diff --git a/cmd/root.go b/cmd/root.go
index 6e2ef4fd5..b8fee0f01 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -109,6 +109,8 @@ func init() {
 rootCmd.Flags().StringVar(&config.WebhookURL, "webhook-url", config.WebhookURL, "Send a webhook request for new messages")
 rootCmd.Flags().IntVar(&webhook.RateLimit, "webhook-limit", webhook.RateLimit, "Limit webhook requests per second")
+ rootCmd.Flags().BoolVar(&config.AllowUntrustedTLS, "allow-untrusted-tls", config.AllowUntrustedTLS, "Do not verify HTTPS certificates (link checker & screenshots)")
+ rootCmd.Flags().StringVarP(&config.SMTPCLITags, "tag", "t", config.SMTPCLITags, "Tag new messages matching filters")
 rootCmd.Flags().BoolVarP(&logger.QuietLogging, "quiet", "q", logger.QuietLogging, "Quiet logging (errors only)")
 rootCmd.Flags().BoolVarP(&logger.VerboseLogging, "verbose", "v", logger.VerboseLogging, "Verbose logging")
@@ -199,6 +201,9 @@ func initConfigFromEnv() {
 if getEnabledFromEnv("MP_BLOCK_REMOTE_CSS_AND_FONTS") {
 config.BlockRemoteCSSAndFonts = true
 }
+ if getEnabledFromEnv("MP_ALLOW_UNTRUSTED_TLS") {
+ config.AllowUntrustedTLS = true
+ }
 if getEnabledFromEnv("MP_QUIET") {
 logger.QuietLogging = true
 }
diff --git a/config/config.go b/config/config.go
index a908a1260..68ed16f18 100644
--- a/config/config.go
+++ b/config/config.go
@@ -101,6 +101,9 @@ var (
 // ContentSecurityPolicy for HTTP server - set via VerifyConfig()
 ContentSecurityPolicy string
+ // AllowUntrustedTLS allows untrusted HTTPS connections link checking & screenshot generation
+ AllowUntrustedTLS bool
+ // Version is the default application version, updated on release
 Version = "dev"
diff --git a/internal/linkcheck/status.go b/internal/linkcheck/status.go
index 96ba90106..cc3f00451 100644
--- a/internal/linkcheck/status.go
+++ b/internal/linkcheck/status.go
@@ -1,6 +1,7 @@
 package linkcheck
 import (
+ "crypto/tls"
 "net/http"
 "regexp"
 "sync"
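Review bot: Nothing in the `--allow-untrusted-tls` registration in cmd/root.go init(), or in the `MP_ALLOW_UNTRUSTED_TLS` branch of initConfigFromEnv in the following hunk, records that certificate verification has been switched off. Because the option weakens every outbound HTTPS request made for link checking and screenshots, one warning-level log line at startup when `config.AllowUntrustedTLS` is true, with text such as `TLS certificate verification disabled for link checker & screenshots`, would make the mode visible in logs and during an audit. Both functions continue outside their hunks, so the check probably belongs after flags and environment have been merged.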
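Review bot: The doc comment added for `AllowUntrustedTLS` in config/config.go is missing a word and does not say what is actually turned off. The variable feeds `InsecureSkipVerify` in the link checker and the proxy handler later in this commit, so the comment should name the effect and the default, for example `// AllowUntrustedTLS disables TLS certificate verification for outbound HTTPS requests made for link checking & screenshot generation (default false)`. The enclosing `var (` block starts and ends outside the hunk.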
@@ -59,8 +60,15 @@ func doHead(link string, followRedirects bool) (int, error) {
 timeout := time.Duration(10 * time.Second)
+ tr := &http.Transport{}
+
+ if config.AllowUntrustedTLS {
+ tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+ }
+
 client := http.Client{
- Timeout: timeout,
+ Timeout: timeout,
+ Transport: tr,
 CheckRedirect: func(req *http.Request, via []*http.Request) error {
 if followRedirects {
 return nil
diff --git a/server/handlers/proxy.go b/server/handlers/proxy.go
index afbaf8e41..010c4c434 100644
--- a/server/handlers/proxy.go
+++ b/server/handlers/proxy.go
@@ -2,6 +2,7 @@ package handlers
 import (
+ "crypto/tls"
 "fmt"
 "io"
 "net/http"
@@ -31,8 +32,15 @@ func ProxyHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
+ tr := &http.Transport{}
+
+ if config.AllowUntrustedTLS {
+ tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+ }
+
 client := &http.Client{
- Timeout: 10 * time.Second,
+ Transport: tr,
+ Timeout: 10 * time.Second,
 }
 req, err := http.NewRequest("GET", uri, nil)
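Review bot: `tr := &http.Transport{}` in doHead is created on every call and assigned to the client whether or not `config.AllowUntrustedTLS` is set, so the verified path also stops using `http.DefaultTransport`. A zero-value transport has no `Proxy` function and no idle-connection timeout, and a fresh transport per call never reuses its pooled connections, which can leave sockets open until the remote side closes them. Starting from `tr := http.DefaultTransport.(*http.Transport).Clone()`, ideally built once at package level rather than per request, keeps the default behaviour and adds the TLS override only when the flag is on. The same pattern is added to ProxyHandler in server/handlers/proxy.go. doHead starts and ends outside this hunk.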
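Review bot: With `InsecureSkipVerify: true` the GET issued by ProxyHandler accepts any certificate for any host name, so when the flag is on the response comes from a peer whose identity was never checked. How the body is used is outside this hunk; if it is relayed to the browser, a comment at the override would help the next reader, for example `// AllowUntrustedTLS: upstream identity is not verified; treat the fetched body as untrusted`. The setting is global rather than per host, which is worth stating in the `--allow-untrusted-tls` help text so operators know it covers every URL this handler and the link checker fetch.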