I raised an issue via the FreecycleTech Forum and it became clear to me that nobody wanted to hear or try to understand what I had to say. You simply tried to repudiate anything I said, which I found very disappointing.

I have decided to try to articulate more clearly, with additional detail, to justify the points I have tried unsuccessfully to raise with Deron and the Tech Team.

I believe the email configuration for is erroneous for the following reasons: has a single DNS MX record defined and that points to has a DNS A record that points to

If you view the certificate details on  you will see an expired certificate. or

Note: if you try to view this certificate using a browser you will need to use one that doesn’t redirect to which is a different server (hint: use Firefox with the NoScript Extension installed).

So, there are two issues here: firstly, the certificate is expired and, secondly, it's invalid.

It expired at 23:59:59 on January 16, 2024.

As I mentioned above, there is only a single DNS MX record that points to which is defined in a DNS A record, so that's fine; only the certificate doesn't match, as cannot match with * (see RFC 1034), and hence is invalid.

You tried to tell me an inbound email should be going to which is an alias (i.e. DNS CNAME) of Well, I'm afraid that still doesn't stack up, as the alias isn't referenced in the MX record, and if it were it would be invalid, as according to RFC 2181 it's not acceptable to use an alias in an MX record.

I think it's also worth pointing out that the certificate on the server has a key length of 4096 bits. This seems excessive to me for a server certificate and, in my previous experience, is likely to cause issues for some folks trying to connect to it. I noticed that all your other server certificates I can see, including the replacement for this certificate, are 2048 bit, as I would expect.

Another point worthy of mention is the protocols enabled for the servers. Most of the servers have the following profile:

TLS 1.3 Yes
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No

While the server has the following profile (which I would suggest is suboptimal):

TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

You tell me that you already have DMARC configured. Well, again, I'd challenge that assertion, as the way you have it configured is meaningless, since it has a policy defined as 'none'.

You also tell me that MTA-STS is emerging and not a ratified standard. I guess that depends on what you mean by emerging. It has been defined in RFC 8461 since 2018, is advised by the UK Government and is being widely pushed by Google, Microsoft and most large email providers. Given your other issues, I can understand wanting to bury your head in the sand concerning MTA-STS.

Good luck, you’re going to need some.