UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

SMTP Server Test

Connect to any SMTP host on port 25 (or a custom port), capture the banner, send EHLO, and verify whether STARTTLS is advertised.

About SMTP Server Test

The SMTP Server Test opens a TCP socket to a mail-exchanger host on port 25 (or 465 SMTPS, 587 submission, or any custom port), reads the greeting banner, sends EHLO utilitykit.tools, and inspects the response capability list. The most important capability is STARTTLS — without it, mail to and from this server travels unencrypted across the public internet, exposing message content and any authentication credentials to passive eavesdroppers. The tool returns the resolved IP, port, round-trip time, raw banner, multi-line EHLO response, and a complete client/server transcript color-coded by direction. It does not actually upgrade to TLS or send any mail — the test stops at observing STARTTLS support and issues QUIT cleanly.

Why use SMTP Server Test

  • Confirms STARTTLS is advertised — required for modern, encrypted mail transport.
  • Captures the banner so you can verify hostname, software (Postfix, Exim, Exchange, Sendgrid), and reverse DNS hint.
  • Returns full client/server transcript so you can debug at the protocol level.
  • Reports round-trip time so you can detect slow MTAs from the public internet.
  • Runs from our backend with strict timeouts — no need to install netcat or telnet locally.
  • Pairs with the MX Record Lookup, RBL Blacklist Check, and Email Header Analyzer for deliverability triage.

How to use SMTP Server Test

  1. Enter the SMTP host — usually an MX record from the recipient's DNS (mail.example.com).
  2. Choose a port — 25 for inbound MX, 465 for SMTPS, 587 for submission, or any custom port.
  3. Click Test SMTP to open the TCP socket and run the EHLO/STARTTLS handshake.
  4. Confirm the banner returns a 220 reply and matches the expected hostname.
  5. Verify STARTTLS appears in the EHLO response — the green badge means yes.
  6. Inspect the full transcript for any 4xx/5xx replies that explain rejected mail.

When to use SMTP Server Test

  • When onboarding a new self-hosted MTA (Postfix, Exim, Exchange) and verifying inbound reachability.
  • When third-party senders complain that mail to your domain bounces — confirm your MX is reachable.
  • After enabling STARTTLS on a Postfix or Exchange server — verify it advertises in EHLO.
  • When debugging 4xx/5xx replies during the SMTP handshake from an outside network.
  • When migrating between cloud regions and you want to confirm the new MTA accepts connections.
  • While building monitoring runbooks that should alert on STARTTLS regression.

Examples

Healthy STARTTLS mail server

Input: aspmx.l.google.com:25

Output: Banner: 220 mx.google.com ESMTP · STARTTLS supported · 78ms

STARTTLS missing (security risk)

Input: legacy.example:25

Output: Banner: 220 legacy.example.com ready · STARTTLS NOT supported · 142ms

Connection refused (firewall or down)

Input: no-mta.example:25

Output: Error: ECONNREFUSED — server is not accepting connections on port 25

Tips

  • Port 25 is for server-to-server (MX). Port 587 is for client submission. Port 465 is implicit-TLS submission.
  • Most cloud providers block outbound port 25 by default — if you can't reach an MX, that may be why.
  • STARTTLS is opportunistic by default — strict TLS requires MTA-STS or DANE policy on top.
  • If you see no STARTTLS line, configure smtpd_tls_security_level=may in Postfix or equivalent in your MTA.
  • A banner line beginning 421 means the server is too busy or rejecting your connection — check rate limits and IP reputation.

Frequently Asked Questions

Is the queried host or transcript sent to a third party?
No. The TCP connection runs from our backend directly to the host you specify. The transcript is returned to your browser and is not stored. The destination MTA does see the connection, since that's how SMTP works.
How does this compare to mxtoolbox's SMTP test?
Functionally similar — both open a socket, EHLO, and check STARTTLS. Ours returns a full transcript and is free with no signup. We don't run extended deliverability scoring; for that, pair with our RBL Blacklist Check and Email Header Analyzer.
Why don't you actually upgrade to TLS during the test?
Recording STARTTLS support in EHLO is the practical baseline. Performing the actual TLS handshake and inspecting the cipher would also work but adds latency — that's a future cipher-grade tool.
Can this detect a misconfigured MX or Postfix?
It detects banner mismatches, missing STARTTLS, and protocol errors visible at the EHLO stage. It does not run mailer-daemon checks beyond that — for full envelope-from to RCPT TO testing, we'd need to send a real message, which we deliberately don't.
What does 'STARTTLS not supported' mean for my server?
Mail to and from this server travels unencrypted. Anyone on the network path can read message content and any plaintext credentials. Configure smtpd_tls_security_level=may in Postfix, or the equivalent in Exchange/Sendmail/Exim.
Why is port 25 blocked from my home internet?
Most consumer ISPs and many cloud providers block outbound port 25 to limit spam from compromised hosts. You can usually use port 587 with authenticated submission instead.
What does the EHLO response actually contain?
A multi-line list of capabilities — STARTTLS, AUTH, PIPELINING, SIZE, 8BITMIME, etc. Receivers learn what the server supports before they negotiate authentication and TLS.
Does this consume any rate-limit budget at the destination?
It opens one TCP connection and exchanges 3-4 lines of SMTP, then issues QUIT. Most MTAs are fine with this volume; if you suspect rate-limiting, check the 421 banner.

Explore the category

MX Record Lookup Look up the Mail Exchange (MX) records for any domain to see which mail servers handle its incoming email. RBL Blacklist Check Check an IPv4 address against four major DNS-based blocklists in parallel — Spamhaus ZEN, SpamCop, Barracuda, and SORBS — and surface delisting hints. Email Header Analyzer Summarize Received chains and auth hints from pasted headers. SPF Record Checker Look up and parse a domain's SPF DNS record. Validates mechanisms, counts DNS lookups against the RFC 7208 ten-lookup limit, and flags soft/hard fail qualifiers. DMARC Record Checker Look up the DMARC TXT record at _dmarc.<domain>, parse every tag (p, sp, pct, rua, ruf, adkim, aspf), and flag missing aggregate report addresses or partial enforcement. Open Port Checker Run a single TCP connect-test from our backend to confirm whether one port on a public host is open, closed, or filtered. Common-port presets included.

Glossary

SMTP
Simple Mail Transfer Protocol — RFC 5321 — the on-the-wire protocol mail servers use to deliver messages to one another.
SMTP banner
The 220 greeting an SMTP server sends right after a TCP connection is accepted. Usually contains hostname and software.
EHLO / HELO
The client's greeting after the banner. EHLO is the modern extended form; HELO is legacy. Servers respond with their capability list.
STARTTLS
RFC 3207 — an SMTP extension that lets a plaintext connection upgrade to TLS mid-session. Without it, mail and credentials travel unencrypted.
Port 25
The standard MX-to-MX SMTP port. Many cloud providers block outbound 25 by default to limit spam, which is why egress tests often fail.
Port 587 (submission)
RFC 6409 — port for authenticated client-to-MTA submission. Always uses STARTTLS in modern deployments.