STARTTLS Checker
Learn how STARTTLS encrypts email in transit and what TLS versions your mail servers should support.
What is STARTTLS?
STARTTLS is an SMTP extension (RFC 3207) that upgrades a plain text connection to an encrypted one using Transport Layer Security (TLS). When two mail servers communicate, they initially connect over an unencrypted channel on port 25. The receiving server advertises the capability in its reply to the sender's EHLO command; if it does, the sending server issues the STARTTLS command, and both sides complete a TLS handshake before any email content is transmitted.
Opportunistic Encryption
STARTTLS provides what's known as opportunistic encryption: encryption is used when available but isn't mandatory. If a receiving server doesn't advertise STARTTLS or the TLS negotiation fails, the sending server typically falls back and delivers the message unencrypted. This approach favours delivery over confidentiality, and because the capability is advertised in plain text, an attacker on the path can simply strip the STARTTLS line from the EHLO reply (or tamper with the reply to the STARTTLS command) so that the sender never attempts TLS. This is a downgrade attack. Most opportunistic senders also do not validate the receiving server's certificate, so even a successful handshake gives no assurance that the other end is the legitimate server.
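The EHLO/STARTTLS exchange described above, and what a STARTTLS-stripping attacker changes in it, as an added example (not MailHealth's code). The server replies, hostnames and addresses are constructed samples and nothing here touches the network; `require_tls=True` models a sender under an enforced policy such as MTA-STS, which is an assumption of this example rather than a setting of any particular MTA.

```python
"""Simulated SMTP STARTTLS negotiation and a STARTTLS-stripping downgrade.

Added example, not MailHealth's code. All replies below are constructed.
SMTP multi-line replies use "250-" on continuation lines and "250 " on the last.
"""

EHLO_REPLY_WITH_STARTTLS = (
    "250-mx.example.net Hello sender.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)
EHLO_REPLY_NO_STARTTLS = (
    "250-legacy.example.net Hello sender.example.org\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_reply(reply: str) -> dict:
    """Parse a multi-line 250 reply into {KEYWORD: parameter} (keywords upper-cased)."""
    lines = reply.rstrip("\r\n").split("\r\n")
    if not lines or not all(l.startswith("250") for l in lines):
        raise ValueError("not a successful EHLO reply")
    caps = {}
    for line in lines[1:]:          # first line is the greeting, not a capability
        if len(line) < 5:
            continue
        keyword, _, param = line[4:].partition(" ")
        caps[keyword.upper()] = param
    return caps


def strip_starttls(reply: str) -> str:
    """What an on-path attacker does: remove the STARTTLS advertisement.

    The reply is kept well-formed (last line switched to "250 ") so the
    sending MTA sees nothing suspicious, just a server with no STARTTLS.
    """
    lines = [l for l in reply.rstrip("\r\n").split("\r\n")
             if l[4:].upper() != "STARTTLS"]
    if not lines:
        return "250 OK\r\n"
    lines[-1] = "250 " + lines[-1][4:]
    return "\r\n".join(lines) + "\r\n"


def plan_delivery(ehlo_reply: str, require_tls: bool) -> str:
    """Decide what the sending MTA does next.

    require_tls=False is plain opportunistic STARTTLS: send in the clear when
    the capability is absent. require_tls=True models an enforced policy
    (e.g. MTA-STS enforce mode): refuse rather than fall back to plaintext.
    """
    caps = parse_ehlo_reply(ehlo_reply)
    if "STARTTLS" in caps:
        return "STARTTLS"       # client sends STARTTLS, expects "220 Ready to start TLS"
    if require_tls:
        return "ABORT"          # policy forbids cleartext: message stays queued
    return "PLAINTEXT"          # opportunistic fallback: the downgrade succeeds


def transcript(ehlo_reply: str, require_tls: bool) -> list:
    """Render both sides of the exchange ('C:' sender, 'S:' receiver)."""
    log = ["S: 220 ESMTP service ready", "C: EHLO sender.example.org"]
    log += ["S: " + l for l in ehlo_reply.rstrip("\r\n").split("\r\n")]
    action = plan_delivery(ehlo_reply, require_tls)
    if action == "STARTTLS":
        log += ["C: STARTTLS",
                "S: 220 2.0.0 Ready to start TLS",
                "-- TLS handshake; everything below is encrypted --",
                "C: EHLO sender.example.org",   # RFC 3207: state resets, client must re-EHLO
                "C: MAIL FROM:<alice@sender.example.org>"]
    elif action == "PLAINTEXT":
        log += ["C: MAIL FROM:<alice@sender.example.org>   (sent in the clear)"]
    else:
        log += ["C: QUIT   (policy requires TLS; message stays queued)"]
    return log


if __name__ == "__main__":
    stripped = strip_starttls(EHLO_REPLY_WITH_STARTTLS)
    for title, reply, req in [("normal", EHLO_REPLY_WITH_STARTTLS, False),
                              ("stripped, opportunistic sender", stripped, False),
                              ("stripped, sender requires TLS", stripped, True)]:
        print(f"== {title} ==")
        print("\n".join(transcript(reply, req)))
```

Running it prints three transcripts: the normal upgrade, the same server with the STARTTLS line removed and the sender quietly continuing in plaintext, and the same stripped reply against a sender that refuses cleartext. The point of the last case is that stripping only works when the sender is willing to fall back.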
To enforce encryption and prevent downgrade attacks, implement MTA-STS (RFC 8461) alongside STARTTLS. A domain publishes a short policy over HTTPS (for example.com, at https://mta-sts.example.com/.well-known/mta-sts.txt) and signals its existence with a _mta-sts TXT record in DNS. In enforce mode, supporting senders must connect with TLS, validate the server certificate against the MX hosts listed in the policy, and refuse to deliver in plaintext rather than fall back.
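How a sender applies an MTA-STS policy once it has fetched it, as an added example (not MailHealth's code and not a complete MTA-STS client). The policy text, MX hosts and per-host TLS results are constructed; a real sender would fetch the policy over HTTPS after seeing the DNS record, cache it for `max_age` seconds, and send TLS-RPT reports for the failures.

```python
"""Parse an MTA-STS policy (RFC 8461) and apply it to a domain's MX hosts.

Added example, not MailHealth's code. SAMPLE_POLICY is a constructed policy
as it would be served at https://mta-sts.<domain>/.well-known/mta-sts.txt.
"""

SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.mail.example.com
max_age: 604800
"""


def parse_policy(text: str) -> dict:
    """Parse 'key: value' lines; 'mx' may repeat, the others must appear once."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in policy:
            raise ValueError(f"policy is missing {required}")
    if policy["version"] != "STSv1":
        raise ValueError("unsupported policy version")
    if policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError("unsupported policy mode")
    policy["max_age"] = int(policy["max_age"])
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """MX matching per RFC 8461: exact host, or a '*.' wildcard covering one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".mail.example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def evaluate(policy: dict, mx_hosts: list, tls_ok: dict) -> dict:
    """Per MX host: 'deliver', 'deliver-and-report' (testing mode) or 'refuse'.

    tls_ok maps host -> True when STARTTLS succeeded with a certificate that
    validates for that host. A host is acceptable only if it is both listed
    in the policy and reached over validated TLS.
    """
    verdicts = {}
    for host in mx_hosts:
        listed = any(mx_matches(p, host) for p in policy["mx"])
        acceptable = listed and tls_ok.get(host, False)
        if acceptable or policy["mode"] == "none":
            verdicts[host] = "deliver"
        elif policy["mode"] == "testing":
            verdicts[host] = "deliver-and-report"  # delivery continues, failure reported via TLS-RPT
        else:
            verdicts[host] = "refuse"              # enforce: no cleartext, no unlisted MX
    return verdicts


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    # Constructed probe results: a rogue MX injected into DNS answers, and a
    # listed host whose certificate failed validation.
    hosts = ["mx1.example.com", "rogue.example.net", "backup.mail.example.com"]
    tls_ok = {"mx1.example.com": True, "rogue.example.net": True,
              "backup.mail.example.com": False}
    for host, verdict in evaluate(policy, hosts, tls_ok).items():
        print(f"{host:28s} {verdict}")
```

The rogue host illustrates why the MX list matters: it completed TLS with a valid certificate for its own name, but it is not a host the domain owner listed, so an enforcing sender refuses it. Downgrading the policy to testing mode keeps mail flowing while the domain collects TLS-RPT reports about such failures.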
TLS Versions Matter
Not all TLS is created equal. Older versions have known vulnerabilities:
- TLS 1.0 and 1.1: Formally deprecated (RFC 8996) because of weak cipher suites and outdated hash constructions. Major email providers are phasing out support.
- TLS 1.2: Currently the minimum recommended version; widely supported and secure when paired with modern cipher suites (ECDHE key exchange, AEAD ciphers).
- TLS 1.3: The latest standard. It removes legacy ciphers and RSA key exchange, provides forward secrecy by default, and completes the handshake in fewer round trips.
Mail servers should disable TLS 1.0 and 1.1, accepting only TLS 1.2 or higher. Our checker verifies which TLS version your mail servers negotiate and flags deprecated versions.
What We Check
MailHealth's STARTTLS checker connects to your MX servers and verifies:
- Whether STARTTLS is offered during the SMTP handshake
- The TLS version negotiated (flagging deprecated versions)
- Certificate validity and expiration dates
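A probe that performs the three checks listed above with the Python standard library, as an added example (not MailHealth's checker). `check_mx()` does a live connection to port 25 of the host you pass on the command line, so it needs outbound SMTP access; the helpers it relies on (version classification, the client TLS context, certificate expiry arithmetic) are separated out so they can be exercised offline, and the certificate date in the usage below is a constructed value.

```python
"""STARTTLS probe: capability, negotiated TLS version, certificate expiry.

Added example, not MailHealth's own checker. Uses only the standard library.
"""
import smtplib
import ssl
import sys
import time

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # TLS 1.0/1.1 deprecated by RFC 8996
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def assess_version(negotiated: str) -> str:
    """Classify the string ssl.SSLSocket.version() returns: 'ok', 'deprecated' or 'unknown'."""
    if negotiated in ACCEPTABLE:
        return "ok"
    if negotiated in DEPRECATED:
        return "deprecated"
    return "unknown"


def probe_context() -> ssl.SSLContext:
    """Client context for the probe: verify chain and hostname, refuse anything below TLS 1.2.

    A server that only speaks TLS 1.0/1.1 fails the handshake here, which is
    itself the finding we want rather than something to work around.
    """
    ctx = ssl.create_default_context()          # system CA store, CERT_REQUIRED, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_days_remaining(not_after: str, now=None) -> float:
    """Days until notAfter, in the format getpeercert() uses ('Jun  1 12:00:00 2030 GMT')."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expiry - now) / 86400


def check_mx(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live probe: EHLO, STARTTLS, then report version, cipher and certificate lifetime.

    Raises ssl.SSLError if the certificate does not validate or the server
    cannot negotiate TLS 1.2 or better; callers should treat that as a failed check.
    """
    result = {"host": host, "starttls": False}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return result                               # not advertised: cleartext only
        smtp.starttls(context=probe_context())
        result["starttls"] = True
        sock = smtp.sock                                # now an ssl.SSLSocket
        result["version"] = sock.version()
        result["verdict"] = assess_version(result["version"])
        result["cipher"] = sock.cipher()[0]
        result["cert_days_left"] = round(cert_days_remaining(sock.getpeercert()["notAfter"]), 1)
    return result


if __name__ == "__main__":
    # Offline demonstration with a constructed expiry date, then live probes of any hosts given.
    print("constructed cert expiring 2030-06-01:",
          round(cert_days_remaining("Jun  1 12:00:00 2030 GMT")), "days left")
    for mx in sys.argv[1:]:
        try:
            print(check_mx(mx))
        except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
            print(f"{mx}: check failed: {exc}")
```

Because `probe_context()` refuses TLS 1.0 and 1.1 outright, a deprecated-only server shows up as a handshake failure rather than a negotiated version; if you want to record which old version such a server would pick, run a second probe with a permissive context and pass its result through `assess_version()`.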
Properly configured STARTTLS is essential for protecting email content in transit. Combined with MTA-STS and TLS-RPT reporting, you can ensure your email infrastructure uses modern encryption standards.
Ready to Check Your Domain?
Get a free, instant email deliverability report for your domain.
Check Your Domain