diff --git a/.travis.yml b/.travis.yml
index 46e9da8..1e4f551 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -14,4 +14,4 @@ notifications:
 services:
   - mongodb
 env:
-  - MONGO_URI=127.0.0.1:27017/test_db MONGO_USER=travis MONGO_PASS=test SMTP_HOST=127.0.0.1 SMTP_PORT=465 SMTP_TLS=true SMTP_USER=smtp_user SMTP_PASS=smtp_pass SENDER_NAME=Travis SENDER_EMAIL=travis@mailvelope.com
\ No newline at end of file
+  - MONGO_URI=127.0.0.1:27017/test_db MONGO_USER=travis MONGO_PASS=test SMTP_HOST=127.0.0.1 SMTP_PORT=465 SMTP_TLS=true SMTP_STARTTLS=true SMTP_USER=smtp_user SMTP_PASS=smtp_pass SENDER_NAME=Travis SENDER_EMAIL=travis@mailvelope.com
\ No newline at end of file
diff --git a/README.md b/README.md
index a4cc20f..467eb33 100644
--- a/README.md
+++ b/README.md
@@ -223,6 +223,7 @@ The `credentials.json` file can be used to configure a local development install
 * SMTP_HOST=127.0.0.1
 * SMTP_PORT=465
 * SMTP_TLS=true
+* SMTP_STARTTLS=true
 * SMTP_USER=smtp_user
 * SMTP_PASS=smtp_pass
 * SENDER_NAME="OpenPGP Key Server"
diff --git a/res/credentials.json b/res/credentials.json
index 0c3de75..8c6954d 100644
--- a/res/credentials.json
+++ b/res/credentials.json
@@ -8,6 +8,7 @@
     "host": "smtp.gmail.com",
     "port": "465",
     "tls": "true",
+    "starttls": "true",
     "user": "user@gmail.com",
     "pass": "password"
   },
diff --git a/src/app.js b/src/app.js
index 4926cf0..550e16b 100644
--- a/src/app.js
+++ b/src/app.js
@@ -104,7 +104,8 @@ function injectDependencies() {
   email.init({
     host: process.env.SMTP_HOST || credentials.smtp.host,
     port: process.env.SMTP_PORT || credentials.smtp.port,
-    secure: (process.env.SMTP_TLS || credentials.smtp.tls) === 'true',
+    tls: (process.env.SMTP_TLS || credentials.smtp.tls) === 'true',
+    starttls: (process.env.SMTP_STARTTLS || credentials.smtp.starttls) === 'true',
     auth: {
       user: process.env.SMTP_USER || credentials.smtp.user,
       pass: process.env.SMTP_PASS || credentials.smtp.pass
diff --git a/src/email/email.js b/src/email/email.js
index c732330..72737b1 100644
--- a/src/email/email.js
+++ b/src/email/email.js
@@ -35,20 +35,20 @@ class Email {
 
   /**
    * Create an instance of the reusable nodemailer SMTP transport.
-   * @param {string} host          SMTP server's hostname: 'smtp.gmail.com'
-   * @param {Object} auth          Auth credential: { user:'user@gmail.com', pass:'pass' }
-   * @param {Object} sender        message 'FROM' field: { name:'Your Support', email:'noreply@exmple.com' }
-   * @param {string} port          (optional) SMTP server's SMTP port. Defaults to 465.
-   * @param {boolean} secure       (optional) if TSL should be used. Defaults to true.
-   * @param {boolean} requireTLS   (optional) if TSL is mandatory. Defaults to true.
+   * @param {string}  host       SMTP server's hostname: 'smtp.gmail.com'
+   * @param {Object}  auth       Auth credential: { user:'user@gmail.com', pass:'pass' }
+   * @param {Object}  sender     message 'FROM' field: { name:'Your Support', email:'noreply@exmple.com' }
+   * @param {string}  port       (optional) SMTP server's SMTP port. Defaults to 465.
+   * @param {boolean} tls        (optional) if TSL should be used. Defaults to true.
+   * @param {boolean} starttls   (optional) force STARTTLS to prevent downgrade attack. Defaults to true.
    */
   init(options) {
     this._transport = this._mailer.createTransport({
       host: options.host,
       port: options.port || 465,
       auth: options.auth,
-      secure: (options.secure !== undefined) ? options.secure : true,
-      requireTLS: (options.secure !== undefined) ? options.secure : true
+      secure: (options.tls !== undefined) ? options.tls : true,
+      requireTLS: (options.starttls !== undefined) ? options.starttls : true,
     });
     this._sender = options.sender;
   }
diff --git a/test/integration/email-test.js b/test/integration/email-test.js
index d44b06b..f4b96b6 100644
--- a/test/integration/email-test.js
+++ b/test/integration/email-test.js
@@ -38,7 +38,8 @@ describe('Email Integration Tests', function() {
     email.init({
       host: process.env.SMTP_HOST || credentials.smtp.host,
       port: process.env.SMTP_PORT || credentials.smtp.port,
-      secure: (process.env.SMTP_TLS || credentials.smtp.tls) === 'true',
+      tls: (process.env.SMTP_TLS || credentials.smtp.tls) === 'true',
+      starttls: (process.env.SMTP_STARTTLS || credentials.smtp.starttls) === 'true',
       auth: {
         user: process.env.SMTP_USER || credentials.smtp.user,
         pass: process.env.SMTP_PASS || credentials.smtp.pass