Summary
Testing inbound STARTTLS involves various methods, ranging from user-friendly online tools to command-line utilities that provide detailed control. Online tools like CheckTLS, MXToolbox, and Wormly offer easy checks. Command-line methods include OpenSSL's `s_client`, SWAKS, and manual Telnet connections. Nmap provides the `smtp-starttls.nse` script for automated testing. The core recommendation across many sources is to use OpenSSL with the command `openssl s_client -starttls smtp -connect your_server:25`. Certificate verification with `-verify 9` and analyzing server responses are important aspects of comprehensive testing.
Key findings
- OpenSSL is Key: The `openssl s_client` command is a frequently cited and powerful tool for STARTTLS testing, allowing for deep inspection of the connection.
- Online Tools Offer Convenience: CheckTLS, MXToolbox, and Wormly provide simpler, web-based alternatives for quick checks.
- Manual Testing with Telnet: Telnet allows for manual interaction with the server, sending EHLO and STARTTLS commands to observe the server's behavior.
- SWAKS as an alternative: SWAKS can be used as an alternative to openssl
Key considerations
- Certificate Verification: Always verify the server's certificate for trust and validity, using options like `-verify 9` in OpenSSL.
- Level of Detail: Choose a testing method that provides the necessary level of detail, balancing ease-of-use with in-depth analysis capabilities.
- Understanding Server Responses: Interpreting server responses during the STARTTLS negotiation process is essential to identify potential problems.
- Nmap Automates: Nmap provides automation, but understanding of the process is needed to be effective
What email marketers say
7 marketer opinions
Testing inbound STARTTLS with a given external IP address can be achieved using various methods. Online tools like CheckTLS and MXToolbox offer automated checks. Command-line tools like OpenSSL and Telnet provide more granular control, allowing manual negotiation and inspection of the TLS handshake. OpenSSL's `s_client` command is frequently recommended with variations for certificate verification. Telnet involves manually connecting, sending EHLO, then STARTTLS, and observing the server's response.
Key opinions
- Online Tools: CheckTLS, MXToolbox, and Wormly provide user-friendly interfaces for STARTTLS testing.
- OpenSSL: The `openssl s_client` command with the `-starttls smtp` option is a powerful method for testing and diagnosing STARTTLS connections.
- Telnet: Manual testing with Telnet involves connecting to port 25, issuing 'EHLO', and then 'STARTTLS' to observe the server's response.
Key considerations
- Certificate Verification: When using OpenSSL, consider using the `-verify` option to check the validity of the server's certificate.
- Granularity vs. Ease of Use: Online tools offer convenience, while command-line tools provide greater control and detailed information.
- Server Response Analysis: Understanding the server's responses during the STARTTLS negotiation is crucial for identifying potential issues.
Marketer view
Email marketer from MXToolbox shares that MXToolbox offers a STARTTLS test tool where you can enter a domain name or IP address and it will check if the server supports and properly implements STARTTLS.
26 Jan 2022 - MXToolbox
Marketer view
Email marketer from Reddit explains that you can manually test STARTTLS using telnet by connecting to port 25, issuing the EHLO command, then the STARTTLS command, and observing the server's response to verify support.
13 Mar 2024 - Reddit
What the experts say
3 expert opinions
All provided answers recommend using OpenSSL's `s_client` command to test inbound STARTTLS. The command `openssl s_client -starttls smtp -connect your_server:25` is the base suggestion, allowing inspection of ciphers and other details. Removing the `-brief` flag provides even more information. Word to the Wise provides context around the command and interprets results.
Key opinions
- OpenSSL s_client: `openssl s_client -starttls smtp -connect your_server:25` is the primary recommended tool.
- Information Detail: Removing `-brief` provides a more verbose output of the STARTTLS handshake.
Key considerations
- Understanding Output: Interpreting the output from OpenSSL requires some technical knowledge; resources like the Word to the Wise article provide helpful context.
- Verbosity: Balance the need for detailed information with the readability of the output by choosing whether or not to use `-brief`.
Expert view
Expert from Email Geeks shares that if you need more info than swaks gives you, then you can use `openssl s_client -brief -starttls smtp -connect ip_address:25` to get detailed information about the ciphers used and so on. Removing `-brief` will give you far more information.
22 Mar 2022 - Email Geeks
Expert view
Expert from Email Geeks provides an example of using openssl to test inbound starttls. They also link to a resource with further information <https://wordtothewise.com/2023/10/can-you-starttls/>.
9 Jan 2025 - Email Geeks
What the documentation says
3 technical articles
The provided documentation references three tools for testing inbound STARTTLS: SWAKS, OpenSSL's `s_client`, and Nmap's `smtp-starttls.nse` script. SWAKS uses the `--server` and `--tls` options. OpenSSL's `s_client` uses the `-starttls smtp` option. Nmap utilizes a dedicated NSE script to automatically test STARTTLS support.
Key findings
- Multiple Tools: Various tools exist for STARTTLS testing, including SWAKS, OpenSSL, and Nmap.
- SWAKS Options: SWAKS leverages the `--server` and `--tls` options for STARTTLS testing.
- OpenSSL Option: OpenSSL's `s_client` utilizes the `-starttls smtp` option to initiate the STARTTLS handshake.
- Nmap Script: Nmap provides the `smtp-starttls.nse` script for automated STARTTLS testing.
Key considerations
- Tool Selection: Choose the appropriate tool based on the desired level of control, automation, and available system resources.
- Syntax and Options: Familiarize yourself with the specific syntax and options required by each tool for effective STARTTLS testing.
- Interpretation of Results: Understand how to interpret the results provided by each tool to accurately assess STARTTLS support and configuration.
Technical article
Documentation from Jetmore.org explains that SWAKS (Swiss Army Knife for SMTP) can be used to test STARTTLS by specifying the server address and port with the `--server` option, and enabling TLS with `--tls`. It also details options for specifying the TLS version.
9 Mar 2024 - Jetmore.org
Technical article
Documentation from Nmap explains that the `smtp-starttls.nse` script can be used to check if a mail server supports STARTTLS. The script attempts to negotiate a STARTTLS connection and reports if it succeeds or fails.
14 Jun 2025 - Nmap
Can a dedicated IP address be configured to identify email as transactional?
Can I use DMARC with shared IP addresses?
Can you rely on the From address when receiving mailto unsubscribes?
Does a sending IP address need to accept incoming SMTP connections for email deliverability?
Does using TLS matter for email deliverability or inbox placement?
How can I contact BT Internet about deliverability issues and what should I expect?
How can I test email deliverability to mailboxes protected by Mimecast?
How do I check if the sending IP address matches the IP address of the hostname specified in the Pointer (PTR) record?
How do I perform a reverse DNS lookup and interpret the results?
How does TLS inbound affect email deliverability and sender confidence?
What services can I use to test email deliverability and simulate bounce responses?
