Free MTA-STS Checker
Validate your MTA-STS DNS record, policy file, and TLS enforcement mode — ensuring your inbound email is protected against downgrade attacks.
Check Your MTA-STS Configuration
Enter your domain to check both the DNS record and the policy file hosted at your domain.
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard defined in RFC 8461 that enables domains to declare that they support TLS encryption for inbound email and that sending servers should refuse to deliver messages over unencrypted connections.
Without MTA-STS, email between servers can be intercepted through man-in-the-middle attacks that strip TLS encryption — even if both servers support it. This is called a TLS downgrade attack. MTA-STS prevents this by telling sending servers to require TLS and to validate the certificate.
MTA-STS has two components: a DNS TXT record at _mta-sts.yourdomain.com and a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
MTA-STS Policy Modes
enforce
Mail that cannot be delivered over a valid TLS connection is rejected. This is the strongest mode and provides maximum protection against downgrade attacks.
testing
TLS failures are reported via TLS-RPT but mail is still delivered. Ideal for initial deployment to identify issues before enforcing.
none
MTA-STS is effectively disabled. No TLS requirement is communicated to sending servers. Used to deactivate a previously published policy.
How MTA-STS Works
DNS Discovery
The sending server queries _mta-sts.yourdomain.com for a TXT record containing v=STSv1; id=20240101.
Policy Fetch
If the TXT record exists, the sender fetches the policy file from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt over HTTPS.
TLS Enforcement
Based on the policy mode, the sender either enforces TLS (reject failures), reports failures (testing mode), or does nothing (none mode).
MX Validation
The policy file specifies which MX hosts are valid. The sender verifies that the MX server certificate matches one of the authorized hosts before delivering.
Complete your email security stack
MTA-STS protects inbound TLS. AutoSPF protects your outbound SPF — automatically flattening records to stay within the 10-lookup limit.
What Our Customers Say
"AutoSPF Flattens SPF Records Seamlessly & Keeps Changes Logged - I am quite pleased with the product"
It does what it promises to do, and does it very well. I appreciate that it keeps a log of changes made, which prevents many mistakes. A client's SPF record would have way too many lookups, but AutoSPF makes that problem go away. The length of the SPF record is typically not the issue; it's the amount of lookups in the record that are. AutoSPF "flattens" the record, automatically expanding the defined lookups to IP addresses or ranges. And it auto-updates the record when the un-flattened lookups change.
Peter J.
President · Small-Business (50 or fewer emp.)
"Helped us go beyond capacity"
AutoSPF did exactly as described, it helped us get past our 10 lookup limit. Afterwards, we hit another limit regarding overall capacity and when contacted, they quickly provided us with a new solution to eliminate capacity issues entirely going forward, so now we can add as many SPF records as needed. They also provided us with a personalized support video explaining their new method in its entirety using our instance as the example.
Verified User
Financial Services · Mid-Market (51-1000 emp.)