MX Records format updated for SSL/TLS certificate validation


The MX Records status in the Console may show an incorrect configuration even though the records have not changed. Mailprotector has implemented a new MX record format to meet the growing need for certificate validation across all protected domains using Mailprotector's secure email gateway.

Older MX record formats accept email but may not pass certificate validation checks. The status check is enforcing the new format to prevent protected domains from having inbound email deliverability issues in the future.

Certificate validation issue of old MX record hostnames

The old MX record format incorporates a domain verbatim into the Mailprotector MX hostname. This creates a subdomain structure that fails certificate validation on TLS-enforced email connections.


Mailprotector includes a wildcard certificate for *, and the other two top-level domain (TLD) variations. Shown in the yellow highlight above. However, the "dot" in the company domain name creates a subdomain structure that is viewed as *.* Shown in the red highlight above. There is no certificate for * Adding such a certificate would also require adding *, *, and any number of other TLDs.

Current MX record hostnames fix certificate issues

The currently recommended MX records incorporate a company's domain without creating a subdomain. The hostnames replace the "dot" with a "dash" to ensure the wildcard certificate validates all Mailprotector MX records.


The wildcard certificate is applied to *, and the other two TLD variations. Shown in the yellow highlight above. The company domain now uses a "dash" to delineate the TLD, preserving the certificate validation. Shown in the green highlight above.

IMPORTANT: The old MX record format is still supported by Mailprotector and accepts incoming emails. However, due to the certificate validation problems it can cause, the Console has been updated to indicate the MX records are incorrect.


If you have more questions about the MX records, please contact the Partner Success team.

Have more questions? Submit a request