be Smart.
be Secure.
Phone: 800-441-6612

How to Tell Who Supports SMTP TLS for Email Transmission

SMTP TLS (Transport Layer Security) is the mechanism by which two email servers, when communicating, can automatically negotiate an encrypted channel between them so that the emails transmitted are secured from eavesdroppers.

It is becoming ever more important to use a company that supports TLS for email transmission as more and more banks, health care, and other organizations who have any kind of security policy are requiring their vendors and clients to use this type of encryption for emailed communications with them. Additionally, if your email provider supports TLS for email transmission, and you are communicating with people whose providers do also, then you can be reasonably sure that all of the email traffic between you and them will be encrypted.

How do you find out if someone to whom you are sending email uses a provider who’s servers support TLS-encrypted communications? We will take you through the whole process step-by-step, but first let us note some 6 important truths about TLS connection encryption.

  1. The use of TLS encryption is negotiated/determined each and every time two servers connect to each other to transmit your email.
  2. Just because a server supports TLS today, does not mean that it will tomorrow — server configurations can change and mistakes can be made. There are ways, however, to ensure that an email will never be sent to someone without TLS — see Enforcing Email Security with TLS when Communicating with Banks.
  3. If your email is passed between more than one server, then the security of each server-to-server connection along the way needs to be negotiated separately.
  4. Only the recipient’s externally facing email servers can be checked for TLS support. There is no way of checking the back-end servers of a service provider’s email system to make sure TLS is supported all the way to delivery to the recipient’s mailbox.
  5. Even if the sender’s email servers and the recipient’s email servers are configured to use TLS, both parties still need to configure their email clients to connect securely to their respective servers (for the initial sending of the message, and for the final download and viewing of the message) in order to ensure that the email message is transmitted securely during its entire trek from sender to receiver.
  6. There is no automated way to see if a specific company’s outbound email will use TLS.  You can only check their inbound email TLS support.

First: a Little Bit about DNS: MX Records

To start off, we need to know a little bit about DNS (The Domain Name System). DNS is what tells the world “address information” about your domain name (kind of like a phone book for domain names), from where to find the web server hosting the domain’s associated webpage, to what inbound servers accept email sent to the email addresses of your domain. DNS information is split into many categories, such as “A records”, “CNAME records”, and “MX records”. For the purpose of this article we need only be concerned with the MX records (Mail eXchange records).

A domain’s MX records are a list of all the email servers that can accept inbound email sent to the email addresses of that domain. By querying the DNS MX records for a domain, you can discover what servers handle its inbound email. For instance, if I wanted to know what email servers receive and handle inbound email for “” I would perform a DNS query for the MX records of the domain “”.

Once we have determined the names of the inbound email servers associated with the domain of the email address to which you want to send email, you will need to connect to each one of these servers individually and ask them if they support TLS encryption. Mail servers do this by starting an SMTP connection with a server found in the MX records of the recipient’s domain and then issuing a command called “elho”. Once the “elho” command is given to the recipient’s server it will send back the list of the options that it supports. If you see “STARTTLS” in the list of options supported, then the server does support TLS.

Getting a Command Prompt

To query the DNS settings for the MX records of the recipient’s domain you will first need to know how to bring up your “command prompt”. This varies between operating systems:

  • For Windows XP, Vista and 7, you will need to click on your start button and go to “All Programs” and then “Accessories” where you will click on “Command Prompt”.
  • For Windows 8: Swipe up to show the Apps screen. You can accomplish the same thing with a mouse by clicking on the down arrow icon at the bottom of the screen.  Note: Prior to the Windows 8.1 update, the Apps screen can be accessed from the Start screen by swiping up from the bottom of the screen, or right-clicking anywhere, and then choosing All apps. Now that you’re on the Apps screen, swipe or scroll to the right and locate the Windows System section heading. Under Windows System, press or click on Command Prompt.
    A new Command Prompt window will open on the Desktop.
  • For Linux users you should check the documentation for your distribution if you don’t know where your terminal program is located.
  • For Mac users, you will want to use the “Terminal” application found under “Application > Utilities”.

