SNI support in SMTP

While working on I experimented with routing emails based on SNI.

Let’s imagine a common email setup:

When someone sends an email to [email protected], it needs to resolve the MX record and then the A record to find the corresponding email server.

Traditionally, would run on its dedicated email server and listen on the port 25. To run a secure email server we have a TLS certificate stored on the server issued specificaly for

The certificate is presented to anyone connecting to the IP and asking for a secure connection. Which implies that it’s not related to the hostname we used to resolve the IP (A record), more importantly, most most clients will abort if the TLS certificate doesn’t match the hostname it attempted to connect to.

To address this issue we could use SNI since it appears earlier in the communication with the server and allows to select a TLS certificate to present to the client, which would use the right hostname. However, not all email clients support sending the SNI.

Email providers support

Name Support SNI?
Gmail yes
Yahoo no
AOL no
ProtonMail no
Outlook yes
Mailgun yes
Golang’s net/smtp yes

This list far from exhaustive, feel free to reach out if you want to try a specific email provider.

Reach out

Say hello: [email protected].

Ping me on Twitter: @svensauleau.