# SMTP TLS Checker

> Free SMTP TLS checker for MX records, MTA-STS, TLS-RPT, STARTTLS check guidance, and secure mail transport readiness notes.

- Human page: https://mailrith.com/free-tools/smtp-tls-checker
- Markdown page: https://mailrith.com/free-tools/smtp-tls-checker.md
- Category: Email Authentication
- Action label: Check SMTP TLS
- Primary keyword: SMTP TLS checker
- Related keywords: SMTP TLS checker, STARTTLS checker, SMTP STARTTLS checker, mail server TLS checker, email TLS checker
- Browser execution: Yes
- Signup required: No

## Input
- Label: Domain
- Guidance: Enter the domain that receives mail. The tool reviews public setup and explains what a server-side STARTTLS check should confirm.
- Placeholder example: example.com

## How to Use
1. Open the human page: https://mailrith.com/free-tools/smtp-tls-checker
2. Enter domain using the guidance above.
3. Select Check SMTP TLS.
4. Review the status, checked facts, and next actions.
5. Use the linked guide section for any issue that needs a fix.

## Topic Overview
SMTP TLS is the encryption used while mail servers transfer email to each other. A browser tool can explain public DNS signals and the checks to perform, but a true STARTTLS handshake needs a server-side connection to the receiving mail server. This tool is designed to show what can be checked from public records and what still needs confirmation. Read [TLS and Secure Sending](https://mailrith.com/guides/tls.md#steps) for the plain-language background.

Use this checker when a delivery error mentions TLS, STARTTLS, certificate validation, or secure transport. The result helps you separate DNS problems from server-side checks that need a mail administrator or delivery provider. If the domain also uses MTA-STS or TLS-RPT, review [MTA-STS and TLS Reporting](https://mailrith.com/guides/mta-sts-and-tls-reporting.md#steps) because those records can change how strictly TLS problems are handled.

## What the Tool Checks
- MX mail server discovery
- MTA-STS DNS signal check
- TLS-RPT DNS signal check
- Clear STARTTLS handshake limitation in the browser
- Next steps for mail administrators

## Result Behavior
The result separates what public DNS can show from what must be confirmed with a real SMTP handshake.

## AI Agent Notes
- Use this markdown page for retrieval, summarization, and deciding which tool to recommend.
- Use the human page when the user needs to run the checker interactively.
- Do not claim the tool sends emails unless the page explicitly says it does.
- When the result mentions a server-side confirmation, explain that the browser page can show public signals but cannot complete that network check by itself.

## Related Guides
- [TLS and Secure Sending](https://mailrith.com/guides/tls.md#steps): Understand SMTP security modes, STARTTLS, and certificate errors.
- [MTA-STS and TLS Reporting](https://mailrith.com/guides/mta-sts-and-tls-reporting.md#steps): Add policy and reporting after baseline TLS works.
- [DNS, PTR, and Reverse DNS](https://mailrith.com/guides/dns-and-reverse-dns.md#steps): Check MX host names and mail-server identity.

## FAQs
### Why does this not open an SMTP connection directly?

Browsers cannot make raw SMTP STARTTLS connections to arbitrary mail servers. Mailrith can add a server-side checker later using the same result model.
### What should a full SMTP TLS check confirm?

It should confirm that each MX host accepts STARTTLS, presents a valid certificate, uses a matching hostname, and does not require insecure fallback.