The Query

Windows: DNS Query using “nslookup”

If you use Windows then you are going to use the program “nslookup” to query the DNS settings of the domain in question. At the command prompt you will type “nslookup” and hit “Enter” to start the program’s interactive mode. You should now see a “>” as your prompt. At this prompt type “set a=mx“, press “Enter”, then type the domain name you want to query and press “Enter” again. Once you have finished you will need to type “quit” and press “Enter” to exit nslookup. Here is an example with the results:

Default Server: UnKnown

> set q=mx
Server: UnKnown

Non-authoritative answer: MX preference = 10, mail exchanger = MX preference = 15, mail exchanger = MX preference = 20, mail exchanger = MX preference = 25, mail exchanger =

The last portion of each line following “exchanger =”, such as “” is the server name for an inbound email server that will be used by this domain. When you send email to an email address ending in “” it is possible that any one of these servers could be the one that processes the email you sent.

Mac and Linux: DNS Query using “dig”

For Mac OSX and Linux you will be using a command line tool called “dig” which has the following format: “dig +short doman_name mx”  (the “+short” eliminates a lot of unneeded textual output). Here is an example with the results:

support$ dig +short mx





The last portion of each line, such as “” (without the trailing period) is the name of an email server the will be used by this domain.  When you send email to an email address ending in “” it is possible that any one of this servers could be the one that processes the email you sent.

Checking support for TLS

The final step is done using a program called “telnet”, which is another command prompt utility that exists in all of the operating systems that we have mentioned. Telnet will be used to simulate the SMTP connection to the server; once connected, we will issue the ”ehlo” command. If the server supports TLS encryption then we will see “250-STARTTLS” in the list of supported options.

The following steps will need to be repeated for every server provided by your query for MX records. To use the Telnet program type, “telnet server_name 25”, replacing “server_name” with the name of a mail server from your DNS query and press “Enter“. (25 is the standard SMTP port at which that all public inbound email servers must be listening for connections). A few lines will appear, the last starting with “220” and containing the date.

support$ telnet 25


Connected to

Escape character is ‘^]’.

220 ESMTP mxl_mta-8.2.0-3 [2ac5dfc25940.177057.00-540]; Tue, 27 Jan 2015 08:42:14 -0700 (MST); NO UCE, INBOUND (


Now type “ehlo” followed by a domain name, your own domain name will work fine, and press “Enter“. If you see within the results the line, “250-STARTTLS”, then that email server is configured to support use of TLS. Here is a full example:


250-SIZE 0





Once again you will need to repeat this telnet step for each email server listed in the MX records to be sure that TLS support is enabled on all servers processing email for email address in that domain.

Advanced: Checking TLS Protocol and Ciphers

The telnet test described above only checks to see if the server advertises SMTP TLS support.  This is not quite good enough to get the full picture.

  1. That support could be broken, so that any attempt to actually use TLS fails,
  2. It does not address what versions of the TLS (or SSL) protocol are supported, nor what Ciphers are available for encryption.

For example, if your mail servers are configured to use only TLS configurations considered “secure”, but your recipient’s servers have only support for old, insecure TLS (e.g. SSL v3 only), then you your servers will not be able to talk TLS together.

In order to actually test if the recipient servers TLS is working and that it supports strong encryption, you can use the “openssl” command line tool.  In this example, we will use openssl at the Linux / Mac command line and check and see if the server supports SMTP TLS with the TLS v1.0+ protocol and the AES 256 Cipher “AES256-SHA“:

openssl s_client -starttls smtp  -no_ssl3 -no_ssl2 -cipher “AES256-SHA” -connect

If you get a successful connection, which we do in this case, you will get the beginning of an SMTP dialog (similar to a telnet connection, but now secure), and you can perform an “ehlo” or issue other SMTP commands.

If the connection fails, you will get some kind of error message, perhaps indicating that TLS cannot be negotiated.  This would indicate that you cannot speak TLS with this server using TLS v1.0+ and this cipher.

To check if TLS v1.0+ and any of the recommended strong ciphers are supported, you would modify the above example to include all allowed ciphers:



Use of TLS is good practice and secure when you know that it is implemented through the entire chain of delivery. However if security is your top requirement then encrypting the email itself before sending it is the most secure option.  This can be done, for example, using PGP or S/MIME or other products that support these and other encryption mechanisms in an integrated format.

SMTP TLS Lookup Tool: LuxSci provides a free tool that does all of these steps for your, including checking for HIPAA-compliant strong TLS support.  Use our TLS Checker tool to see if all of the MX records for any domain support TLS or not.

