← Back to Blog
tutorial

How to Test Email SSL/TLS Security: SMTP, IMAP & POP3 (2026)

Most people check SSL on their web server and call it done. But if you run your own mail server — or manage email for a company — the SMTP, IMAP, and POP3 connections are equally exposed. Email transmitted without encryption can be intercepted in transit, and an expired or misconfigured certificate on a mail server will cause email clients to throw errors or silently fall back to unencrypted connections.

✉️

Mail SSL Checker

Test SMTP, IMAP, and POP3 SSL/TLS certificates for your mail server.

Try It Free →

Testing Email SSL/TLS on Windows

Windows PowerShell / OpenSSL

Method 1: OpenSSL on Windows (Identical to Linux)

After installing OpenSSL (winget install ShiningLight.OpenSSL), the same openssl s_client commands work on Windows:

:: Test SMTP with STARTTLS openssl s_client -connect mail.yourdomain.com:587 -starttls smtp :: Test SMTP with direct TLS (port 465) openssl s_client -connect mail.yourdomain.com:465 :: Test IMAP with STARTTLS openssl s_client -connect mail.yourdomain.com:143 -starttls imap :: Test IMAP with direct TLS (port 993) openssl s_client -connect mail.yourdomain.com:993 :: Test POP3 with direct TLS (port 995) openssl s_client -connect mail.yourdomain.com:995

Method 2: PowerShell SMTP TLS Test

# Test SMTP connection and TLS handshake via PowerShell $smtp = "mail.yourdomain.com" $port = 587 $tcp = New-Object System.Net.Sockets.TcpClient($smtp, $port) $stream = $tcp.GetStream() $reader = New-Object System.IO.StreamReader($stream) $writer = New-Object System.IO.StreamWriter($stream) $writer.AutoFlush = $true # Read greeting $greeting = $reader.ReadLine() Write-Host "Server: $greeting" # Send EHLO $writer.WriteLine("EHLO testclient") Start-Sleep -Milliseconds 500 while ($stream.DataAvailable) { Write-Host $reader.ReadLine() } # Send STARTTLS $writer.WriteLine("STARTTLS") $response = $reader.ReadLine() Write-Host "STARTTLS response: $response" # Upgrade to TLS if ($response -match "^220") { $ssl = New-Object System.Net.Security.SslStream($stream) $ssl.AuthenticateAsClient($smtp) Write-Host "TLS handshake succeeded" Write-Host "Protocol: $($ssl.SslProtocol)" Write-Host "Cipher: $($ssl.CipherAlgorithm)" } $tcp.Close()

Method 3: Telnet on Windows (Basic Connectivity)

:: Enable Telnet (Windows feature, disabled by default): :: Control Panel → Programs → Turn Windows Features On or Off → check Telnet Client :: OR via PowerShell: Enable-WindowsOptionalFeature -Online -FeatureName TelnetClient :: Test basic connectivity (no TLS): telnet mail.yourdomain.com 25 telnet mail.yourdomain.com 587 :: After connecting, you should see the SMTP greeting. Type EHLO test to see capabilities.
Telnet won't test TLS directly — it can only verify TCP connectivity. Use OpenSSL on Windows for actual TLS testing. The PowerShell method above is the cleanest Windows-native approach for STARTTLS testing.

Testing Email SSL/TLS on macOS

macOS Terminal

macOS includes LibreSSL in Terminal — the commands are identical to Linux. For STARTTLS support, install full OpenSSL via Homebrew:

# Install OpenSSL for STARTTLS support (macOS LibreSSL may lack -starttls flag) brew install openssl OPENSSL=/opt/homebrew/opt/openssl/bin/openssl # Test SMTP with STARTTLS $OPENSSL s_client -connect mail.yourdomain.com:587 -starttls smtp # Test IMAP TLS $OPENSSL s_client -connect mail.yourdomain.com:993 # Verify the certificate presented matches your mail domain $OPENSSL s_client -connect mail.yourdomain.com:465 2>/dev/null | \ openssl x509 -noout -subject -dates # Check which TLS version is negotiated $OPENSSL s_client -connect mail.yourdomain.com:465 2>/dev/null | grep "Protocol"

macOS Mail.app uses the system TLS stack automatically. If you're debugging why Mail.app shows a certificate warning, check the certificate details by clicking the lock icon in the email connection error dialog, or check Console.app for Secure Transport errors.