How to Fix SSL/TLS Certificate Errors in Email Clients
SSL certificate errors in Outlook, Thunderbird, Apple Mail, or mobile apps block your email from connecting. Learn what causes them and how to fix each type quickly.
If your email client shows a warning like "The SSL certificate cannot be verified" or "Certificate name mismatch", it means the secure connection between your email client and mail server has a problem. These errors must be resolved — ignoring them or clicking "Accept Anyway" can expose your credentials to interception.
Common SSL/TLS Certificate Errors
1. Certificate Name Mismatch (SEC_ERROR_BAD_CERT_DOMAIN)
What it means: The name on the SSL certificate doesn't match the server address you configured. For example, your host issued a certificate for mail.yourhostingserver.com but you're connecting to mail.yourdomain.com.
Fix: In your email client settings, change the incoming/outgoing server address to match the certificate name exactly. Your hosting provider's welcome email or control panel usually lists the correct server name to use.
2. Certificate Expired
What it means: SSL certificates have an expiry date (usually 90 days to 1 year). After they expire, clients refuse to connect.
Fix for users: Contact your hosting provider or email administrator — they need to renew the certificate. You cannot fix an expired certificate yourself as a user.
Fix for hosting admins: Renew or reissue the SSL certificate in your control panel (cPanel → SSL/TLS → Manage SSL sites, or use Let's Encrypt for free renewal).
3. Untrusted Certificate (Self-Signed)
What it means: The server uses a self-signed certificate — one it created itself rather than one issued by a trusted Certificate Authority (CA). Email clients don't trust these by default.
Fix: Ask your hosting provider to install a proper CA-signed certificate. For most hosting plans, Let's Encrypt provides free, automatically-renewing SSL certificates. Alternatively, use the hosting provider's own server name (see fix #1).
4. SSL Handshake Failed / Connection Timed Out
What it means: The client and server could not agree on an encryption method, or the connection was blocked before the handshake could complete.
Fix:
- Verify you're using the correct port: 993 for IMAP with SSL, 587 for SMTP with STARTTLS, or 465 for SMTP with SSL
- Make sure the encryption setting (SSL/TLS vs STARTTLS) matches the port you chose
- Check if your antivirus or firewall is intercepting the SSL connection — temporarily disable SSL scanning and test
Correct Port and Encryption Combinations
| Protocol | Port | Encryption |
|---|---|---|
| IMAP (incoming) | 993 | SSL/TLS |
| IMAP (incoming) | 143 | STARTTLS |
| POP3 (incoming) | 995 | SSL/TLS |
| SMTP (outgoing) | 587 | STARTTLS |
| SMTP (outgoing) | 465 | SSL/TLS |
Fix SSL Errors in Specific Email Clients
Microsoft Outlook
- Go to File → Account Settings → Account Settings
- Select your account and click Change
- Click More Settings → Advanced
- Adjust the server ports and encryption type to match the table above
- Click OK and test the connection
Mozilla Thunderbird
- Go to Tools → Account Settings
- Select Server Settings (for incoming) or Outgoing Server (SMTP)
- Update the Connection Security and port to correct values
- Click OK and try connecting
iPhone / iPad (iOS Mail)
- Go to Settings → Mail → Accounts
- Tap your account → Account → Advanced
- Verify Use SSL is ON and the port is correct
- Go back and tap Done
When to Contact Your Hosting Provider
If you've corrected your email client settings and still see SSL errors, the problem is on the server side. Contact your hosting provider and report:
- The exact error message
- Your domain name and the mail server address you're using
- The email client you're using
Most hosting providers can fix SSL certificate issues within a few hours.