If you need to test whether a mail server supports STARTTLS, use command-line verification plus release-gate tests.

Quick answer

A server supports STARTTLS when:

  1. it advertises STARTTLS in EHLO capabilities
  2. it returns 220 after the STARTTLS command
  3. the TLS handshake succeeds and the SMTP session continues over the encrypted channel

Method 1: OpenSSL one-liner

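Use OpenSSL for a direct STARTTLS probe. -crlf sends CRLF line endings, and -ign_eof keeps the session open so you can type SMTP commands after the handshake:

openssl s_client -starttls smtp -connect smtp.example.com:587 -crlf -ign_eof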

What success looks like:

  • certificate chain and negotiated TLS details are shown
  • server accepts post-handshake EHLO
  • SMTP commands proceed without plaintext downgrade

Method 2: Capability check before upgrade

You can inspect capabilities manually:

EHLO app.example.com
250-smtp.example.com
250-STARTTLS
250-AUTH LOGIN PLAIN

If no STARTTLS line appears in the EHLO response (250-STARTTLS, or 250 STARTTLS when it is the last line), STARTTLS is not available on that endpoint/port.

Method 3: End-to-end STARTTLS session probe

S: 220 smtp.example.com ESMTP ready
C: EHLO app.example.com
S: 250-STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
... TLS handshake ...
C: EHLO app.example.com
S: 250-AUTH LOGIN PLAIN

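Important: after TLS negotiation, send EHLO again. The capabilities advertised before the handshake travelled in plaintext, so the client must discard them and rely only on the list returned over the encrypted session.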

Common STARTTLS test failures

530 Must issue STARTTLS first

Server requires TLS before auth. Enable STARTTLS in client config.

Handshake fails with certificate errors

Certificate chain, hostname, or trust-store mismatch.

STARTTLS not advertised on selected port

Wrong endpoint or port. Validate provider docs and transport mode.

Auth works locally but fails in production

Environment mismatch in port/TLS settings, auth policy, or network egress controls.

STARTTLS validation checklist for release gates

  1. Confirm EHLO capability includes STARTTLS.
  2. Confirm STARTTLS returns 220.
  3. Confirm cert validity and hostname match.
  4. Confirm post-TLS EHLO + AUTH flow works.
  5. Confirm send/receive assertions in staging and CI.
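
Checklist steps 1 to 4 as a single probe, using Python's smtplib and ssl modules. This is an added example, not code from the original page; probe_starttls, gate_passed and the result keys are names chosen here, and the host names are the page's placeholders.

```python
import smtplib
import ssl

def probe_starttls(host, port=587, ehlo_name="app.example.com", timeout=10, context=None):
    """Run checklist steps 1-4 against host:port and return one flag per step."""
    result = {"advertised": False, "upgrade_220": False, "tls_verified": False,
              "post_tls_auth": False, "tls_version": None, "error": None}
    # The default context validates the chain and the hostname (step 3).
    context = context or ssl.create_default_context()
    try:
        # local_hostname is explicit so the probe never has to resolve its own name.
        with smtplib.SMTP(host, port, local_hostname=ehlo_name, timeout=timeout) as smtp:
            smtp.ehlo()
            result["advertised"] = smtp.has_extn("starttls")   # step 1
            if not result["advertised"]:
                result["error"] = "STARTTLS not advertised"
                return result
            try:
                smtp.starttls(context=context)                  # steps 2 and 3
            except smtplib.SMTPResponseException as exc:
                result["error"] = f"STARTTLS refused with {exc.smtp_code}"
                return result
            except ssl.SSLError as exc:
                result["upgrade_220"] = True   # 220 was received, the handshake failed
                result["error"] = f"TLS handshake failed: {exc}"
                return result
            result["upgrade_220"] = True
            result["tls_version"] = smtp.sock.version()
            # Only report verification if the context actually enforced it.
            result["tls_verified"] = (context.verify_mode == ssl.CERT_REQUIRED
                                      and context.check_hostname)
            smtp.ehlo()   # smtplib dropped the pre-TLS capabilities; ask again
            result["post_tls_auth"] = smtp.has_extn("auth")    # step 4
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = result["error"] or f"{type(exc).__name__}: {exc}"
    return result

def gate_passed(result):
    """Release gate: every checklist flag must be true."""
    keys = ("advertised", "upgrade_220", "tls_verified", "post_tls_auth")
    return all(result[k] for k in keys)
```

In CI, call probe_starttls against the staging endpoint and fail the job when gate_passed returns False. Step 5 (send/receive assertions) is outside what this probe covers.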

FAQ

Is STARTTLS the same as SMTPS?

No. STARTTLS upgrades a plaintext session; SMTPS starts encrypted immediately (commonly port 465).

Should I use STARTTLS on port 465?

Usually no. Port 465 typically expects implicit TLS, not STARTTLS upgrade.

Is capability advertisement enough to trust transport security?

No. You must also verify TLS handshake, certificate validity, and post-handshake SMTP behavior.
