22 May 2018

How We Test SMTP

by Ivan Ristić

When we set out to build Hardenize, one of our goals was to provide an almost-interactive experience, one where you don't have to wait a long time to get useful results back. We thus spent a lot of time making Hardenize fast. Unfortunately, even though our tests are lightweight and going fast works for HTTP, the approach breaks completely in SMTP land, where we were often being blocked. To fix that, we went back to the drawing board and completely redesigned how we test SMTP.

Our new approach is two-fold. When we encounter an SMTP server for the first time, we perform only a shallow test, which we can do quickly and which reduces the chance of being blocked. Even though this test doesn't provide complete information, it's good enough to determine if a server is correctly configured.

The other part of our approach is to continuously perform slow SMTP tests in the background. Our assessments maintain a list of SMTP servers we need to look at, and we run a bunch of tests in the background and in parallel. These tests are not only slow, but we also make sure to avoid hitting servers belonging to the same service provider at the same time, taking into account both network addresses and the domain name.

The end result is that you may get shallow results initially, but on a subsequent visit you get complete results immediately from our cache. We continue to monitor SMTP servers in the background at varying frequency, depending on how often the results are needed.

Whatever the situation, our reports clearly indicate what type of results we're providing. If the results are cached, the timestamps are always included. For example, at Hardenize we use G Suite for our email. At the moment, we get complete results for our SMTP servers, and the email overview page indicates the range of timestamps, starting from the earliest SMTP test to the latest.

Notice that in this case there is a difference of about eight days. That's because Google have hundreds of servers (we've seen 254 so far); we check one of their servers, then pause for an hour before we go to their next server.
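The provider-aware pacing described above can be sketched as follows. This is an added example, not Hardenize's code: the grouping keys (last two hostname labels, /24 or /48 network), the function names and the sample hosts are assumptions; only the one-hour pause comes from the post.

```python
import ipaddress
from datetime import datetime, timedelta

COOLDOWN = timedelta(hours=1)  # the post mentions a one-hour pause per provider

def provider_keys(hostname, ip):
    """Keys that tie a server to a provider: its domain and its network."""
    # Assumption: the last two labels approximate the registrable domain;
    # a real implementation would consult the Public Suffix List.
    domain = ".".join(hostname.rstrip(".").lower().split(".")[-2:])
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48  # assumed grouping widths
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return {("domain", domain), ("net", str(network))}

def schedule(targets, start, cooldown=COOLDOWN):
    """Give each (hostname, ip) the earliest slot at which no server sharing
    a domain or a network with it has been tested within `cooldown`."""
    next_allowed = {}  # provider key -> earliest time the next test may start
    plan = []
    for hostname, ip in targets:
        keys = provider_keys(hostname, ip)
        when = max(next_allowed.get(k, start) for k in keys)
        for k in keys:
            next_allowed[k] = when + cooldown
        plan.append((when, hostname))
    return sorted(plan)

# Constructed sample targets (documentation address ranges, made-up names).
SAMPLE = [
    ("mx1.mail.example.net", "192.0.2.10"),
    ("mx2.mail.example.net", "198.51.100.7"),  # same domain, other network
    ("smtp.example.org", "192.0.2.25"),        # other domain, same /24 as mx1
    ("mail.example.com", "203.0.113.5"),       # unrelated provider
]

if __name__ == "__main__":
    for when, host in schedule(SAMPLE, datetime(2018, 5, 22, 12, 0)):
        print(when.isoformat(), host)
```

Unrelated providers are tested in parallel in the same slot, while any server that shares a domain or a network with an earlier one is pushed back by the pause.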

We understand that sometimes you may want the results quicker. Our customers can already do that because we know what domain names belong to them and we're able to go faster in those cases. For our public assessments, we're planning to provide a domain ownership verification feature in the future, which would enable you to give us permission to go faster for your own domain names. Stay tuned.