4 Responses to “How to Tell Who Supports SMTP TLS for Email Transmission”

  1. How You Can Tell if an Email Was Transmitted Using TLS Encryption? | LuxSci FYI Says:

    […] in question.  However, it requires some knowledge and experience.  It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely […]

  2. How Does Secure Socket Layer (SSL) Work? | LuxSci FYI Says:

    […] How to Tell Who Supports TLS for Email Transmission […]

  3. Secure TLS Email for Bank of America Partners | LuxSci FYI Says:

    […] email servers must support opportunistic TLS encryption for all inbound email […]

  4. SMTP TLS: All About Secure Email Delivery over TLS | LuxSci FYI Says:

    […] to be used at all, the destination email server must support and advertise support for TLS (see: How to Tell Who Supports TLS for Email Transmission) and the sending server must be configured to use TLS connections when […]

Leave a Comment

You must be logged in to post a comment.

• Access Anywhere
• Fast and Robust
• Super Secure
• Tons of Features
• Customizable
• Mobile Friendly

Send and receive email from your favorite programs, including:

 Microsoft Outlook
 Mozilla Thunderbird
 Apple Mail
 Windows Mail

... Virtually any program that supports POP, IMAP, or SMTP

Keep your email, contacts, and calendars in sync:

 Apple iPhone and iPad
 Android Devices
 Windows Phone

... Any device with Exchange ActiveSync (EAS) support

Relay your server's mail through LuxSci via smarthost:

• Resolve issues with ISP sending limits and restrictions
• Improve deliverability with better IP reputation and IP masking
• Take advantage of Email Archival and HIPAA Compliance
• Even setup smarthosting from Google Apps!

Free web site hosting with any email account:

• Start with up to 10 web sites and MySQL databases
• DNS services for one domain included
• Tons of features and fully HIPAA capable

LuxSci's focus on security and privacy:

• Read The Case for Email Security
• Read Mitigating Security & Privacy Threats
• Review our Privacy Policy

The most accurate, flexible, and trusted filters in the business:

• Premium protection with Intel Security Saas
• Realtime virus database guards against the latest threats
• Seven-day quarantine lets you put eyes on every filtered email
• Supplement with our Basic Spam Filter for even more features

End-to-end secure email encryption — to anyone, from anyone:

• No setup required — encryption is automatic and easy to use
• Secure outbound email with TLS, PGP, S/MIME, or Escrow
• Free inbound encryption via our SecureSend portal
• Independent of your recipient's level of email security
• Widely compatible and fully HIPAA Compliant

Add an extra layer of security with an SSL Certificate:

• Secure your web site
• Debrand LuxSci WebMail with your own secure domain
• Access secure email services via your own secure domain

Encrypt your service traffic via secure tunnel:

• Add another layer of security to your SSL connections
• WebMail, POP, IMAP, SMTP, web/database access
• SecureForm posts, SecureLine Escrow, SecureSend access
• Restrict your account to VPN access only

Secure long-term message archival:

• Immutable, tamperproof email retention with audit trails
• No system requirements — minimal setup, even less upkeep
• Realtime archival of all inbound and outbound messages
• Works anywhere — even with non-LuxSci email hosting

Free data backups included with all email hosting accounts:

• Automatic backups of all email, WebAides, web/database data
• Seven daily backups and up to four weekly backups
• Unlimited restores included at no additional cost
• Custom backup schedules for dedicated servers

Automate your email management:

• Save messages to specific folders or to LuxSci WebAides
• Advanced text scanning with regular expressions
• Tag messages, alter subject lines, or add custom headers
• Filter by message charset, type, TLS status, DKIM status
• Chain filters together for even more complex actions

• Bulk add and edit users, aliases and more
• Control sharing and access globally or on a granular level
• Delegate user roles through permissions
• Configure account-wide taglines, sending restrictions, and more
• Remotely administer account via SOAP API

Share, collaborate, organize, synchronize:

• Calendars, Contacts, Documents, Notes, Widgets, Workspaces
• Fine-grained access control and security
• Access anywhere via secure web portal or smartphone
• Save over solutions like Microsoft Exchange

Free folder sharing for all email hosting accounts:

• Share mail folders with other users in your account
• Subscribe to only the folders you want to see
• Set read-only or read-write access control
• View all personal and shared folders via unified web interface

Color code and label your email messages:

• Define and assign multiple IMAP keywords to each message
• Filter, search, and sort by tags
• Compatible and synchronizes with any IMAP email client
• Also usable with WebAide entries