Why test SMTP connectivity for your MX servers?
SPF, DKIM and DMARC protect your identity, but they don't guarantee that emails actually reach your servers. If port 25 is blocked, STARTTLS fails, or a certificate has expired, senders get silent failures or bounces. According to Google's Transparency Report, over 90% of inbound Gmail traffic now uses TLS: servers without STARTTLS are increasingly rejected.
Three reasons to test regularly:
- Deliverability: an unreachable MX means lost emails. Senders get "connection timeout" bounces, and you'll never know.
- TLS security: without STARTTLS, your emails travel in cleartext across every hop. Senders that enforce MTA-STS or DANE policies refuse to deliver over non-TLS connections.
- Reputation: an open relay gets exploited within hours. One spam run and your IP lands on Spamhaus, Microsoft SNDS and Google Postmaster blocklists simultaneously.
How to use the SMTP/MX Tester in 3 steps
Step 1: Enter your domain
Type the domain name to test (for example captaindns.com). The tool automatically resolves MX records via DNS.
Step 2: Wait for the diagnostic
For each detected MX server, the tool:
- Connects on port 25 (TCP)
- Captures the SMTP banner (code 220)
- Sends EHLO and lists extensions
- Tests STARTTLS and inspects the TLS certificate
- Runs a basic open relay test
Step 3: Review the results
Each MX server displays a clear status: reachable or not, STARTTLS supported, certificate valid, open relay detected or not. The diagnostics guide you toward corrective actions.
What is the SMTP protocol?
SMTP (Simple Mail Transfer Protocol, RFC 5321) is the standard protocol for transporting email between servers. When someone sends an email to your domain, the sending server:
- Resolves the MX records for your domain
- Connects to the MX server with the lowest priority value (preferred)
- Performs an SMTP handshake (banner, EHLO, STARTTLS)
- Delivers the message
Example SMTP session:
```
TCP connection to mx1.captaindns.com:25
← 220 mx1.captaindns.com ESMTP Postfix
→ EHLO sender.example.com
← 250-STARTTLS
← 250-SIZE 52428800
← 250 8BITMIME
→ STARTTLS
← 220 Ready for TLS
[TLS 1.3 handshake]
→ MAIL FROM:<user@example.com>
→ RCPT TO:<contact@captaindns.com>
→ DATA
```
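The reply framing in the session above can be checked offline. This added example (not the tester's own code) parses a banner and an EHLO reply and flags a missing STARTTLS; the function names, the report shape and the sample replies, including the mx2 one, are constructed for illustration.

```python
import re

# Constructed server replies modelled on the session above (not captured traffic).
BANNER = "220 mx1.captaindns.com ESMTP Postfix\r\n"
EHLO_OK = "250-mx1.captaindns.com\r\n250-STARTTLS\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"
EHLO_NO_TLS = "250-mx2.captaindns.com\r\n250 SIZE 10240000\r\n"

_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_reply(raw):
    """Split one SMTP reply into (code, [text of each line])."""
    # RFC 5321 framing: every line repeats the 3-digit code; "-" after the
    # code means another line follows, a space (or nothing) ends the reply.
    lines = raw.splitlines()
    if not lines:
        raise ValueError("empty reply")
    code, texts = None, []
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        if code not in (None, int(m.group(1))):
            raise ValueError("reply code changes inside a multi-line reply")
        code = int(m.group(1))
        if (m.group(2) == "-") != (i < len(lines) - 1):
            raise ValueError("continuation marker does not match line position")
        texts.append(m.group(3) or "")
    return code, texts

def ehlo_extensions(raw):
    """Map each advertised keyword to its parameters; line 1 is the greeting."""
    code, texts = parse_reply(raw)
    if code != 250:
        raise ValueError(f"EHLO refused with code {code}")
    return {kw.upper(): params for kw, _, params in (t.partition(" ") for t in texts[1:])}

def diagnose(banner, ehlo):
    """Summarise the pre-TLS handshake for one MX (report shape is hypothetical)."""
    code, texts = parse_reply(banner)
    exts = ehlo_extensions(ehlo)
    findings = []
    if code != 220:
        findings.append(f"banner code {code}: server is not accepting mail")
    if "STARTTLS" not in exts:
        findings.append("STARTTLS not advertised: delivery would be cleartext")
    size = exts.get("SIZE", "")
    return {"host": texts[0].split(" ")[0], "extensions": sorted(exts),
            "max_size": int(size) if size.isdigit() else None, "findings": findings}
```

After a successful STARTTLS the client sends EHLO again (RFC 3207), so run `ehlo_extensions` on that second reply as well: the list advertised before TLS is unauthenticated.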
What exactly does the tool analyze?
| Element | Description | Result |
|---|---|---|
| MX resolution | DNS query for the domain's MX records | List of servers with priority |
| TCP connection | Connection attempt on port 25 | Reachable / Unreachable + response time |
| SMTP banner | Capture of the initial 220 response | Hostname, detected MTA software |
| EHLO extensions | List of capabilities advertised by the server | STARTTLS, SIZE, PIPELINING, etc. |
| STARTTLS | TLS upgrade test | TLS version, cipher suite |
| TLS certificate | Server certificate inspection | Subject, issuer, expiration, SAN, chain |
| Open relay | MAIL FROM + external RCPT TO test | Relaying denied (OK) or accepted (danger) |
Real-world use cases
Incident 1: bouncing emails, silent revenue loss
Symptom: Senders receive "connection timeout" or "host unreachable" errors when sending to your domain. Support tickets pile up, but your monitoring shows nothing wrong.
Diagnostic: The SMTP/MX Tester shows that the secondary MX server (mx2) is unreachable: port 25 is blocked by the firewall after a recent infrastructure change.
Action: Open inbound port 25 on the mx2 server firewall, or remove the MX record if it's no longer active.
Incident 2: Expired TLS certificate
Symptom: Servers with strict MTA-STS refuse to deliver emails to your domain.
Diagnostic: The tool reports that the certificate expired 5 days ago (shown as "expires in -5 days"). In addition, the SAN hostname doesn't match the MX.
Action: Renew the TLS certificate and verify that the SAN includes the exact MX hostname.
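The two checks behind this incident, as an added example that is not the tester's own code: days until expiry and whether a SAN entry covers the MX hostname. It takes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificate, the function names and the 14-day warning threshold are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed certificate in the dict shape of ssl.SSLSocket.getpeercert().
CERT = {
    "notAfter": "Mar 10 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "mail.captaindns.com"),
                       ("DNS", "*.mail.captaindns.com")),
}

def days_left(cert, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     timezone.utc)
    return (expires - now).days

def san_matches(cert, hostname):
    """True if a DNS SAN covers hostname; '*' stands for exactly one leftmost label."""
    host = hostname.rstrip(".").lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False

def check_cert(cert, mx_host, now, warn_days=14):
    """Return a list of problems; warn_days is an assumed renewal margin."""
    problems = []
    left = days_left(cert, now)
    if left < 0:
        problems.append(f"expired {-left} days ago")
    elif left < warn_days:
        problems.append(f"expires in {left} days")
    if not san_matches(cert, mx_host):
        problems.append(f"no SAN entry covers {mx_host}")
    return problems
```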
Incident 3: open relay detected, blocklisted overnight
Symptom: Your IP suddenly appears on Spamhaus, Barracuda and Microsoft SNDS blocklists. Outbound email delivery drops to near zero.
Diagnostic: The open relay test shows that the server agrees to relay mail to external domains without authentication. Spammers have already found it.
Action: Configure the SMTP server to reject unauthenticated relaying. Check transport rules and relay restrictions. Request delisting from blocklists once the relay is closed.
FAQ
Q: Why should I test SMTP connectivity for my MX servers?
A: Even with perfect DNS records (SPF, DKIM, DMARC), if your MX servers are unreachable or don't support TLS, emails won't be delivered properly. This test checks the actual transport layer.
Q: What is STARTTLS and why does it matter?
A: STARTTLS (RFC 3207) upgrades a plaintext SMTP connection to an encrypted TLS connection. Without STARTTLS, emails travel in cleartext across the Internet. Most modern providers require STARTTLS.
Q: What is an open relay and why is it dangerous?
A: An open relay is an SMTP server that agrees to relay mail for anyone without authentication. It's a major security flaw exploited by spammers. Your server will be quickly blocklisted.
Q: What does the SMTP banner mean?
A: The banner is the server's first response (code 220). It contains the hostname and sometimes the MTA software. A properly configured banner should not leak sensitive information.
Q: My MX server is unreachable, what should I do?
A: Check the firewall (port 25), the SMTP service, and DNS MX records. Some cloud providers block outbound port 25 by default.
Q: Which TLS version is recommended?
A: TLS 1.2 minimum, TLS 1.3 recommended. Versions 1.0 and 1.1 are deprecated and vulnerable.
Q: How do I interpret EHLO extensions?
A: STARTTLS (encryption), SIZE (max size), 8BITMIME (encoding), PIPELINING (performance), SMTPUTF8 (internationalization). The more the server supports, the more modern it is.
Next step: go beyond SMTP
Your MX servers pass the SMTP test? Now make sure the full email authentication chain holds up. Check your MTA-STS policy, monitor TLS failures with TLS-RPT, and verify your domain isn't already on a blocklist.
Related tools
| Tool | Purpose |
|---|---|
| MTA-STS record check | Check the MTA-STS policy that enforces TLS for transport |
| TLS-RPT record check | Configure TLS reports to monitor connection failures |
| Domain DNS check | Complete SPF, DKIM, DMARC, MTA-STS, BIMI audit |
| Domain blocklist check | Check if your domain is on a blocklist |
| Mail Tester | Test your complete email deliverability |
Useful resources
- RFC 5321 (SMTP): SMTP protocol specification
- RFC 3207 (STARTTLS): SMTP extension for TLS
- RFC 8461 (MTA-STS): strict TLS transport for SMTP
- RFC 7672 (DANE): DNSSEC-based SMTP authentication
Privacy commitment
No SMTP connection data is stored. Results are not recorded and no email is sent during the test. The open relay test uses an RCPT TO command without sending a message (no DATA).