MTA-STS

MTA-STS Policy Checker

Validate your MTA-STS DNS record, fetch the policy file, and verify MX record alignment per RFC 8461.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is defined in RFC 8461. It lets a receiving domain declare that its MX hosts support TLS-secured SMTP and tell sending servers whether to refuse delivery to any MX host that does not offer STARTTLS with a certificate that is trusted and valid for the MX hostname. Plain SMTP negotiates STARTTLS opportunistically, so an on-path attacker can strip the STARTTLS offer or present a forged certificate and the sender will still deliver in the clear; MTA-STS gives the sender a policy against which to detect and refuse both downgrades and certificate spoofing.

MTA-STS requires two components: a single DNS TXT record at _mta-sts.<domain> containing v=STSv1; id=<unique-id>, and a policy file served over HTTPS (with a certificate valid for the mta-sts.<domain> name) at https://mta-sts.<domain>/.well-known/mta-sts.txt. The policy file is a set of key: value lines that declares version: STSv1, the mode (enforce, testing, or none), one or more mx host patterns (a leading *. wildcard matches exactly one label), and a max_age lifetime in seconds for which senders may cache the policy.

Start with mode: testing and monitor for TLS issues via TLS-RPT reports (RFC 8460, published in a separate _smtp._tls.<domain> TXT record), then transition to mode: enforce once you have confirmed TLS works correctly for all MX hosts. The recommended max_age is 604800 seconds (1 week). Senders cache the policy for that long and only re-fetch it when the id in the TXT record changes, so update the id every time you edit the policy file, including the change from testing to enforce.
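The checks described above, as an added, self-contained example of what a policy checker does once it has the TXT record, the policy body and the MX list in hand (this is illustrative code written for this page, not DMARCguard's checker): it parses the _mta-sts TXT record, parses the policy file, validates mode and max_age, and matches every MX host against the mx patterns using the one-label wildcard rule from RFC 8461. The DNS lookup and HTTPS fetch are left out so it runs offline; the TXT record, policy text and MX hostnames are constructed sample data for the fictitious example.com domain.

```python
"""Offline MTA-STS checks modelled on RFC 8461: parse the _mta-sts TXT record,
parse the policy file, and verify that every MX host matches an mx pattern."""
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 s3.2: max_age must not exceed one year
VALID_MODES = {"enforce", "testing", "none"}


def parse_sts_txt(record: str) -> dict:
    """Parse 'v=STSv1; id=<id>'. The version field comes first and the id is
    1 to 32 alphanumeric characters (RFC 8461 s3.1)."""
    fields = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed TXT field: {part!r}")
        fields.append((key.strip(), value.strip()))
    if not fields or fields[0] != ("v", "STSv1"):
        raise ValueError("TXT record must begin with v=STSv1")
    record_id = dict(fields).get("id", "")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", record_id):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return {"v": "STSv1", "id": record_id}


def parse_policy(text: str) -> dict:
    """Parse mta-sts.txt: 'key: value' lines, CRLF or LF terminated. Unknown
    keys are ignored (the RFC permits extension fields); mx may repeat."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"duplicate {key} field")
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy must declare version: STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError(f"mode must be one of {sorted(VALID_MODES)}")
    if not re.fullmatch(r"[0-9]{1,10}", policy.get("max_age", "")):
        raise ValueError("max_age must be 1-10 digits")
    policy["max_age"] = int(policy["max_age"])
    if policy["max_age"] > MAX_AGE_LIMIT:
        raise ValueError("max_age exceeds one year")
    # A policy that will be applied needs a pattern, or no MX could ever match.
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx pattern")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 s4.1: compare case-insensitively; a leading '*.' matches exactly
    one left-most label, so '*.example.com' matches 'mail.example.com' but not
    'example.com' or 'a.mail.example.com'."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return host == pattern


def check_alignment(txt_record: str, policy_text: str, mx_hosts: list) -> dict:
    """Run all three checks and report which MX hosts no pattern covers."""
    txt = parse_sts_txt(txt_record)
    policy = parse_policy(policy_text)
    unmatched = [h for h in mx_hosts
                 if not any(mx_matches(p, h) for p in policy["mx"])]
    return {"id": txt["id"], "mode": policy["mode"],
            "max_age": policy["max_age"], "unmatched_mx": unmatched,
            "aligned": not unmatched}


# Constructed sample input (not real DNS data): one MX host deliberately
# falls outside the policy so the report shows a misalignment.
SAMPLE_TXT = "v=STSv1; id=20240115T120000"
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mx1.example.com\r\n"
                 "mx: *.mail.example.com\r\nmax_age: 604800\r\n")
SAMPLE_MX = ["mx1.example.com.", "MX2.mail.example.com", "backup.example.net"]

if __name__ == "__main__":
    report = check_alignment(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In enforce mode an unmatched MX host means senders honouring the policy will refuse to deliver to it, so the report flagging backup.example.net is exactly the finding you want before switching from testing to enforce. Note that the host comparison strips the trailing dot DNS resolvers often return and lowercases both sides, and that the wildcard only ever covers a single label.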

Get the full picture with DMARCguard

Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.
