STARTTLS Studio
Mail server tester
Every MX for your domain, probed from our server the way a sending mail server sees it: STARTTLS & implicit TLS on ports 25, 587 and 465, the certificate it presents, an open-relay test, reverse DNS, DANE and MTA-STS — graded A–F.
What this checks that a browser can't
A web page cannot open a raw SMTP connection, and both major edge networks block outbound port 25 — so a normal online checker can only read your DNS. This test runs from a real server with port-25 egress, so it actually connects to each mail server and completes the TLS handshake, reads the certificate, and safely checks whether the server would relay mail for a stranger (an open relay).
What a good result looks like
Every MX offers STARTTLS on port 25 with a publicly trusted certificate that matches its hostname, negotiates TLS 1.2 or 1.3, refuses to relay, and has valid reverse DNS (FCrDNS). Publishing MTA-STS and TLS-RPT then stops downgrade attacks and gives you reporting. For the single STARTTLS view, use the STARTTLS tester; for the whole domain, the full report.