Transport Layer Security (TLS) for SMTP encrypts email communications between mail servers and clients, protecting sensitive information from interception. STARTTLS is a command that upgrades a plain text connection to an encrypted one.

• STARTTLS: Starts as plaintext, upgrades to TLS (25, 587)
• Direct TLS (SMTPS): TLS from the start of connection (465)

• Common Name: Domain name the certificate is issued for
• Alternative Names: Additional domains covered by this certificate
• Issuer: Certificate Authority that issued the certificate
• Valid Period: Date range when the certificate is valid
• Fingerprint: Unique identifier for this certificate
• Serial Number: Unique serial number assigned by the CA

• Always Use TLS: Unencrypted email can be intercepted and read by attackers
• Certificate Validation: Verify certificates are issued by trusted authorities
• Check Expiry Dates: Expired certificates will cause connection failures
• Use Modern Ports: Port 587 with STARTTLS is the recommended standard

• No STARTTLS Support: Server may not support encryption or firewall blocking
• Certificate Mismatch: Certificate domain doesn't match server hostname
• Expired Certificate: Certificate needs to be renewed
• Connection Timeout: Port may be blocked by firewall or wrong port number

• Port 587 with STARTTLS is the modern standard for email submission
• Port 465 uses direct TLS (no STARTTLS command needed)
• Port 25 is primarily for server-to-server communication
• Some ISPs block port 25 to prevent spam
• Certificate should match your mail server hostname
• Enable DANE/DNSSEC for additional security