What is this?
A one-shot health check for every MX of a mail domain. The tool opens a real SMTP connection on port 25, negotiates STARTTLS and inspects each layer: TCP latency, banner line, EHLO hostname, STARTTLS offer, negotiated TLS version + cipher, SubjectAltName match against the MX host, certificate validity window + chain length, OCSP stapling, and forward-confirmed reverse DNS (FCrDNS). Findings are split by severity: critical (STARTTLS missing, expired cert, deprecated TLS), warning (cipher choice, SAN mismatch, renewal window) and info (operator preferences like banner disclosure).
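The severity split described above, sketched as an added example (not the tool's own code). The set of deprecated TLS versions, the weak-cipher markers, the 14-day renewal window and the probe dictionary layout are assumptions, and the sample probe is constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values (not stated on the page): which TLS versions count as
# deprecated, which cipher substrings are weak, and the renewal window length.
DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "NULL", "EXPORT")
RENEWAL_WINDOW = timedelta(days=14)

def san_matches(mx_host, san_names):
    """Case-insensitive SAN match; '*' may only replace the whole left-most label."""
    host = mx_host.rstrip(".").lower().split(".")
    for name in san_names:
        pat = name.rstrip(".").lower().split(".")
        wildcard = pat[0] == "*" and len(pat) > 2 and len(pat) == len(host)
        if pat == host or (wildcard and pat[1:] == host[1:]):
            return True
    return False

def classify(probe, now):
    """Return (severity, message) findings for one MX probe result, critical first."""
    findings = []
    if not probe["starttls_offered"]:
        return [("critical", "STARTTLS not offered")]  # no TLS layer left to inspect
    if probe["tls_version"] in DEPRECATED_TLS:
        findings.append(("critical", f"deprecated {probe['tls_version']}"))
    if probe["not_after"] <= now:
        findings.append(("critical", "certificate expired"))
    elif probe["not_after"] - now <= RENEWAL_WINDOW:
        findings.append(("warning", "certificate inside renewal window"))
    if any(m in probe["cipher"] for m in WEAK_CIPHER_MARKERS):
        findings.append(("warning", f"weak cipher {probe['cipher']}"))
    if not san_matches(probe["mx_host"], probe["san"]):
        findings.append(("warning", "SAN does not cover MX host"))
    if probe["banner_discloses_software"]:
        findings.append(("info", "banner discloses server software"))
    order = {"critical": 0, "warning": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])

# Constructed sample probe result for a hypothetical MX (not real scan output).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = {
    "mx_host": "mx1.example.org.", "starttls_offered": True,
    "tls_version": "TLSv1.1", "cipher": "ECDHE-RSA-AES256-GCM-SHA384",
    "not_after": NOW + timedelta(days=9), "san": ["*.mail.example.org"],
    "banner_discloses_software": True,
}
if __name__ == "__main__":
    print(*classify(SAMPLE, NOW), sep="\n")
```

The sample's wildcard SAN sits one label too deep for the MX host, so it is reported as a mismatch even though the parent domain is the same.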
When do I need it?
Before a new MX deployment goes live, after a cert rotation, when investigating deliverability complaints, or as a quick sanity check that a partner's MX actually supports STARTTLS the way they claim.