To be clear: This list does not want to make any statement about the quality of the email providers or their services. It takes more than just encryption to provide a secure and reliable email service.

This is a manually created list which might be outdated in some places. In addition, test results may be wrong for various reasons. Please take into account the fact that email providers have to be very cautious when modifying their servers, e.g. to not lock out old clients and to avoid problems when receiving or sending emails.

So, please don't take this list too seriously, and/or try to understand the test results and the implications they might have:

[1] MECSA Technical Details

[3] Understanding the CryptCheck results (IMAPS,POP3S,SMTPS,SMTP and HTTPS)

[5] STARTTLS Everywhere - prevent/detect downgrade attacks and interception by hosting a preload list.

[6] MTA-STS - RFC 8461 (prevent/detect downgrade attacks and interception by publishing MTA-STS policy via HTTPS) has just been released (September 2018).

It is currently rarely used, partly because it is quite new (first draft 2016) and partly because it has some very unusual aspects, to say the least.

Even those who submitted the draft (e.g. Yahoo, Google and Microsoft) are not using it.

Please be aware that a published record does not automatically mean that it will actually be used.



[8] Sender Policy Framework (SPF) - RFC7208 (publish the Sender Policy via DNS Record to help receiving hosts to check authorization):

"No" - no SPF record

"Neutral" - must be treated exactly like "none", but some spam filters use it

"Softfail" - treated as somewhere between "Reject" and "Neutral"

"Reject" - reject message during the SMTP transaction (don't!), or use it for spam rating.
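
One way to derive these labels from a domain's published TXT records, as an added example that is not part of the original list or the tools it links to. It assumes the label follows the qualifier on the record's `all` mechanism; the labels "Pass", "Invalid" and "Redirect: ..." and all sample records are constructed for illustration.

```python
# Added example. Assumption: the labels above reflect the qualifier on the
# record's "all" mechanism. Input is TXT strings, so no DNS lookup is needed.
QUALIFIER_LABEL = {"-": "Reject", "~": "Softfail", "?": "Neutral", "+": "Pass"}

# Constructed sample TXT record sets (example domains, documentation IP range).
SAMPLES = {
    "strict.example": ["v=spf1 mx -all"],
    "soft.example": ["some-verification=constructed",
                     "v=spf1 include:_spf.example.net ~all"],
    "open.example": ["v=spf1 ip4:192.0.2.0/24"],
    "none.example": ["some-verification=constructed"],
}


def spf_records(txt_records):
    """Keep only TXT strings that are SPF version 1 records."""
    return [t for t in txt_records
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]


def spf_label(txt_records):
    """Say how a domain asks receivers to treat senders it does not list."""
    records = spf_records(txt_records)
    if not records:
        return "No"
    if len(records) > 1:
        return "Invalid"  # hypothetical label: RFC 7208 makes this a permerror
    redirect = None
    for term in records[0].split()[1:]:
        lowered = term.lower()
        if lowered.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if lowered[0] in QUALIFIER_LABEL:
            qualifier, lowered = lowered[0], lowered[1:]
        if lowered == "all":
            # Nothing after "all" is evaluated, and it overrides any redirect.
            return QUALIFIER_LABEL[qualifier]
    if redirect:
        return "Redirect: " + redirect  # hypothetical label: policy is elsewhere
    return "Neutral"  # no "all", no redirect: RFC 7208 default result


if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, "->", spf_label(txt))
```

A record without any `all` term and without `redirect=` evaluates to "Neutral" for unlisted senders, which is why `open.example` is not reported as "No".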

[10] Multi-factor authentication (MFA):

"granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism".

Some claim to have the only correct/secure implementation, but offer insecure reset functions. I don't want to score such things.

So, the list only indicates whether there is any kind of MFA or not, regardless of the way it is implemented.

more to come

Please feel free to send links, corrections or extra info to: a2e7ff3a@dismail.de (email/xmpp)

Last update: 2020-01-02

Changes: