EcosMail
FR ยท Security overview · April 18, 2026
External audits · measured, not proclaimed

Security is
measured.

Every score below comes from public, open-source tools. Each result is verifiable in one click — you don't have to take our word for it.

maximum
SSL Labs / Qualys
A+
TLS 1.3 · long HSTS · CAA policy
maximum
CryptCheck · Aeris FR
A+
AEAD ciphers + PFS exclusively
perfect
mail-tester.com
10/10
Flawless outbound deliverability
zero
Blacklight · The Markup
0
Trackers, third-party cookies, fingerprinting

Mail transport benchmark

internet.nl score — reference tool of the Dutch government (open source on GitHub). Measures MTA ↔ MTA hygiene.

Domain
Score
DNSSEC
DMARC / SPF / DKIM
RPKI
ecosmail.fr
88 %
✓ active
✓ complete
tuta.com
84 %
gmail.com
78 %
partial
orange.fr
69 %
proton.com
68 %
partial
laposte.net
66 %
posteo.de *
66 %
partial
outlook.com
64 %
partial
30-day target
≥ 95 %
Honest reading. This ranking only measures mail transport between servers (MTA hygiene, not client-side E2E). Proton and Tuta retain a lead on end-to-end encryption, openly tracked in our roadmap Phase 1b → 3 (Q1 to Q4 2027).
Measurements taken 2026-04-21 (ecosmail.fr: 2026-04-19). * posteo.de: receiving mail server temporarily unreachable during the scan (STARTTLS/DANE error), score may be underestimated.

Current state

What is validated, what is in progress, what is honestly deferred.

Validated
TLS / Ciphers A+ Hardened HTTP headers DMARC · p=reject MTA-STS published DNSSEC · fully validated Zero tracker, zero cookie security.txt RFC 9116
In progress
DANE · DNS migration (IONOS lacks TLSA) CSP refactor · inline JS IPv6 · blocked by IONOS BIMI · planned Q3 2026
Roadmap
E2E Phase 1a delivered E2E Phase 1b · Q1 2027 FR pentest · audit-friendly CSA STAR L1 · Q3 2026 Europrivacy / ISO 27001 · 2027+

External audit matrix

10 independent tools, all public or open-source. Each card is clickable to re-run the test.

SSL Labs
Qualys · industry reference
A+
TLS 1.3, long-duration HSTS, CAA policy. Maximum grade.
CryptCheck
Aeris · French open-source firm
A+
AEAD ciphers with PFS exclusively (ECDHE-ECDSA-AES-GCM, ChaCha20). No weak ciphers.
mail-tester.com
Outbound deliverability
10 / 10
SpamAssassin OK, SPF+DKIM+DMARC validated, no blocklist, clean format.
Blacklight
The Markup · privacy
0 / 0
No ad trackers, third-party cookies, fingerprinting, social-media pixels, or Google Analytics.
Hardenize
Panoramic view
Passing
All sections green. One HSTS Chromium-preload warning (decision deferred).
MXToolbox
DNS / MX / DMARC
MX + DMARC OK
MX record published, DMARC in reject mode. BIMI warning — planned Q3 2026.
Mozilla Observatory
Web best practices
80 / 100 · B
9/10 tests passed. CSP 'unsafe-inline' — refactor planned Q2 2026.
internet.nl Mail
Dutch gov. · MTA
88 %
Updated 19/04 after DNSSEC activation (+16 pts). DNSSEC ✓, DMARC/DKIM/SPF ✓, RPKI ✓. Remaining: IPv6 (IONOS blocker) and DANE (IONOS blocker: no TLSA in panel). Target 95%+ after unblocking.
internet.nl Web
Dutch gov. · HTTPS
86 %
Updated 19/04 after DNSSEC activation (+20 pts). DNSSEC ✓, HTTPS ✓, RPKI ✓. Remaining: IPv6 (IONOS blocker) and a «security options» warning (CSP refactor planned Q2). Target ≥ 90%.
Webbkoll
Dataskydd · Sweden
9/11 PASS
HTTPS + HSTS + Referrer + 0 cookies validated. CSP 9/11 — 2 fails on inline (refactor Q2).
securityheaders.com
HTTP headers
A+ expected
To re-test after April 18 header deployment + reverse-proxy duplicate removal.
DNSViz / Verisign
DNSSEC · chain + DS
fully validated
Complete chain root → .fr → ecosmail.fr. DS 39605/RSASHA256 published at AFNIC. DANE TLSA blocked by IONOS (no TLSA support in panel) — DNS migration under review.

Fix changelog

Every technical delivery updates this page. Public traceability.

2026-04-19
DNSSEC activated for ecosmail.fr. Full chain of trust root → .fr → ecosmail.fr, DS 39605/SHA-256 published at AFNIC, strict validation confirmed by Verisign DNSSEC Analyzer and delv (; fully validated). Impact on internet.nl scores: Mail 72 % → 88 % (+16 pts, 13:10 UTC) and Web 66 % → 86 % (+20 pts, 14:01 UTC). Remaining IONOS blockers: IPv6 (AAAA pending) and DANE TLSA (DNS panel without TLSA support). Source · Verisign DNSSEC Analyzer, DNSViz, internet.nl Mail, internet.nl Web
2026-04-18
Hardened Referrer-Policy (no-referrer) + CSP default-src 'none' (deny by default). Source · Webbkoll, Mozilla Observatory
2026-04-18
mta-sts.ecosmail.fr routing fixed — the subdomain was receiving an invalid certificate via the upstream proxy, repointed to main infrastructure. Source · Hardenize HSTS includeSubDomains
2026-04-18
security.txt RFC 9116 published at /.well-known/security.txt (contact security@, expires 2027-04-18). Source · internet.nl Web
2026-04-18
Postfix cipher hardening (excluded DES/RC4/3DES/SHA1, AEAD-only), hardened HTTP headers (HSTS preload-ready, CSP+, COOP/CORP), removed reverse-proxy duplicates, server version masking. Source · internet.nl, SSL Labs, Mozilla Observatory, Hardenize
2026-04-03
Fail2ban activated on postfix-sasl and dovecot-auth. Source · internal logs
2026-03-31
DMARC moved to p=reject (previously quarantine). Source · internet.nl Mail
2026-03-29
MTA-STS enforce mode + TLS-RPT published. Source · Hardenize Mail
Verify in 5 minutes
Don't trust us. Test us.
Every tool listed is public and free. If any result seems inconsistent with what we display, write to us — we will fix or explain.
Run internet.nl security@ecosmail.fr