Connect to a mail server and check STARTTLS
DNS & Records
DNS Lookup Every DNS record for any domain A Record Lookup IPv4 addresses for a domain AAAA Record Lookup IPv6 addresses for a domain MX Lookup Mail servers for a domain NS Lookup Authoritative name servers TXT Lookup TXT records, SPF, verification CNAME Lookup Canonical name (alias) records SOA Lookup Start of Authority record SRV Lookup Service location records CAA Lookup Which CAs may issue certificates Reverse DNS (PTR) IP address to hostname DNSSEC Check Is the domain signed and validated? DNS Health Check A full delegation & DNS report cardEmail Deliverability
SPF Check Validate your Sender Policy Framework record DMARC Check Inspect and grade your DMARC policy DKIM Check Find and validate your DKIM public key Blacklist Check Check an IP against email blocklists (DNSBLs) SMTP Test Connect to a mail server and check STARTTLS MTA-STS Check Enforced TLS policy for inbound mail BIMI Check Brand logo record for email TLS-RPT Check SMTP TLS reporting policyNetwork & Web
SSL Certificate Check Inspect a site's TLS certificate and expiry HTTP Header Check Inspect response headers, redirects and security Ping (TCP) Reachability and latency over TCP Port Check Which common ports are openDomain
WHOIS Lookup Registration data for domains, IPs and ASNsThis SMTP test resolves a domain's primary MX, opens a connection on port 25, reads the greeting banner and the EHLO capability list, and reports whether the server offers STARTTLS for encrypted delivery. It is a quick way to confirm a mail server is reachable and TLS-capable.
When you submit a domain, IPeek looks up its MX records, picks the highest-priority host, and opens a TCP connection on port 25. The server answers with a 220 greeting banner that names the software, usually Postfix, Exim, or Microsoft. IPeek then sends EHLO and parses the multi-line 250 response listing supported extensions. Look for STARTTLS in that list: it signals the server can upgrade the plaintext session to an encrypted TLS channel before any mail data is exchanged. SIZE, PIPELINING, and 8BITMIME commonly appear alongside it.
Start with the banner. A 220 response means the server accepted the connection and is ready. If STARTTLS appears in the EHLO capability list, the server can encrypt inbound delivery; its absence means mail may be relayed in cleartext. A timeout or refused connection usually points to a firewall, a wrong MX target, or a host that is down. Note that port 25 is for server-to-server delivery, not client submission, which uses 587 or 465. The banner hostname should match your PTR record to satisfy receivers that check it.
Connection refused or timed out is the most frequent failure, typically a firewall blocking port 25 or an MX record pointing at the wrong host. A missing STARTTLS line means the receiving server cannot negotiate TLS, so add a certificate and enable it in your MTA. A self-signed or expired certificate still advertises STARTTLS but breaks strict TLS policies like MTA-STS and DANE. If the banner reports a generic hostname that differs from your reverse DNS, fix the PTR record, because many receivers reject mail when the banner and PTR disagree.
Server-to-server mail delivery uses port 25, which is what this test connects to. Ports 587 and 465 are reserved for mail submission from clients and applications, with 587 using STARTTLS and 465 using implicit TLS. IPeek checks port 25 because that is where receiving MX servers accept inbound mail from the internet.
STARTTLS upgrades a plaintext SMTP session to an encrypted TLS connection. The server advertises STARTTLS in its EHLO response, and the sending server issues the command to negotiate TLS before transmitting any message data. Without it, mail crosses the network in cleartext and can be read or altered in transit. STARTTLS is opportunistic unless enforced by MTA-STS or DANE.
A timeout almost always means a firewall is blocking port 25 or the MX record points to a host that is down or unreachable. Many residential and cloud networks block outbound port 25 by default. Confirm the MX target resolves correctly, check that the mail server is listening, and verify no security group or firewall rule is dropping the connection.
It means inbound mail to that server can be delivered without encryption, exposing it to interception on the wire. Most modern receivers still accept the mail, but they cannot encrypt the session. To fix it, install a valid TLS certificate and enable STARTTLS in your MTA configuration, then re-run the test to confirm the capability now appears.
The greeting banner is the first line a mail server sends after you connect, beginning with response code 220. It identifies the server software and hostname and confirms the server is ready to accept commands. Receivers often compare the banner hostname against the connecting IP's PTR record, so a mismatch can trigger spam filtering or outright rejection.