STARTTLS and Transactional E-mail Providers
I have been looking at STARTTLS on a personal level for a while now, but recently I wanted to verify how transactional e-mail service providers (Sendgrid, Postmark, etc) stack up with their implementations for securely sending and delivering e-mail. This information may have previously been compiled, but I didn’t find it.
To accomplish verification I created a script to help audit the settings and ports and my findings so far are compiled in a table below. The script can be located here if you are interested in testing a provider not currently covered. Any feedback on this implementation in Python would be appreciated as well. I know a certificate/key can be added, but for the purpose of this quick test I did not implement them.
For testing I am manually verifying the headers of the e-mails themselves and looking at the debug output to determine the success so this isn’t completely automated.
No port 465 (SMTP SSL) connections available on any of the providers I have tested so far. They all want you to hit 25, 587 or 2525 with STARTTLS.
There are providers who support STARTTLS to connect but do not utilize it to deliver (Dyn).
Verify that you are connecting to the mail servers with STARTTLS (see my script for a Python example) and verify that your provider is then delivering mail with STARTTLS.
Politely contact your provider if they do not currently offer secure delivery and based on starttls.info scores there might be room for configuration improvements.
I would still like to verify Mailgun, Mandrill and any other providers that are out there. Let me know if you audit them and I will update the table!
Created with Compare Ninja