What is “certificate mismatch”?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Your IT team flagged a certificate mismatch. You're not sure what that means, or why your emails care about it. Here's the plain version.

When two mail servers connect to transfer an email, they use TLS encryption to secure the conversation. Part of that handshake involves the receiving server presenting a digital certificate, basically its way of saying "yes, I really am mail.example.com." The sending server checks whether the name on that certificate matches the hostname it actually connected to. If those two things don't match, that's a certificate mismatch.

Think of it like showing up to a meeting with a name badge that says the wrong company. The badge exists. It's real. But it doesn't match who you claimed to be when you booked the room.

Why does the name mismatch in the first place? A few common reasons:

  • The wrong certificate got installed on the mail server (for example, a certificate issued for a web domain rather than the mail hostname).
  • The mail hostname isn't listed in the certificate's Subject Alternative Names, which is the field that covers all the names a certificate is valid for.
  • A load balancer or proxy in front of the mail server is presenting its own generic certificate instead of the one for your mail domain.
  • A wildcard certificate (like *.example.com) is being used, but the hostname has too many levels, since wildcards don't cover sub.sub.example.com.

What actually happens to your email when there's a mismatch? It depends on how strict the sending server is. Strict TLS verification means the connection gets refused and the message bounces. Opportunistic TLS (which is more common) means the sending server might proceed anyway, but it logs the problem and the connection is no longer trustworthy. Neither outcome is good.

The fix almost always lives on the receiving side. Whoever runs that mail server needs to get the right certificate installed, one that actually covers the hostname being used. If you're the one running the server with the mismatch, that's a job for your hosting provider or IT team. If the mismatch is on a server you're trying to deliver to and you have no control over it, the honest answer is that there's not much you can do except document it and flag it as a known issue.

If this is blocking delivery right now and you're not sure where the mismatch is coming from, our SOS hotline is free and we're happy to help you trace it.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Diagnose my certificate mismatch

I'm dealing with a certificate mismatch error on my email setup. Based on my situation, can you tell me: (1) what specific hostname and certificate name are likely conflicting, (2) whether this is causing hard bounces or just opportunistic TLS fallback, and (3) what steps I should take to resolve it? Here are my details:

Edit the yellow boxes, then send to the AI of your choice.