Email Security Tests

What we check and how it works.



Our service lets you test your outbound server's configuration for IPv6 support (email delivery and DNS resolution), as well as various email security features (MTA-STS, DANE, DNSSEC (in DNS resolution), TLS, etc.). To do that, we set up several email addresses to which you either can or cannot send emails, depending on how your outbound mail server is configured and which (security) features it supports.

To start a test, you can ask us to send you an email. That email does not start any measurements, and (if somebody else entered your email address) contains a permanent opt-out link.

The measurements take place only when you hit 'Reply All' on that email and send emails to us (by us either receiving or not receiving emails from you). All our target email addresses are configured 'normally', in the sense that you regularly encounter email addresses configured just like that when communicating with others on the Internet. Hence, the worst thing that can happen is that your mailserver is unable to deliver emails you send to us and lets you know via a bounce notification.

Below, you can find a list of all measurement addresses (all under measurement.email-security-scans.org) we are using, along with an explanation of how we configured that address/subdomain, and what we measure by (not) receiving emails there.

If you still encounter issues, or even observe a case where sending emails to us breaks something, please contact us at abuse@email-security-scans.org.

Measurement Address Description
measurement@mail-plaintext. This address is reachable via IPv4 and IPv6, but only allows plaintext connections. If you cannot send an email here, your mailserver does not support plaintext emails.
measurement@v4-mail. This address is only reachable via IPv4, and accepts plaintext connections and as many ciphers and TLS versions as possible. If you cannot send an email here, your mailserver does not support sending emails via IPv4.
measurement@v6-mail. This address is only reachable via IPv6, and accepts plaintext connections and as many ciphers and TLS versions as possible. If you cannot send an email here, your mailserver does not support sending emails via IPv6.
measurement@v4-mail.v6only. Like measurement@v4-mail., but the domain can only be resolved via IPv6. If you cannot send an email here, but to measurement@v4-mail., your mailserver's DNS resolver does not support IPv6 DNS resolution.
measurement@v6-mail.v6only. Like measurement@v6-mail., but the domain can only be resolved via IPv6. If you cannot send an email here, but to measurement@v6-mail., your mailserver's DNS resolver does not support IPv6 DNS resolution.
measurement@v4-mail.dnssec-broken. Like measurement@v4-mail., but DNSSEC is broken. If you can send an email to measurement@v4-mail. and this address, your mailserver's DNS resolver does not support DNSSEC.
measurement@v6-mail.dnssec-broken. Like measurement@v6-mail., but DNSSEC is broken. If you can send an email to measurement@v6-mail. and this address, your mailserver's DNS resolver does not support DNSSEC.
measurement@v4-mail-greylisting. Like measurement@v4-mail., but our server implements greylisting. If you can send an email to measurement@v4-mail. and this address, your mail server queues temporarily undeliverable mails and reattempts delivery (as it should).
measurement@v6-mail-greylisting. Like measurement@v6-mail., but our server implements greylisting. If you can send an email to measurement@v6-mail. and this address, your mail server queues temporarily undeliverable mails and reattempts delivery (as it should).
measurement@mail-tls-force. This address is reachable via IPv4 and IPv6, but enforces TLS use with as many ciphers and TLS versions as possible, presenting a valid certificate. If you cannot send an email here, your mailserver does not support (newer than SSLv3) TLS for outbound connections.
measurement@mail-tls-invalid. Like measurement@mail-tls-force., but the certificate is invalid (non-matching and expired). If you can send an email to measurement@mail-tls-force., but not here, your mailserver validates
measurement@mail-tlsa-invalid. Like measurement@mail-tls-invalid., but with an invalid TLSA record. If you could send to measurement@mail-tls-invalid. but not here, your mailserver validates DANE.
measurement@mail-tlsv13. Like measurement@mail-tls-force.measurement, but enforcing TLSv1.3. If you can deliver an email here, your mailserver supports TLSv1.3.
measurement@mail-notlsv13. Like measurement@mail-tls-force.measurement, but not supporting TLSv1.3. If you cannot deliver an email here, your mailserver enforces at least TLSv1.3.
measurement@mail-strong-force-tls. Like measurement@mail-tls-force., but only supporting high cipher settings according to https://www.sidn.nl/en/modern-internet-standards/hands-on-implementing-dane-in-postfix; implies no TLSv1.0 and no TLSv1.1. If no mail is received, your mailserver does not support strong ciphers.
measurement@mail-medium-force-tls. Like measurement@mail-tls-force., but only supporting medium cipher settings according to https://www.sidn.nl/en/modern-internet-standards/hands-on-implementing-dane-in-postfix; implies no TLSv1.0 and no TLSv1.1. If no mail is received, your mailserver does not support medium strength ciphers.
measurement@random_id.dns. A unique random ID for your email test, which helps us to tie your DNS resolver to your emails.
measurement@random_id.uniq. A unique random ID for your email test, which helps us to tie DMARC bounces and TLS-RPT messages to your emails.
measurement@mail-mtasts-n-iv. If an email is received, the remote does not validate MTA-STS if the policy is delimited with \n; If a mail is not received for plain but here, the remote uses MTA-STS only to force opportunistic encryption.
measurement@mail-mtasts-rn-iv. If an email is received, the remote does not validate MTA-STS if the policy is delimited with \r\n; If a mail is not received for plain but here, the remote uses MTA-STS only to force opportunistic encryption.
measurement@mail-mtasts-rn-plain. If an email is received, the remote does not validate MTA-STS if the policy is delimited with \r\n; If a mail is received here, most likely no MTA-STS takes place.
measurement@mail-mtasts-rn-mult-ivv. If an email is received, check if it came via tls-force or tls-invalid; If it came via tls-invalid, MTA-STS processing is broken (see options above).
measurement@mail-mtasts-rn-mult-ivp. If an email is received, check if it came via tls-invalid or plaintext; if it came via plaintext, MTA-STS processing is broken (see options above); if it came via tls-invalid, see the options above for mtasts-n/rn-iv re: opportunistic encryption.
measurement@mail-tlsaivv. TLSA invalid / Valid Certificate / No MTA-STS; if TLSA is supported in other tests, the remote prefers PKIX over TLSA.
measurement@mail-tlsaviv. TLSA valid / Invalid Certificate / No MTA-STS; This case should be delivered by remotes that support TLSA, even if they perform strong TLS enforcing (see plaintext result)
measurement@mail-mtastsv-tlsaivv-rn. TLSA Invalid / Valid Certificate / Valid MTA-STS n; Should not be delivered if TLSA is correctly preferred over MTA-STS and both are supported (see other tests); \r\n delimiting
measurement@mail-mtastsiv-tlsaviv-rn. TLSA Valid / Invalid Certificate / Invalid MTA-STS; Should be delivered if TLSA is correctly preferred over MTA-STS and both are supported (see other tests); \r\n delimiting
measurement@mail-mtastsiv-tlsavv-rn. TLSA Valid / Valid Certificate / Invalid MTA-STS; Should be delivered if TLSA is correctly preferred over MTA-STS and both are supported (see other tests); \r\n delimiting
measurement@mail-tlsa-invalid.nodnssec. TLSA Invalid / Invalid Certificate; If TLSA is supported as well as opportunistic encryption, this should be delivered as the TLSA record should not work on a non-DNSSEC signed domain; If it is, DNSSEC is ignored for TLSA.
measurement@mail-tlsa-valid.nodnssec. TLSA Invalid / Valid Certificate; If TLSA is supported as well as encryption, this should be delivered as the TLSA record should not work on a non-DNSSEC signed domain; If it is, DNSSEC is ignored for TLSA. Uses a PKIX valid cert to catch cases where remotes enforce valid certs.
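
The pairwise comparisons in the table (a baseline address against its variant) can be applied mechanically to a list of which addresses received mail. The following Python is an added example, not the service's own code; it covers the IPv4/IPv6, DNS, greylisting and basic TLS/DANE rows, and the function name, finding strings and sample result set are assumptions made for illustration.

```python
# Added example: interpret which measurement subdomains received mail,
# following the comparisons in the table above. Function names and the
# wording of the findings are illustrative, not the service's own.

def interpret(delivered):
    """delivered: set of subdomain labels (e.g. 'v4-mail') that got mail."""
    got = delivered.__contains__
    findings = []

    for fam in ("v4", "v6"):
        base = f"{fam}-mail"
        if not got(base):
            findings.append(f"IP{fam}: no delivery")
            continue  # the comparisons below need the baseline address
        if not got(f"{base}.v6only"):
            findings.append(f"IP{fam}: resolver lacks IPv6 DNS resolution")
        if got(f"{base}.dnssec-broken"):
            findings.append(f"IP{fam}: resolver does not validate DNSSEC")
        if got(f"{base}-greylisting"):
            findings.append(f"IP{fam}: retries after greylisting")

    if not got("mail-tls-force"):
        findings.append("TLS: no outbound TLS support")
        return findings  # remaining TLS rows are relative to mail-tls-force
    if got("mail-tls-invalid"):
        # DANE is judged against mail-tls-invalid, as in the table
        if not got("mail-tlsa-invalid"):
            findings.append("TLS: validates DANE")
    else:
        findings.append("TLS: rejects the invalid certificate")
    if got("mail-tlsv13"):
        findings.append("TLS: supports TLSv1.3")
    if not got("mail-notlsv13"):
        findings.append("TLS: enforces at least TLSv1.3")
    if not got("mail-strong-force-tls"):
        findings.append("TLS: no strong cipher support")
    return findings


# Constructed sample: a sender with IPv4 only, a non-validating resolver
# that can query over IPv6, working retries, and opportunistic TLS.
SAMPLE = {
    "mail-plaintext", "v4-mail", "v4-mail.v6only", "v4-mail.dnssec-broken",
    "v4-mail-greylisting", "mail-tls-force", "mail-tls-invalid",
    "mail-tlsa-invalid", "mail-tlsv13", "mail-notlsv13",
    "mail-strong-force-tls",
}

if __name__ == "__main__":
    for line in interpret(SAMPLE):
        print(line)
```

A variant is only meaningful when its baseline address was delivered, which is why the function stops evaluating a family (or the TLS rows) as soon as the baseline is missing.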