STARTTLS Studio
SMTP STARTTLS tester
Check whether a mail server offers STARTTLS and negotiates a modern, trusted, encrypted connection — the way a sending server sees it.
What STARTTLS is
SMTP starts as a plaintext conversation. STARTTLS is the command a mail server advertises to say “we can upgrade this connection to TLS”. If a server does not offer it, mail to and from it travels in the clear and can be read on the wire.
What we test
For each of a domain’s MX hosts, we connect over SMTP, check that STARTTLS is offered, complete the TLS handshake, and read the certificate: who issued it, whether it is currently valid, whether it matches the mail host, and which TLS version and protocols were negotiated.
Why it matters
STARTTLS protects mail in transit between servers. Combined with MTA-STS — which makes senders require it — it closes the plaintext-fallback gap. This tool shows you the raw capability of each mail host so you can see exactly what a sending server would find.
Frequently asked
Is STARTTLS the same as SMTPS?
No. STARTTLS upgrades an existing plaintext SMTP connection (commonly port 25 or 587) to TLS. SMTPS uses TLS from the first byte on a dedicated port (465). Both give an encrypted session; STARTTLS is what server-to-server mail on port 25 uses.
Why can a certificate be valid but still flagged?
A certificate can be in date and trusted yet not match the mail host name it is served on. Sending servers that enforce strict TLS (via MTA-STS or DANE) will reject a mismatched certificate, so we call it out.
Which port does this check?
Server-to-server delivery uses port 25 with STARTTLS, which is what this tool tests against your MX hosts. It is the path other mail servers actually use to reach you.