SSL-Tools

SSL check results of tuta.io

NEW You can also bulk check multiple servers.

Discover if the mail servers for tuta.io can be reached through a secure connection.

To establish a secure connection a mail server has to offer STARTTLS (SSL), a trustworthy SSL certificate, support for the Diffie-Hellman-Algorithm to guarantee Perfect Forward Secrecy and must not be vulnerable against the Heartbleed attack. Futhermore we recommend using end-to-end encryption with GnuPG.

Summary

JSON Refresh

Report created Fri, 30 Jan 2026 16:18:54 +0000

The mailservers of tuta.io can be reached through a secure connection.

Servers

Incoming Mails

These servers are responsible for incoming mails to @tuta.io addresses.

Hostname / IP address Priority STARTTLS Certificates Protocol
mail.tutanota.de
185.205.69.214
 0
supported
mail.tutanota.de
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • TLSv1.1
  • TLSv1.0
  • SSLv3
2 s
mail.tutanota.de
185.205.69.211
 0
supported
mail.tutanota.de
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • TLSv1.1
  • TLSv1.0
  • SSLv3
2 s
mail.tutanota.de
185.205.69.213
 0
supported
mail.tutanota.de
DANE
valid
PFS
supported
Heartbleed
not vulnerable
Weak ciphers
not found
  • TLSv1.2
  • TLSv1.1
  • TLSv1.0
  • SSLv3
2 s

Outgoing Mails

We have received emails from these servers with @tuta.io sender addresses. Test mail delivery

Host TLS Version & Cipher
w1.tutanota.de (81.3.6.162)
TLSv1.3 TLS_AES_256_GCM_SHA384

Certificates

First seen at:

CN=mail.tutanota.de

Certificate chain
Subject
Common Name (CN)
  • mail.tutanota.de
Alternative Names
  • mail.tutanota.de
  • www.mail.tutanota.de
Issuer
Country (C)
  • GB
Organization (O)
  • Sectigo Limited
Common Name (CN)
  • Sectigo Public Server Authentication CA DV E36
validity period
Not valid before
2025-08-05
Not valid after
2026-09-05
This certifcate has been verified for the following usages:
  • Digital Signature
  • TLS Web Server Authentication
  • TLS Web Client Authentication
Fingerprints
SHA256
D1:41:F8:F3:A4:AA:C2:E4:D2:67:7A:AF:CC:72:3D:8E:5C:C7:B1:46:E9:68:C3:AE:A3:48:ED:93:99:6B:BE:6F
SHA1
11:06:91:C0:A1:B6:F6:CC:24:EA:BA:06:F6:6D:6C:DC:E5:2A:0E:11
X509v3 extensions
authorityKeyIdentifier
  • keyid:17:99:A8:04:C1:6F:E4:2D:70:A8:0A:10:3D:03:D3:E9:1A:B8:26:63
subjectKeyIdentifier
  • 40:16:F5:24:F7:4E:63:F9:C0:A8:A2:9C:D7:C6:81:36:4E:AB:98:39
certificatePolicies
  • Policy: 1.3.6.1.4.1.6449.1.2.2.7
  • CPS: https://sectigo.com/CPS
  • Policy: 2.23.140.1.2.1
authorityInfoAccess
  • CA Issuers - URI:http://crt.sectigo.com/SectigoPublicServerAuthenticationCADVE36.crt
  • OCSP - URI:http://ocsp.sectigo.com
ct_precert_scts
  • Signed Certificate Timestamp:
  • Version : v1 (0x0)
  • Log ID : D8:09:55:3B:94:4F:7A:FF:C8:16:19:6F:94:4F:85:AB:
  • B0:F8:FC:5E:87:55:26:0F:15:D1:2E:72:BB:45:4B:14
  • Timestamp : Aug 5 07:44:27.237 2025 GMT
  • Extensions: none
  • Signature : ecdsa-with-SHA256
  • 30:46:02:21:00:F9:82:8A:5C:16:91:92:FC:B8:1F:98:
  • 33:E7:22:A2:3B:C4:4E:B5:70:21:BF:56:3A:14:58:EC:
  • 0B:14:B1:7D:54:02:21:00:80:4B:00:7B:19:AA:F3:91:
  • 93:73:8D:D6:E2:CD:13:47:8C:D7:07:89:A1:4C:28:23:
  • 91:87:2F:21:9A:46:08:73
  • Signed Certificate Timestamp:
  • Version : v1 (0x0)
  • Log ID : AC:AB:30:70:6C:EB:EC:84:31:F4:13:D2:F4:91:5F:11:
  • 1E:42:24:43:B1:F2:A6:8C:4F:3C:2B:3B:A7:1E:02:C3
  • Timestamp : Aug 5 07:44:27.192 2025 GMT
  • Extensions: none
  • Signature : ecdsa-with-SHA256
  • 30:44:02:20:6B:71:B9:9D:60:73:6F:B9:BD:FE:53:19:
  • 43:BB:3B:4C:E4:AA:6C:DD:64:65:45:A4:25:52:F4:88:
  • 1D:2B:FC:16:02:20:5F:7D:26:AF:DF:BD:41:BE:95:88:
  • 27:9D:4E:36:E3:ED:42:11:96:20:A2:00:EC:02:24:F1:
  • C5:14:07:F4:E8:23
  • Signed Certificate Timestamp:
  • Version : v1 (0x0)
  • Log ID : D7:6D:7D:10:D1:A7:F5:77:C2:C7:E9:5F:D7:00:BF:F9:
  • 82:C9:33:5A:65:E1:D0:B3:01:73:17:C0:C8:C5:69:77
  • Timestamp : Aug 5 07:44:27.148 2025 GMT
  • Extensions: none
  • Signature : ecdsa-with-SHA256
  • 30:46:02:21:00:AA:7E:88:98:0B:B3:B2:D0:61:6D:FF:
  • 98:B9:68:2F:82:79:A5:E1:63:B0:D0:6A:1B:DE:9B:CE:
  • 06:C9:00:7E:67:02:21:00:E1:3C:0D:07:F8:EB:01:2A:
  • AC:CE:0F:6A:2E:6E:99:02:D4:D3:2A:B5:C4:2B:3A:AD:
  • 84:9A:20:E7:68:55:04:19

DANE

DNS-based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates to be bound to DNS using TLSA records and DNSSEC.

Name Options DNSSEC Matches
_25._tcp.mail.tutanota.de
  • DANE-EE: Domain Issued Certificate
  • Use full certificate
  • SHA-256 Hash
valid
_25._tcp.mail.tutanota.de
  • DANE-EE: Domain Issued Certificate
  • Use full certificate
  • SHA-256 Hash
valid
valid