Getting STARTTLS Everywhere

Technical

Yesterday the Electronic Frontier Foundation released a new website for their STARTTLS Everywhere project. The STARTTLS Everywhere project has actually been going on for a number of years, but yesterday's reboot got a new website, new logos and a renewed marketing push, so it's been getting a lot of press.

The aim of the campaign ("make email delivery more secure") is one we've been excited about for a long time. We turned on STARTTLS for incoming email 9 years ago and outgoing email 8 years ago. Enabling STARTTLS support is fairly easy for most SMTP servers these days and anyone running an email server should do this.

To check if your email provider supports STARTTLS, the EFF built a tool that lets you test the mail servers for a particular domain and they put a "How secure is your email server?" box on the STARTTLS Everywhere site. Many of our customers are very interested in security, and we got a lot of hits to check FastMail hosted domains.

Normally, you would have seen exactly what you expect — our great support for STARTTLS (including only supporting modern TLS versions and having a TLS chained to a valid CA root). But there was just one problem! This wasn't a system that had sent mail to us, and it had no reputation with us. We take security and abuse very seriously, and a system with many rapid SMTP connections but no actual sending of mail triggered our spam detection systems. After repeated testing attempts, our security systems blocked the test tool as a likely spam bot.

For all of you who checked your domain yesterday without success, please try again — we've marked the STARTTLS Everywhere test tool as a valid source.

We welcome the efforts of the EFF in making email security more accessible. There are other efforts underway (such as DANE and MTA-STS) for ensuring that email is transferred securely between systems. In addition to our work on open-source email tools like Cyrus, we also work hard behind the scenes at industry and standards groups like the IETF and M3AAWG to build the next generation of standards. Seeing the industry settle on protocols is always the first step in making tools to make security the easy choice. We appreciate the work the EFF is doing with this campaign to drive support for standards on email, privacy and security.