What is “certificate mismatch”?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Your IT team flagged a certificate mismatch. You're not sure what that means, or why your emails care about it. Here's the plain version.
When two mail servers connect to transfer an email, they use TLS encryption to secure the conversation. Part of that handshake involves the receiving server presenting a digital certificate, basically its way of saying "yes, I really am mail.example.com." The sending server checks whether the name on that certificate matches the hostname it actually connected to. If those two things don't match, that's a certificate mismatch.
Think of it like showing up to a meeting with a name badge that says the wrong company. The badge exists. It's real. But it doesn't match who you claimed to be when you booked the room.
Why does the name mismatch in the first place? A few common reasons:
- The wrong certificate got installed on the mail server (for example, a certificate issued for a web domain rather than the mail hostname).
- The mail hostname isn't listed in the certificate's Subject Alternative Names, which is the field that covers all the names a certificate is valid for.
- A load balancer or proxy in front of the mail server is presenting its own generic certificate instead of the one for your mail domain.
- A wildcard certificate (like
*.example.com) is being used, but the hostname has too many levels, since wildcards don't coversub.sub.example.com.
What actually happens to your email when there's a mismatch? It depends on how strict the sending server is. Strict TLS verification means the connection gets refused and the message bounces. Opportunistic TLS (which is more common) means the sending server might proceed anyway, but it logs the problem and the connection is no longer trustworthy. Neither outcome is good.
The fix almost always lives on the receiving side. Whoever runs that mail server needs to get the right certificate installed, one that actually covers the hostname being used. If you're the one running the server with the mismatch, that's a job for your hosting provider or IT team. If the mismatch is on a server you're trying to deliver to and you have no control over it, the honest answer is that there's not much you can do except document it and flag it as a known issue.
If this is blocking delivery right now and you're not sure where the mismatch is coming from, our SOS hotline is free and we're happy to help you trace it.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.