Free TLS Security Checker (STARTTLS, MTA-STS, TLS-RPT)

Check TLS/STARTTLS email security configuration, validate MTA-STS enforcement, and verify TLS-RPT reporting.

TLS Security Checker

Check TLS/STARTTLS security configuration including MTA-STS and TLS-RPT

What is TLS/STARTTLS Email Security?

Overview

TLS (Transport Layer Security) and STARTTLS encrypt email transmission between mail servers, protecting messages from interception and tampering during delivery. MTA-STS (Mail Transfer Agent Strict Transport Security) enforces TLS encryption policies, while TLS-RPT (TLS Reporting) provides visibility into TLS connectivity issues and potential security threats.

How STARTTLS Works

  1. Initial Connection: Sending server connects to the receiving server's MX host on port 25 (unencrypted)
  2. STARTTLS Command: After the receiving server advertises STARTTLS in its EHLO response, the sending server issues the STARTTLS command to initiate encryption
  3. TLS Negotiation: Both servers negotiate the TLS version and cipher suite and exchange certificates
  4. Encrypted Channel: All subsequent SMTP commands and message data are carried inside the TLS session
  5. Message Delivery: The email is transmitted over the encrypted connection

What is MTA-STS?

MTA-STS is a security standard that lets a domain owner declare that mail for the domain must be delivered over TLS, to the MX hosts listed in the policy, with certificates that validate. It protects against downgrade attacks in which an attacker strips STARTTLS or otherwise forces unencrypted delivery. MTA-STS requires:

  • A DNS TXT record at _mta-sts.yourdomain.com
  • A policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  • Valid HTTPS certificate for the policy domain

MTA-STS Policy Modes

enforce

Strictly require TLS encryption. Sending servers must not deliver if TLS fails. Recommended for production.

testing

Request TLS but allow fallback to unencrypted if TLS fails. Use for testing before full enforcement.

none

Disable MTA-STS policy. Used to deactivate a previously published policy.
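The following is an added example, not the checker's own code: it parses the `_mta-sts` TXT record and the policy file described above, applies the checks this page lists (version, mode, `max_age`, `mx` entries) and tests whether an MX hostname is covered by the policy's `mx` patterns, including the single-label `*.` wildcard. The TXT record and policy text are constructed samples embedded inline, so nothing is fetched from the network.

```python
# Constructed samples: the _mta-sts TXT record and the policy file a checker
# would fetch from https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_TXT = "v=STSv1; id=20240101T000000Z"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail1.example.com\nmx: *.example.net\nmax_age: 604800\n"

def parse_sts_txt(txt):
    """Split 'v=STSv1; id=...' into a dict; raise if it is not an MTA-STS record."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields

def parse_policy(text):
    """Parse 'key: value' lines into a dict; every 'mx' line is collected in a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        elif key:
            policy[key] = value
    return policy

def check_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    if policy.get("version") != "STSv1":
        findings.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        findings.append("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        findings.append("max_age missing or not an integer")
    elif int(policy["max_age"]) < 86400:
        findings.append("max_age below 86400 seconds (1 day)")
    if policy.get("mode") != "none" and not policy["mx"]:
        findings.append("no mx entries")
    return findings

def mx_matches(policy, hostname):
    """True if hostname is covered by an mx entry; '*.x' matches exactly one extra label."""
    host = hostname.lower().rstrip(".")
    for pattern in (p.lower() for p in policy["mx"]):
        # "*.example.net" covers mail.example.net but not example.net or a.b.example.net
        if host == pattern or (pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]):
            return True
    return False
```

A real checker would feed `parse_sts_txt` the TXT record from DNS and `parse_policy` the body fetched over HTTPS, then run `mx_matches` against every MX hostname returned for the domain.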

What is TLS-RPT?

TLS-RPT (TLS Reporting) is a mechanism for receiving daily reports about TLS connectivity issues. When sending servers encounter TLS problems delivering to your domain, they send aggregate reports to the address you specify in your TLS-RPT DNS record. This helps you:

  • Monitor TLS adoption and connectivity health
  • Detect certificate expiration or misconfiguration
  • Identify potential man-in-the-middle attacks
  • Track MTA-STS policy compliance and failures

Why TLS Security Matters

  • Privacy Protection: Prevents eavesdropping on email content during transmission
  • Data Integrity: Ensures messages aren't modified in transit
  • Compliance: Required by regulations like GDPR, HIPAA, and PCI-DSS for sensitive data
  • Reputation: Major providers favor senders with proper TLS configuration
  • Attack Prevention: Protects against downgrade attacks and certificate spoofing

Implementing MTA-STS

Step-by-Step Setup

  1. Ensure TLS Support: Verify all your MX servers support STARTTLS with valid certificates
  2. Create Policy File: Host a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  3. Start with Testing Mode: Set mode to "testing" initially to monitor without breaking delivery
  4. Add DNS Record: Create _mta-sts.yourdomain.com TXT record with policy ID
  5. Configure TLS-RPT: Add _smtp._tls.yourdomain.com TXT record with reporting email
  6. Monitor Reports: Review TLS-RPT reports for issues over 2-4 weeks
  7. Switch to Enforce: Update policy file to mode=enforce once confident
  8. Update DNS: Increment the policy ID in the _mta-sts TXT record; sending servers cache the policy and only re-fetch it when the ID changes

Best Practices

  • Use valid, non-expired certificates from trusted certificate authorities
  • Support TLS 1.2 or higher (disable SSLv2, SSLv3, TLS 1.0, TLS 1.1)
  • Implement both MTA-STS and TLS-RPT together for maximum visibility
  • Set MTA-STS max_age to at least 86400 seconds (1 day) in production
  • Monitor TLS-RPT reports regularly for connectivity issues
  • Keep certificates up to date and renew before expiration
  • Use strong cipher suites and modern TLS configurations