SSL-Tools

SSL check results of protonmail.ch

NEW You can also bulk check multiple servers.

Discover if the mail servers for protonmail.ch can be reached through a secure connection.

To establish a secure connection a mail server has to offer STARTTLS (SSL), a trustworthy SSL certificate, support for the Diffie-Hellman-Algorithm to guarantee Perfect Forward Secrecy and must not be vulnerable against the Heartbleed attack. Futhermore we recommend using end-to-end encryption with GnuPG.

Summary

JSON Refresh

Report created Thu, 28 May 2026 02:28:51 +0000

The mailservers of protonmail.ch can be reached through a secure connection.

Servers

Incoming Mails

These servers are responsible for incoming mails to @protonmail.ch addresses.

Hostname / IP address Priority STARTTLS Certificates Protocol
mail.protonmail.ch
185.205.70.128
 5
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • SSLv3
25 s
mail.protonmail.ch
176.119.200.128
 5
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • SSLv3
19 s
mail.protonmail.ch
185.70.42.128
 5
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • SSLv3
19 s
mailsec.protonmail.ch
185.70.42.129
 10
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • SSLv3
2 s
mailsec.protonmail.ch
176.119.200.129
 10
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • SSLv3
2 s
mailsec.protonmail.ch
185.205.70.129
 10
supported
protonmail.com
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • SSLv3
2 s

Outgoing Mails

We have received emails from these servers with @protonmail.ch sender addresses. Test mail delivery

Host TLS Version & Cipher
mail-40138.protonmail.ch (185.70.40.138)
TLSv1.3 TLS_AES_256_GCM_SHA384
mail-40132.protonmail.ch (185.70.40.132)
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
mail-40131.protonmail.ch (185.70.40.131)
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
mail-40130.protonmail.ch (185.70.40.130)
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384

Certificates

First seen at:

CN=protonmail.com

Certificate chain
  • protonmail.com
    • remaining
    • 4096 bit
    • sha256WithRSAEncryption
      • R12
        • remaining
        • 2048 bit
        • sha256WithRSAEncryption
          • ISRG Root X1 (Certificate is self-signed.)
            • remaining
            • 4096 bit
            • sha256WithRSAEncryption
Subject
Common Name (CN)
  • protonmail.com
Alternative Names
  • *.pm.me
  • *.protonmail.ch
  • *.protonmail.com
  • *.protonvpn.ch
  • *.protonvpn.com
  • protonmail.com
Issuer
Country (C)
  • US
Organization (O)
  • Let's Encrypt
Common Name (CN)
  • R12
validity period
Not valid before
2026-05-18
Not valid after
2026-08-16
This certifcate has been verified for the following usages:
  • Digital Signature
  • Key Encipherment
  • TLS Web Server Authentication
Fingerprints
SHA256
02:72:D7:7C:BC:8A:CC:33:B5:0D:94:E6:C7:A7:FB:57:B7:BD:D2:6F:74:67:2E:FB:3D:16:92:EB:84:47:50:0A
SHA1
A4:F3:3D:BA:D6:84:75:BB:F3:18:90:58:4F:BF:BD:07:88:76:70:3E
X509v3 extensions
subjectKeyIdentifier
  • F1:A2:0A:FF:29:EF:F8:78:84:E8:07:0C:E0:56:8A:76:64:D2:2B:A5
authorityKeyIdentifier
  • keyid:00:B5:29:F2:2D:8E:6F:31:E8:9B:4C:AD:78:3E:FA:DC:E9:0C:D1:D2
authorityInfoAccess
  • CA Issuers - URI:http://r12.i.lencr.org/
certificatePolicies
  • Policy: 2.23.140.1.2.1
crlDistributionPoints
  • Full Name:
  • URI:http://r12.c.lencr.org/39.crl
ct_precert_scts
  • Signed Certificate Timestamp:
  • Version : v1 (0x0)
  • Log ID : CB:38:F7:15:89:7C:84:A1:44:5F:5B:C1:DD:FB:C9:6E:
  • F2:9A:59:CD:47:0A:69:05:85:B0:CB:14:C3:14:58:E7
  • Timestamp : May 18 14:13:01.717 2026 GMT
  • Extensions: none
  • Signature : ecdsa-with-SHA256
  • 30:45:02:20:62:E4:72:95:72:14:6A:F1:B1:D3:E2:91:
  • AB:F4:FA:19:CC:85:A3:35:22:E0:9F:0E:77:1C:10:E2:
  • 42:5A:A8:5C:02:21:00:96:D0:70:61:31:EB:7D:A7:FA:
  • EC:64:7F:4E:57:04:DA:0C:5B:A2:7C:77:ED:03:E8:9E:
  • D8:B1:B5:3A:32:83:31
  • Signed Certificate Timestamp:
  • Version : v1 (0x0)
  • Log ID : 6C:FE:50:19:43:A8:5E:A9:16:BC:52:D1:33:E4:DC:C9:
  • 1E:F1:41:1C:7D:25:84:20:D1:73:80:9E:18:18:EB:3A
  • Timestamp : May 18 14:13:02.150 2026 GMT
  • Extensions: 00:00:05:00:0C:1E:D1:10
  • Signature : ecdsa-with-SHA256
  • 30:46:02:21:00:BC:4D:15:DF:47:93:3C:9E:42:A9:B6:
  • 8E:59:E4:0B:CD:7B:E6:FB:4A:E4:26:04:63:7A:B5:9C:
  • 75:AE:54:E0:5F:02:21:00:C7:9F:0D:6A:14:C4:03:18:
  • 49:6F:C9:EB:BA:78:CC:50:5F:6A:07:7F:A2:61:39:C4:
  • C8:77:70:C2:3E:EB:00:01

DANE

DNS-based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates to be bound to DNS using TLSA records and DNSSEC.

Name Options DNSSEC Matches
_25._tcp.mail.protonmail.ch
  • DANE-EE: Domain Issued Certificate
  • Use subject public key
  • SHA-256 Hash
valid
_25._tcp.mail.protonmail.ch
  • DANE-EE: Domain Issued Certificate
  • Use subject public key
  • SHA-256 Hash
valid
valid
_25._tcp.mailsec.protonmail.ch
  • DANE-EE: Domain Issued Certificate
  • Use subject public key
  • SHA-256 Hash
valid
_25._tcp.mailsec.protonmail.ch
  • DANE-EE: Domain Issued Certificate
  • Use subject public key
  • SHA-256 Hash
valid
valid