MX health check

Per RFC 5321 + 8461 + 8689

STARTTLS probe against each MX: TLS version + cipher, SAN match, cert expiry, OCSP stapling, reverse DNS, banner disclosure.

What is this, and when do I need it?

What is this?

A one-shot health check for every MX of a mail domain. The tool opens a real SMTP connection on port 25, negotiates STARTTLS and inspects each layer: TCP latency, banner line, EHLO hostname, STARTTLS offer, negotiated TLS version + cipher, SubjectAltName match against the MX host, certificate validity window + chain length, OCSP stapling, and forward-confirmed reverse DNS (FCrDNS). Findings are split by severity: critical (STARTTLS missing, expired cert, deprecated TLS), warning (cipher choice, SAN mismatch, renewal window) and info (operator preferences like banner disclosure).
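The severity split described above, as an added example (not the tool's own code): Python functions that map one probe result to critical, warning and info findings, including the wildcard rule for the SAN match. The result field names, the 30-day renewal window, the weak-cipher pattern and the banner markers are assumptions, and the sample results are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}   # SSLv3: RFC 7568; TLS 1.0/1.1: RFC 8996
WEAK_CIPHER = re.compile(r"RC4|3DES|DES-CBC3|NULL|MD5")          # assumed weak-cipher pattern
RENEWAL_WINDOW = timedelta(days=30)                              # assumed threshold
MTA_NAME = re.compile(r"postfix|exim|sendmail|exchange", re.I)   # assumed banner markers

def san_matches(mx_host, sans):
    """True if any DNS SAN covers mx_host; '*' may replace only the left-most label."""
    host = mx_host.rstrip(".").lower()
    for san in sans:
        san = san.rstrip(".").lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def classify(mx_host, r, now):
    """Map one probe result (dict) to a list of (severity, message) findings."""
    if not r.get("starttls"):
        return [("critical", "STARTTLS not offered")]
    out = []
    if r["tls_version"] in DEPRECATED_TLS:
        out.append(("critical", f"deprecated protocol {r['tls_version']}"))
    if r["not_after"] <= now:
        out.append(("critical", "certificate expired"))
    elif r["not_after"] - now <= RENEWAL_WINDOW:
        out.append(("warning", f"certificate expires in {(r['not_after'] - now).days} days"))
    if WEAK_CIPHER.search(r["cipher"]):
        out.append(("warning", f"weak cipher {r['cipher']}"))
    if not san_matches(mx_host, r["sans"]):
        out.append(("warning", "no SAN matches the MX host"))
    if MTA_NAME.search(r.get("banner", "")):
        out.append(("info", "banner discloses MTA software"))
    return out

# Constructed sample results, not output from the tool
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLES = {
    "mx1.example.org": {"starttls": True, "tls_version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384",
                        "sans": ["*.example.org"], "not_after": NOW + timedelta(days=12),
                        "banner": "220 mx1.example.org ESMTP Postfix"},
    "mx2.example.org": {"starttls": True, "tls_version": "TLSv1", "cipher": "DES-CBC3-SHA",
                        "sans": ["mail.example.net"], "not_after": NOW - timedelta(days=3),
                        "banner": "220 mx2.example.org ESMTP"},
    "mx3.example.org": {"starttls": False},
}
if __name__ == "__main__":
    for host, result in SAMPLES.items():
        print(host, classify(host, result, NOW))
```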

When do I need it?

Before a new MX deployment goes live, after a cert rotation, when investigating deliverability complaints, or as a quick sanity check that a partner's MX actually supports STARTTLS the way they claim.

Server path: this tool does NOT run locally in your browser. We resolve the MX records and open a real SMTP connection on port 25 to each MX host (STARTTLS probe + reverse DNS) from our server. We do not log the domain or the result. Rate limit: 12 requests per minute per IP.
