What is STARTTLS?

How mail servers upgrade a plaintext SMTP conversation to an encrypted one — and where it falls short.

STARTTLS is an SMTP command that upgrades a plaintext mail connection to an encrypted TLS one. A receiving mail server advertises STARTTLS in its capabilities; a sending server issues the command and, if it succeeds, the rest of the conversation — including the message — is encrypted.

Opportunistic by default

Classic server-to-server mail on port 25 uses STARTTLS opportunistically: TLS is used if offered, but the sender falls back to plaintext if STARTTLS is missing or the handshake fails. That fallback is silent, which is why a network attacker can strip STARTTLS and downgrade the connection.

Closing the gap

MTA-STS and DANE turn opportunistic TLS into required TLS: they let a domain declare that senders must use STARTTLS with a valid certificate, so a stripped or mismatched connection is refused rather than silently downgraded.

What a healthy mail host looks like

A healthy mail host offers STARTTLS on every MX host, presents a certificate that is in date, issued by a trusted CA and matching the host name, and negotiates TLS 1.2 or 1.3. This tool checks each of those for you.
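The opportunistic-versus-required decision described above, together with the health check, as an added Python example that is not part of this page or its tool. `parse_ehlo`, `decide` and `live_check` are names chosen here; the EHLO reply bodies are constructed samples in the form `smtplib.SMTP.ehlo()` returns.

```python
"""Model of the STARTTLS upgrade decision, plus a live check built on smtplib."""
import smtplib
import ssl


def parse_ehlo(ehlo_msg: bytes) -> set[str]:
    """Extract capability keywords from an EHLO reply body (first line is the greeting)."""
    lines = ehlo_msg.decode("ascii", "replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.split()}


def decide(capabilities: set[str], handshake_ok: bool, tls_required: bool) -> str:
    """Return 'encrypted', 'plaintext' or 'refused'.

    tls_required=False models opportunistic TLS on port 25: a missing STARTTLS
    or a failed handshake silently falls back to plaintext.
    tls_required=True models a domain covered by MTA-STS (enforce) or DANE:
    the same failure aborts the connection instead.
    """
    if "STARTTLS" in capabilities and handshake_ok:
        return "encrypted"
    return "refused" if tls_required else "plaintext"


def live_check(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an MX host, attempt STARTTLS with chain, expiry and host-name
    verification, and report what was negotiated. Needs network access, so the
    offline test does not call it."""
    result = {"starttls_offered": False, "tls_version": None, "error": None}
    ctx = ssl.create_default_context()            # verifies chain, expiry, host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older than 1.2
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls_offered"] = smtp.has_extn("starttls")
            if result["starttls_offered"]:
                smtp.starttls(context=ctx)        # raises on a bad certificate
                result["tls_version"] = smtp.sock.version()
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


# Constructed sample EHLO reply bodies (hypothetical host, not a real MX)
EHLO_WITH_STARTTLS = b"mx.example.test Hello\nSIZE 52428800\nSTARTTLS\nHELP"
EHLO_STRIPPED = b"mx.example.test Hello\nSIZE 52428800\nHELP"  # STARTTLS absent
```

Run `live_check("<your MX host>")` against a host you operate to see the offered flag, negotiated version and any verification error the checker would report.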

