
PostProbe — Free Online SMTP Test (Connection, TLS/STARTTLS, Auth, Blacklists, Deliverability)
Paste your SMTP host and port to verify connection, TLS/STARTTLS, authentication, and sendability. PostProbe surfaces common misconfigurations—SPF, DKIM, DMARC alignment hints, PTR, rDNS, and blacklist checks—for reliable email delivery.
Email delivery breaks in subtle ways: a port closed on a firewall, STARTTLS not offered, hostname mismatches, or an auth method your client doesn’t support. The result is the same—messages that stall, bounce, or get quarantined. PostProbe turns guesswork into a quick, guided check: enter your SMTP server details and get a clear pass/fail snapshot across connectivity, encryption, authentication, and deliverability signals, with practical fixes you can apply right now.
This article explains what PostProbe checks, why each check matters, and how to use the results to move from “it times out” to “it’s fixed.”
What PostProbe actually tests (and why it matters)
1) Network reachability
- Host & port: Confirms the server is accessible on common ports (25, 465, 587).
- Latency & banner: Measures initial handshake time and captures the server banner (e.g., 220 mail.example.com ESMTP).
- Firewall/NAT clues: Distinguishes between connection refused, timeout, and blocked by policy, which point to different owners (network vs. server).
2) TLS/STARTTLS health
- STARTTLS offer (ports 25, 587): Verifies the server advertises STARTTLS after EHLO and that the upgrade succeeds.
- Implicit TLS (port 465): Checks certificate validity at connect time.
- Certificate details: Hostname/SAN match, expiry, chain completeness, modern signature (e.g., SHA-256), and key type/size.
- Protocol/cipher sanity: Confirms TLS 1.2/1.3 availability and flags legacy protocols.
3) SMTP capabilities (EHLO)
- Parses EHLO extensions such as AUTH, SIZE, 8BITMIME, PIPELINING, DSN, SMTPUTF8, CHUNKING.
- Highlights capability gaps that cause client errors (e.g., no AUTH on port 587, or SIZE limit too small).
4) Authentication readiness
- AUTH mechanisms: Lists supported methods (PLAIN, LOGIN, CRAM-MD5, OAUTHBEARER, XOAUTH2) and whether they are gated behind TLS.
- Policy sanity: Warns if insecure auth is permitted without TLS (bad practice).
- Submission vs. relay: Distinguishes port 587 (submission) policies from 25 (relay) behavior.
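The capability and authentication checks in sections 2 to 4 can be reproduced offline against captured EHLO replies. The following is an added example, not PostProbe's own code; the sample replies are constructed, and the function names and the 10 MB `min_size` threshold are assumptions chosen for illustration.

```python
import re

# Constructed EHLO replies (sample data, not captured from a real server).
WEAK_PRE = "250-mail.example.com\n250-SIZE 1048576\n250-AUTH=PLAIN LOGIN\n250 8BITMIME"
GOOD_PRE = "250-mail.example.com\n250-SIZE 52428800\n250-STARTTLS\n250 8BITMIME"
GOOD_POST = "250-mail.example.com\n250-SIZE 52428800\n250-AUTH PLAIN LOGIN XOAUTH2\n250 8BITMIME"

def parse_ehlo(reply):
    """Map each EHLO keyword to its parameter list ('250-KEY params' lines)."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:  # line 1 is the server greeting
        m = re.match(r"250[- ]([^\s=]+)(?:[ =](.*))?$", line.strip())
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").upper().split()
    return caps

def audit_submission(pre_tls, post_tls=None, min_size=10_000_000):
    """Audit a port-587 style service. post_tls is the EHLO reply seen after
    the STARTTLS upgrade, or None when no upgrade was possible."""
    pre = parse_ehlo(pre_tls)
    post = parse_ehlo(post_tls) if post_tls else {}
    findings = []
    if "STARTTLS" not in pre:
        findings.append("FAIL no STARTTLS advertised")
    if "AUTH" in pre:
        findings.append("FAIL AUTH offered in cleartext: " + " ".join(pre["AUTH"]))
    if post_tls and "AUTH" not in post:
        findings.append("FAIL AUTH not available after TLS")
    size = (post or pre).get("SIZE", [])
    # SIZE 0 means "no fixed limit" (RFC 1870), so only flag small positive values.
    if size and size[0].isdigit() and 0 < int(size[0]) < min_size:
        findings.append("WARN SIZE limit %s below %d bytes" % (size[0], min_size))
    return findings

if __name__ == "__main__":
    for name, args in [("weak", (WEAK_PRE,)), ("good", (GOOD_PRE, GOOD_POST))]:
        print(name, audit_submission(*args) or ["PASS"])
```

The parser accepts both the standard `AUTH PLAIN LOGIN` form and the legacy `AUTH=PLAIN LOGIN` form that some servers still emit.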
5) Sender identity & deliverability signals (informational)
- PTR (reverse DNS): Checks that your server’s IP resolves to a sensible hostname (e.g., mail.example.com) and matches forward DNS.
- SPF presence: Looks up the domain’s SPF record and notes obvious pitfalls (e.g., multiple +all or missing include).
- DKIM selector sanity: Confirms DKIM TXT record exists for a provided selector and that it isn’t malformed.
- DMARC policy: Reports whether p= is none, quarantine, or reject, with alignment reminders.
- Blacklist glance: Lightweight check against prominent real-time lists to catch reputation blockers before you test sends.
(PostProbe doesn’t modify DNS or send bulk mail; these are read-only checks to guide you.)
Who benefits (and how)
- Developers & SREs: Triage “can’t send email” incidents in minutes; confirm post-change health after rotating certs or moving providers.
- IT & MSPs: Validate submission ports for Outlook/Apple Mail/Mobile; produce a shareable report for customers.
- Marketers & CRM teams: Confirm infrastructure health before launching campaigns; reduce soft bounces and spam-folder surprises.
- Support engineers: Translate vague user errors into concrete steps (“STARTTLS missing on 587—enable it and restart.”).
How to run a clean test (60-second workflow)
- Enter SMTP host and port. Use mail.example.com with 587 for submission, 465 for implicit TLS, or 25 for server-to-server relay checks.
- Choose test depth. Quick (connect + EHLO) or Full (TLS, AUTH, identity, blacklists).
- Optionally add credentials (stored ephemerally) to verify AUTH and a test send to a neutral mailbox.
- Run PostProbe. Review results grouped by Connectivity, TLS, Capabilities, Auth, and Deliverability signals.
- Apply fixes (see below), then re-run to confirm.
Understanding ports (and picking the right one)
- 587 — Submission (STARTTLS)
For clients/users sending mail via your server. Should require AUTH and offer STARTTLS.
- 465 — SMTPS (implicit TLS)
TLS from the first byte. Popular with many clients; ensure a valid certificate and modern ciphers.
- 25 — Relay (server-to-server)
Used for inter-server delivery. Typically no AUTH, may offer STARTTLS. Firewalls/ISPs may block outbound 25 for consumers.
Best practice: Offer 587 (STARTTLS + AUTH) for end users, 465 if your client base expects it, and keep 25 for MX/relay with sane policies.
Common findings—and what to fix
“Connection timed out on port 587”
- Cause: Firewall or ISP block.
- Fix: Open port 587 on your edge firewall and security groups; confirm NAT rules; verify the service is listening.
“No STARTTLS advertised on 587”
- Cause: Misconfigured submission service or TLS disabled.
- Fix: Enable STARTTLS in your MTA (Postfix smtpd_tls_security_level = may or better; Exim tls_advertise_hosts = *), and install a valid cert.
“Certificate mismatch or expired”
- Cause: Wrong CN/SAN or lapsed certificate.
- Fix: Reissue with the exact hostnames clients use; install full chain; set up auto-renewal (ACME).
“AUTH not available” (on 587)
- Cause: Auth disabled or only enabled post-STARTTLS.
- Fix: Enable SASL and advertise AUTH after EHLO (ideally only after TLS). Provide PLAIN/LOGIN at minimum; consider OAUTH for modern clients.
“Weak TLS or old ciphers”
- Cause: Legacy defaults.
- Fix: Enable TLS 1.2/1.3; prefer ECDHE with AES-GCM/ChaCha20; disable SSLv3/TLS 1.0/1.1 and RC4/3DES.
“Reverse DNS missing / generic PTR”
- Cause: ISP default PTR (123-45-6-7.isp.example).
- Fix: Ask your IP owner to set PTR to mail.example.com and ensure forward DNS points back to the same IP.
“SPF softfail/none”
- Cause: Your sending host/IP not authorized.
- Fix: Add/adjust SPF to include your sending service or IP ranges. Keep it under 10 DNS lookups; avoid +all.
“DKIM selector not found”
- Cause: Record missing or wrong selector.
- Fix: Publish the public key at selector._domainkey.example.com and enable signing on the MTA or ESP.
“DMARC not configured”
- Cause: No domain policy.
- Fix: Start with p=none for reporting; move to quarantine/reject as alignment improves.
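The SPF and DMARC findings above can be checked mechanically once the TXT records are in hand. This is an added example, not PostProbe's own code; the records are constructed samples, the function names are assumptions, and the lookup count covers only the record's own terms (nested includes would need live DNS).

```python
import re

# Constructed TXT records (sample data; a live check would fetch them via DNS).
SPF = "v=spf1 include:_spf.esp.example a mx ip4:203.0.113.0/24 +all"
DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

# Terms that each cost one DNS lookup toward the SPF limit of 10 (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """txt_records: all TXT strings published at the sending domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["FAIL no SPF record"]
    findings = []
    if len(spf) > 1:
        findings.append("FAIL %d SPF records published; only one is allowed" % len(spf))
    lookups = 0
    for term in spf[0].split()[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        # A bare "all" defaults to the "+" qualifier, so it is flagged too.
        if name == "all" and term[0] not in "-~?":
            findings.append("FAIL '%s' authorizes every sender" % term)
    # Counts this record's own terms only; nested includes add more lookups.
    if lookups > 10:
        findings.append("FAIL %d DNS lookups (limit 10)" % lookups)
    return findings

def lint_dmarc(record):
    """record: the TXT string at _dmarc.<domain>, or None when absent."""
    if not record or not record.replace(" ", "").lower().startswith("v=dmarc1"):
        return ["FAIL no DMARC record"]
    pairs = (t.split("=", 1) for t in record.split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return ["FAIL missing or invalid p= tag"]
    if tags["p"] == "none":
        return ["INFO p=none is reporting only; no enforcement yet"]
    return []

if __name__ == "__main__":
    print(lint_spf([SPF]), lint_dmarc(DMARC))
```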
Best practices that keep mail flowing
- Submission hygiene: Require AUTH on 587/465 and enforce STARTTLS or implicit TLS; disallow plain auth over cleartext.
- Certificates: Use a cert that matches the exact hostname clients enter; include intermediates; renew automatically.
- Modern TLS: Keep TLS 1.2/1.3; remove older protocols and ciphers.
- Identity & reputation: Maintain PTR/rDNS; publish SPF, DKIM, and DMARC; monitor DMARC reports to catch drift.
- Rate limiting & abuse controls: Throttle suspicious bursts; enable auth lockouts and alerting.
- Monitoring: Schedule periodic PostProbe runs for key domains; alert on TLS expiry and capability changes.
- Documentation: Keep a one-pager with ports, TLS policies, AUTH methods, and DNS records. It saves hours during incidents.
Troubleshooting quick guide (symptom → likely cause → action)
- “Client says ‘Cannot send mail.’” → Port blocked or wrong port → Use 587 or 465; open firewall; verify service is listening.
- “Certificate warning in Outlook/Apple Mail.” → Hostname mismatch/expired cert → Reissue for the client-entered name; install full chain.
- “Auth works on Wi-Fi but not mobile network.” → ISP blocks port 25 → Use 587/465 for submission.
- “Mail sent but lands in spam.” → Missing SPF/DKIM/DMARC or poor reputation → Fix DNS auth, check content, warm up IP/domain, monitor DMARC.
- “Some recipients bounce with ‘TLS required’.” → Peer requires TLS, your server didn’t negotiate → Ensure STARTTLS on 25 and modern ciphers.
- “Large attachments fail.” → SIZE limit too low → Raise server size limits and align with client/app expectations.
Security notes (don’t skip)
- Never allow AUTH without encryption. Advertise and accept AUTH only after STARTTLS/implicit TLS.
- Disable plaintext legacy ports. Close any old submission ports that don’t enforce TLS.
- Patch your MTA. Keep Postfix/Exim/Exchange/Sendmail up to date; crypto improvements land regularly.
- Protect credentials. Prefer OAuth where available; rotate passwords and restrict app passwords.
- Abuse prevention. Enable rate limits, connection throttling, and anomaly alerts to stop compromised accounts from spamming.
FAQs
What’s the difference between ports 465 and 587?
465 is implicit TLS (encrypted from byte one). 587 is submission with STARTTLS upgrade. Both are for client-to-server sending; offer at least one.
Do I need TLS on port 25?
Offer STARTTLS on 25; many receiving servers prefer or require it for relay. It’s not always mandatory, but it’s best practice.
Can PostProbe send a test message?
Yes—optionally with your credentials—to verify AUTH and basic delivery. It won’t send bulk mail or store content.
Will PostProbe fix my SPF/DKIM/DMARC?
It won’t edit DNS, but it will explain what’s missing or misaligned so you can update records correctly.
Why does my server advertise AUTH only after STARTTLS?
That’s deliberate and good: it prevents credentials from traveling in cleartext.
We use an ESP—should we still run PostProbe?
Yes. Validate your submission host and confirm DNS (SPF/DKIM/DMARC) align with your ESP’s guidance.
Final takeaway
SMTP issues can hide anywhere between network, TLS, auth, and domain identity. PostProbe pulls those threads together into one fast, readable report. Verify the right port, ensure encrypted submission, advertise sane AUTH, and keep SPF/DKIM/DMARC aligned. Do that—and keep an eye on PTR and reputation—and your email moves from fragile to predictably deliverable.