliverability Test

Frequently Asked Questions

Are TLS 1.0/1.1 still risky?

Yes, TLS 1.0 and 1.1 have known vulnerabilities and should be disabled. Use TLS 1.2 minimum, preferably TLS 1.3 for new implementations. Major browsers and email providers are phasing out support for older TLS versions.

How to prefer modern ciphers?

Configure your mail server to prioritize AEAD ciphers (AES-GCM, ChaCha20-Poly1305) and disable weak ciphers like RC4, DES, and export-grade ciphers. Use cipher suite ordering to prefer stronger algorithms.

What if STARTTLS is not available?

If STARTTLS is not available, emails will be sent unencrypted, which poses security risks. Enable STARTTLS on your mail server and ensure proper certificate configuration. Some providers may reject emails from servers without TLS support.