diff --git a/Cargo.lock b/Cargo.lock
index 670466b25..4c68ffae1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1029,7 +1029,7 @@ dependencies = [
 "heck 0.5.0",
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
@@ -8011,7 +8011,7 @@ checksum = "f65c489a7071a749c849713807783f70672b28094011623e200cb86dcb835953"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn 2.0.114",
+ "syn 2.0.117",
 ]
 [[package]]
diff --git a/deltachat-rpc-client/src/deltachat_rpc_client/pytestplugin.py b/deltachat-rpc-client/src/deltachat_rpc_client/pytestplugin.py
index 4daa2ec96..90ea326ea 100644
--- a/deltachat-rpc-client/src/deltachat_rpc_client/pytestplugin.py
+++ b/deltachat-rpc-client/src/deltachat_rpc_client/pytestplugin.py
@@ -358,4 +358,3 @@ def remote_bob_loop(channel):
 except Exception:
 # some unserializable result
 channel.send(None)
-
diff --git a/deltachat-rpc-client/tests/test_something.py b/deltachat-rpc-client/tests/test_something.py
index d21916bf2..059777996 100644
--- a/deltachat-rpc-client/tests/test_something.py
+++ b/deltachat-rpc-client/tests/test_something.py
@@ -1018,7 +1018,7 @@ def test_configured_imap_certificate_checks(acfactory):
 info = alice.get_info()
 domain = alice.get_config("addr").split("@")[-1]
 if domain.startswith("_"):
- assert "cert_accept_invalid_certificates" in info.used_transport_settings
+ assert "cert_automatic" in info.used_transport_settings
 else:
 assert "cert_strict" in info.used_transport_settings
diff --git a/src/configure.rs b/src/configure.rs
index 51c47ab3a..1d478beb3 100644
--- a/src/configure.rs
+++ b/src/configure.rs
@@ -581,13 +581,7 @@ async fn get_configured_param(
 smtp_password,
 provider,
 certificate_checks: match param.certificate_checks {
- EnteredCertificateChecks::Automatic => {
- if param_domain.starts_with('_') {
- ConfiguredCertificateChecks::AcceptInvalidCertificates
- } else {
- ConfiguredCertificateChecks::Automatic
- }
- }
+ EnteredCertificateChecks::Automatic => ConfiguredCertificateChecks::Automatic,
 EnteredCertificateChecks::Strict => ConfiguredCertificateChecks::Strict,
 EnteredCertificateChecks::AcceptInvalidCertificates
 | EnteredCertificateChecks::AcceptInvalidCertificates2 => {
diff --git a/src/peer_channels.rs b/src/peer_channels.rs
index 7dc9d2402..efb444579 100644
--- a/src/peer_channels.rs
+++ b/src/peer_channels.rs
@@ -247,7 +247,7 @@ impl Context {
 {
 // Underscore-prefixed domains use self-signed TLS certificates,
 // so we need to skip relay certificate verification for them.
- let skip = relay_url.host_str().map_or(false, |h| h.starts_with('_'));
+ let skip = relay_url.host_str().is_some_and(|h| h.starts_with('_'));
 (RelayMode::Custom(RelayUrl::from(relay_url).into()), skip)
 } else {
 // FIXME: this should be RelayMode::Disabled instead.
diff --git a/src/qr.rs b/src/qr.rs
index 3fc6965c4..ec97e1d40 100644
--- a/src/qr.rs
+++ b/src/qr.rs
@@ -817,11 +817,6 @@ pub(crate) async fn login_param_from_account_qr(
 .context("Invalid DCACCOUNT scheme")?;
 if !payload.starts_with(HTTPS_SCHEME) {
- let certificate_checks = if payload.starts_with('_') {
- EnteredCertificateChecks::AcceptInvalidCertificates
- } else {
- EnteredCertificateChecks::Strict
- };
 let rng = &mut rand::rngs::OsRng.unwrap_err();
 let username = Alphanumeric.sample_string(rng, 9);
 let addr = username + "@" + payload;
@@ -834,7 +829,7 @@ pub(crate) async fn login_param_from_account_qr(
 ..Default::default()
 },
 smtp: Default::default(),
- certificate_checks,
+ certificate_checks: EnteredCertificateChecks::Automatic,
 oauth2: false,
 };
 return Ok(param);
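Review bot: With the `EnteredCertificateChecks::Automatic` arm in `get_configured_param` (src/configure.rs) now always yielding `ConfiguredCertificateChecks::Automatic`, an account on an underscore-prefixed domain no longer records in its configured setting that its certificates go unverified; tests/test_something.py in this commit pins `cert_automatic` for that case. The exemption itself is not visible in this diff (a comment added in src/qr/qr_tests.rs places it in the TLS layer), and the removed branch keyed on `param_domain`, so it is worth confirming that the new check looks at the same name when the server hostname differs from the address domain. I would document this on the arm, e.g. `// Underscore-prefixed hosts are exempted from verification in the TLS layer, not here.` The match expression starts and ends outside the hunk.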
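Review bot: In the second src/qr.rs hunk, `certificate_checks: EnteredCertificateChecks::Automatic` replaces `Strict` for regular domains too, not only for underscore-prefixed ones, because the removed `else` branch in the first hunk was the only place that chose `Strict`. Whether `Automatic` enforces the same verification as `Strict` for an ordinary hostname is decided outside this diff, so this may loosen certificate checking for every account created from a non-HTTPS `dcaccount:` payload. If the two are equivalent for such hosts, state it next to the field, e.g. `// Automatic verifies like Strict except for underscore-prefixed hosts`; if they are not, the regular-domain case should keep `Strict`. The body of `login_param_from_account_qr` starts and ends outside both hunks.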
diff --git a/src/qr/qr_tests.rs b/src/qr/qr_tests.rs
index 82004cd2b..333834449 100644
--- a/src/qr/qr_tests.rs
+++ b/src/qr/qr_tests.rs
@@ -767,18 +767,22 @@ async fn test_decode_account_underscore_domain() -> Result<()> {
 }
 );
- // Verify login params use AcceptInvalidCertificates for underscore domain.
+ // Verify login params use Automatic for underscore domain.
+ // The TLS layer handles underscore domains via NoCertificateVerification in Rustls.
 let param = login_param_from_account_qr(&ctx.ctx, "dcaccount:_example.org").await?;
 assert!(param.addr.ends_with("@_example.org"));
 assert_eq!(
 param.certificate_checks,
- EnteredCertificateChecks::AcceptInvalidCertificates
+ EnteredCertificateChecks::Automatic
 );
- // Regular domain still uses Strict.
+ // Regular domain also uses Automatic.
 let param = login_param_from_account_qr(&ctx.ctx, "dcaccount:example.org").await?;
 assert!(param.addr.ends_with("@example.org"));
- assert_eq!(param.certificate_checks, EnteredCertificateChecks::Strict);
+ assert_eq!(
+ param.certificate_checks,
+ EnteredCertificateChecks::Automatic
+ );
 Ok(())
 }
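Review bot: Both assertions in `test_decode_account_underscore_domain` now expect `EnteredCertificateChecks::Automatic`, so the test no longer distinguishes an underscore-prefixed domain from a regular one, and the new comment about `NoCertificateVerification` in Rustls describes behaviour that nothing in this test exercises. A test next to the TLS setup that checks verification is skipped only for hosts starting with `_` and is still enforced for `example.org` would pin the property the comment relies on. Until that exists I would word the comment as a pointer rather than a guarantee: `// Certificate handling for underscore domains is decided in the TLS layer, not in the login params.`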