NetQuery Tools: DNS, email, and network investigation platform

SMTP Capability Probe

Frequently Asked Questions

What does this probe do?
It connects to your SMTP server, issues EHLO and STARTTLS where supported, and reports capabilities like AUTH, PIPELINING, and TLS details.
Why test STARTTLS?
STARTTLS protects mail in transit. Verifying support and cipher posture helps keep communications secure.
How do I use the tool?
Enter a host and port, for example smtp.gmail.com:587, then run the probe to see supported features.
What if the probe fails?
Failures may indicate network blocks, port closures, or server misconfiguration. Check firewall rules and server logs, then retry.

SMTP Capability Probe Grading Rubric

This guide explains how NetQuery assigns points and letter grades when analyzing an SMTP server. Scores use role-aware profiles: submission (`587`/`465`) vs relay (`25`).

Security (max 42 pts)

  • Offers encrypted transport (STARTTLS or implicit TLS): +10
  • Negotiates TLS 1.3: +12 (TLS 1.2: +10)
  • Uses Perfect Forward Secrecy: +4
  • Certificate matches host: +5
  • Certificate expires in ≥30 days: +4
  • No legacy cipher evidence: +5 (or +3 by negotiated cipher)
  • DNSSEC signal: passed +2, indeterminate -1, failed -4

Authentication (submission max 20, relay max 8)

  • Offers LOGIN or PLAIN: +5
  • Offers XOAUTH2 or OAUTHBEARER: +7
  • Offers SCRAM-SHA-256: +4
  • Two or more modern mechanisms available: +2
  • Submission profile only: AUTH before STARTTLS on 587: -6
  • Legacy auth exposed (CRAM-MD5, DIGEST-MD5): penalty
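
The authentication checks above can be reproduced offline from two captured EHLO replies, one before and one after STARTTLS. This is an added example, not NetQuery's code: the function names, the sample replies, the set treated as "modern" mechanisms and the clamping to the profile maximum are assumptions, and legacy mechanisms are only flagged because the rubric does not state the size of that penalty.

```python
# Added example: authentication findings from EHLO replies (not NetQuery's code).
MODERN = {"XOAUTH2", "OAUTHBEARER", "SCRAM-SHA-256"}  # assumption: the "modern" set
LEGACY = {"CRAM-MD5", "DIGEST-MD5"}                   # named in the rubric

# Constructed sample replies for a hypothetical host.
PRE_TLS = ("250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n"
           "250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 8BITMIME\r\n")
POST_TLS = ("250-mail.example.test\r\n250-AUTH PLAIN LOGIN XOAUTH2 SCRAM-SHA-256\r\n"
            "250 ENHANCEDSTATUSCODES\r\n")

def parse_ehlo(reply):
    """Map each EHLO keyword to its set of parameters (250- / 250 lines)."""
    caps = {}
    for line in reply.splitlines()[1:]:       # first line is the server greeting
        if len(line) < 5 or not line.startswith("250"):
            continue
        words = line[4:].split()
        if not words:
            continue
        # Some servers still send the legacy "AUTH=LOGIN PLAIN" form.
        if words[0].upper().startswith("AUTH="):
            words = ["AUTH", words[0][5:]] + words[1:]
        params = {w.upper() for w in words[1:] if w}
        caps.setdefault(words[0].upper(), set()).update(params)
    return caps

def auth_findings(port, pre_tls_reply, post_tls_reply):
    """Apply the Authentication rubric lines to the two EHLO replies."""
    pre, post = parse_ehlo(pre_tls_reply), parse_ehlo(post_tls_reply)
    mechs = pre.get("AUTH", set()) | post.get("AUTH", set())
    points = 0
    if mechs & {"LOGIN", "PLAIN"}:
        points += 5
    if mechs & {"XOAUTH2", "OAUTHBEARER"}:
        points += 7
    if "SCRAM-SHA-256" in mechs:
        points += 4
    if len(mechs & MODERN) >= 2:
        points += 2
    # AUTH advertised in the cleartext EHLO, i.e. before the TLS upgrade.
    auth_before_tls = port == 587 and "AUTH" in pre
    if auth_before_tls:
        points -= 6
    cap = 20 if port in (587, 465) else 8     # assumption: clamp to profile max
    return {"points": min(points, cap), "auth_before_starttls": auth_before_tls,
            "legacy": sorted(mechs & LEGACY), "mechanisms": sorted(mechs)}

if __name__ == "__main__":
    print(auth_findings(587, PRE_TLS, POST_TLS))
```
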

Throughput (submission max 12, relay max 14)

  • PIPELINING: +4
  • CHUNKING: +2
  • SMTPUTF8: +2
  • BINARYMIME: +1
  • Message size ≥10 MB: +1
  • Message size ≥25 MB: +1
  • Message size ≥40 MB: +1

Diagnostics (submission max 8, relay max 10)

  • ENHANCEDSTATUSCODES: +4
  • DSN: +3
  • 8BITMIME: +1
  • VRFY exposed: -1

Performance (submission max 5, relay max 6)

  • EHLO latency ≤400 ms: +5
  • ≤900 ms: +4
  • ≤1800 ms: +3
  • ≤3000 ms: +2
  • >3000 ms: +1

Cipher Posture (max 8 pts)

  • TLS 1.3 support (inventory or negotiated): +3
  • Modern AEAD evidence (TLS_AES_*, CHACHA20, GCM): +3
  • No legacy cipher evidence: +2 (or +1 by negotiated cipher)

Confidence (0-100)

  • Starts at 100, reduced for missing telemetry quality signals
  • Penalties include DNSSEC timeout/indeterminate status
  • Penalties include missing cipher inventory and single-sample runs
  • Levels: high (≥85), medium (≥65), low (<65)

Letter grades are derived from the total score:

  • A: 88-100
  • B: 75-87
  • C: 60-74
  • D: 45-59
  • F: below 45

Calibrated using 20 public SMTP endpoints on February 12, 2026. Optional extensions no longer dominate the grade.