MTA-STS Policy Checker

Validate your MTA-STS configuration by checking the DNS TXT record at _mta-sts.<domain>, fetching the policy file, and verifying MX record alignment. Ensure your domain enforces TLS encryption on inbound mail.

How MTA-STS Works

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism that allows mail service providers to declare their ability to receive Transport Layer Security (TLS) secured SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted certificate. Defined in RFC 8461, MTA-STS prevents downgrade attacks and certificate spoofing on email delivery.

DNS Record Format

MTA-STS requires a TXT record at _mta-sts.<domain>. The record must contain two tags:

_mta-sts.example.com. IN TXT "v=STSv1; id=20240101T000000Z"

  • v=STSv1 — version identifier (must be exactly STSv1)
  • id= — a unique identifier for the policy version; change this value whenever you update the policy file so that senders know to re-fetch it

Policy File

The actual policy is a plain-text file hosted at a well-known HTTPS URL:

https://mta-sts.<domain>/.well-known/mta-sts.txt

The file must be served over HTTPS with a valid certificate. It contains line-separated key-value fields.

Policy Fields

Field     Required   Description
version   Yes        Must be STSv1
mode      Yes        One of enforce, testing, or none
mx        Yes        One or more MX host patterns (wildcards allowed, e.g. *.example.com). Repeat the field once per pattern.
max_age   Yes        Policy lifetime in seconds. Recommended: 604800 (1 week) to 31557600 (1 year).

Policy Modes

  • enforce — Sending servers MUST NOT deliver mail to MX hosts that fail TLS validation. This is the recommended production mode.
  • testing — Sending servers should still deliver mail on TLS failure, but report the failure via TLS-RPT. Use this when rolling out MTA-STS for the first time.
  • none — Indicates MTA-STS is explicitly disabled. Senders should treat the domain as if it has no MTA-STS policy.

Common Issues

  • Expired or stale policy — If the policy max_age has elapsed and the DNS record id hasn't changed, senders may stop enforcing TLS.
  • MX mismatch — The mx patterns in the policy file must match all MX records published in DNS. Unmatched MX hosts won't receive mail under enforce mode.
  • Testing mode for too long — Running in testing mode indefinitely provides no actual protection. Transition to enforce once you've verified TLS works correctly.
  • Missing HTTPS certificate — The policy file endpoint must serve a valid TLS certificate. Self-signed or expired certificates will cause senders to ignore the policy.
  • max_age too short — A value under 86400 (1 day) means senders must re-fetch the policy very frequently, increasing the risk of delivery failures during DNS outages.
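The following is an added example, not code from the page's checker or from DMARCguard. It performs the three checks described above offline: it validates the v= and id= tags of the _mta-sts TXT record, parses the policy file fields (version, mode, mx, max_age), and tests MX alignment using the RFC 8461 wildcard rule (a leading *. matches exactly one label). It also flags the "testing mode" and "max_age too short" issues from the list above. The TXT record, policy text and MX host list are constructed sample inputs; a real checker would resolve the DNS records and fetch https://mta-sts.<domain>/.well-known/mta-sts.txt over HTTPS with certificate validation instead.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample inputs (not looked up from DNS or fetched over HTTPS).
SAMPLE_TXT_RECORD = "v=STSv1; id=20240101T000000Z"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""
SAMPLE_MX_HOSTS = ["mail.example.com", "mx1.backup-mx.example.net", "mx.other.example"]

VALID_MODES = {"enforce", "testing", "none"}
ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")  # RFC 8461 sts-id: 1 to 32 alphanumerics
MIN_SANE_MAX_AGE = 86400                     # the "too short" threshold above (1 day)


def check_sts_txt(record: str) -> list[str]:
    """Problems with the _mta-sts TXT record; an empty list means it is well-formed."""
    problems = []
    if not record.lstrip().startswith("v=STSv1"):
        problems.append("record must begin with v=STSv1")
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            return problems + [f"malformed tag {part!r}"]
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    if not ID_RE.match(tags.get("id", "")):
        problems.append("id must be 1-32 alphanumeric characters")
    return problems


@dataclass
class Policy:
    version: str | None = None
    mode: str | None = None
    mx: list[str] = field(default_factory=list)
    max_age: str | None = None  # kept raw so check_policy can report non-numeric values


def parse_policy(text: str) -> Policy:
    """Parse the key: value lines of mta-sts.txt; unknown keys are ignored (extensions)."""
    pol = Policy()
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if ":" not in line:
            raise ValueError(f"malformed policy line {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            pol.mx.append(value)
        elif key in ("version", "mode", "max_age"):
            setattr(pol, key, value)
    return pol


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx matching: '*.example.com' covers exactly one extra label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".example.com"
    leftmost = host[: -len(suffix)] if host.endswith(suffix) else ""
    return bool(leftmost) and "." not in leftmost


def check_policy(pol: Policy, mx_hosts: list[str]) -> list[str]:
    """Field checks plus MX alignment; each finding is one human-readable string."""
    findings = []
    if pol.version != "STSv1":
        findings.append("version must be STSv1")
    if pol.mode not in VALID_MODES:
        findings.append(f"mode must be one of {sorted(VALID_MODES)}")
    elif pol.mode == "testing":
        findings.append("mode is testing: TLS failures are only reported, not enforced")
    if not pol.mx:
        findings.append("policy lists no mx patterns")
    if pol.max_age is None or not pol.max_age.isdigit():
        findings.append("max_age must be a non-negative integer")
    elif int(pol.max_age) < MIN_SANE_MAX_AGE:
        findings.append(f"max_age {pol.max_age} is under {MIN_SANE_MAX_AGE}s")
    # Every MX host published in DNS must be covered by some mx pattern.
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in pol.mx):
            findings.append(f"MX host {host} is not covered by any mx pattern")
    return findings


def run_check(txt_record: str, policy_text: str, mx_hosts: list[str]) -> list[str]:
    """Combine the DNS record and policy checks into one findings list."""
    return check_sts_txt(txt_record) + check_policy(parse_policy(policy_text), mx_hosts)


if __name__ == "__main__":
    print("\n".join(run_check(SAMPLE_TXT_RECORD, SAMPLE_POLICY, SAMPLE_MX_HOSTS) or ["OK"]))
```

With the sample inputs the only finding is that mx.other.example is not covered by any mx pattern, which is exactly the "MX mismatch" case above: under enforce mode that host would not receive mail from compliant senders. Note that max_age is kept as a string until check_policy so a non-numeric value produces a finding rather than a parse failure.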

Monitor Your MTA-STS Continuously

This tool performs a one-time check. For ongoing monitoring, TLS-RPT aggregate reports, and alerting when your MTA-STS policy breaks, sign up for DMARCguard — it's free to start.