MTA-STS Checker & Generator
Check your MTA-STS configuration or generate a new policy to enforce TLS encryption for inbound email.
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism that enables mail service providers to declare their ability to receive TLS-secured connections. It tells sending mail servers that they should only deliver email over encrypted (TLS) connections, preventing downgrade attacks and man-in-the-middle interception.
How MTA-STS Works
MTA-STS has two components that work together:
- DNS TXT Record at _mta-sts.yourdomain.com — signals that MTA-STS is enabled and provides a policy ID for cache validation.
- Policy File hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt — contains the actual policy including mode, authorized MX hosts, and cache duration.
Policy Modes
- testing — Sending servers report TLS failures but still deliver mail. Safe starting point.
- enforce — Sending servers must use TLS. Mail is not delivered if TLS fails. Maximum protection.
- none — Disables the policy. Used to decommission MTA-STS.
Example Policy File
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 604800
MTA-STS and TLS-RPT
MTA-STS should be deployed alongside TLS-RPT (TLS Reporting). While MTA-STS enforces TLS, TLS-RPT provides daily reports about TLS connection successes and failures, giving you visibility into delivery issues. Use our TLS-RPT tool to set up reporting.
Why MTA-STS Matters
Without MTA-STS, email connections can be silently downgraded from TLS to unencrypted delivery through DNS spoofing or network manipulation. This exposes email content to interception. MTA-STS prevents this by requiring verified TLS connections between mail servers, complementing DMARC, SPF, and DKIM authentication.