Support The Network

Security Tools

If your Home Assistant instance is externally accessible, the SSL certificate on that domain should be valid, not expired, and covering the right hostname. If your automations send email notifications, those emails should be passing SPF, DKIM, and DMARC checks, or they will end up in spam before you know something went wrong.

These two tools cover both scenarios. No account needed, no data stored.

SSL Certificate Checker

Check your HA reverse proxy domain, your Nabu Casa or DuckDNS subdomain, or any third-party service you rely on. This tool shows you the certificate issuer, expiry date, the hostname it was issued for, and whether the chain is valid. Common reasons to run a check: you just renewed a certificate and want to confirm it went live, you set up a new reverse proxy and want to verify the cert end to end, or you want to know how many days remain before a cert expires.

What to look for in the results: the issuer should be a recognised CA (Let’s Encrypt, ZeroSSL, DigiCert). Flag anything expiring within 30 days. The hostname in the cert should match the domain you are checking. The chain should resolve to a trusted root CA.

SSL Certificate Checker

Check expiry, issuer, hostname match, and certificate chain

Free

Email Header Analyser

Paste full email headers to see how your message was routed, whether it passed authentication, and where any delivery issues occurred. Useful for diagnosing why HA notification emails are landing in spam, or for investigating a suspicious email.

What the analyser tells you: SPF result (was the sending IP authorised), DKIM result (is the message signature valid), DMARC result (did it pass the combined policy check), routing hops with timestamps, and where any delivery delay occurred.

What to look for if you think an email is fake: check the From header against the actual sending server in the Received chain. A spoofed email typically shows a recognisable From address but a completely unrelated sending IP that fails SPF. DKIM absent or failing alongside an SPF fail is a strong indicator the message did not originate from the claimed domain.

How to get your full email headers:

  • Gmail: Open the email, click the three-dot menu top right, select Show original
  • Apple Mail: Open the email, go to View → Message → All Headers
  • Outlook (web): Open the email, click the three-dot menu, select View → View message source
  • Thunderbird: Open the email, go to View → Headers → All, or More → View Source
  • Proton Mail: Open the email, click the three-dot menu, select View headers

Email Header Analyser

Paste raw email headers to trace routing, check authentication, and spot spoofing

Free
In Gmail: open the email, click the three-dot menu, select “Show original” and copy the headers. In Apple Mail: View → Message → All Headers. In Outlook: File → Properties → Internet headers.

Found this useful? These tools are free and always will be. If they helped you diagnose something faster, consider supporting the network.

Support the Network →