STARTTLS Studio

Mail server tester

Every MX for your domain, probed from our server the way a sending mail server sees it: STARTTLS & implicit TLS on ports 25, 587 and 465, the certificate it presents, an open-relay test, reverse DNS, DANE and MTA-STS — graded A–F.

Probes every MX on ports 25, 587 and 465 from our server — checks the edge can't run.

What this checks that a browser can't

A web page cannot open a raw SMTP connection, and both major edge networks block outbound port 25 — so a normal online checker can only read your DNS. This test runs from a real server with port-25 egress, so it actually connects to each mail server and completes the TLS handshake, reads the certificate, and safely checks whether the server would relay mail for a stranger (an open relay).

What a good result looks like

Every MX offers STARTTLS on port 25 with a publicly trusted certificate that matches its hostname, negotiates TLS 1.2 or 1.3, refuses to relay, and has valid reverse DNS (FCrDNS). Publishing MTA-STS and TLS-RPT then stops downgrade attacks and gives you reporting. For the single STARTTLS view, use the STARTTLS tester; for the whole domain, the full report.