Skip to main content
New SPF lookups must resolve in milliseconds — why a DMARC tool's add-on isn't enough Learn Why → →

Free MTA-STS Checker

Validate your MTA-STS DNS record, policy file, and TLS enforcement mode - ensuring your inbound email is protected against downgrade attacks.

No signup required - check any domain instantly

Check Your MTA-STS Configuration

Enter your domain to check both the DNS record and the policy file hosted at your domain.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard defined in RFC 8461 that enables domains to declare that they support TLS encryption for inbound email and that sending servers should refuse to deliver messages over unencrypted connections.

Without MTA-STS, email between servers can be intercepted through man-in-the-middle attacks that strip TLS encryption - even if both servers support it. This is called a TLS downgrade attack. MTA-STS prevents this by telling sending servers to require TLS and to validate the certificate.

MTA-STS has two components: a DNS TXT record at _mta-sts.yourdomain.com and a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.

Policy Configuration

MTA-STS Policy Modes

enforce

Mail that cannot be delivered over a valid TLS connection is rejected. This is the strongest mode and provides maximum protection against downgrade attacks.

testing

TLS failures are reported via TLS-RPT but mail is still delivered. Ideal for initial deployment to identify issues before enforcing.

none

MTA-STS is effectively disabled. No TLS requirement is communicated to sending servers. Used to deactivate a previously published policy.

Step by Step

How MTA-STS Works

DNS Discovery

The sending server queries _mta-sts.yourdomain.com for a TXT record containing v=STSv1; id=20240101.

Policy Fetch

If the TXT record exists, the sender fetches the policy file from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt over HTTPS.

TLS Enforcement

Based on the policy mode, the sender either enforces TLS (reject failures), reports failures (testing mode), or does nothing (none mode).

MX Validation

The policy file specifies which MX hosts are valid. The sender verifies that the MX server certificate matches one of the authorized hosts before delivering.

RFC 8461 Reference

MTA-STS is defined in RFC 8461 (September 2018). It complements RFC 8460 (SMTP TLS Reporting) which provides visibility into TLS connection failures.

Example MTA-STS policy file:

version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 604800
Reading Your Results

Understanding Your MTA-STS Check

MTA-STS is unusual among email records because it lives in two places at once - a DNS record and a web-hosted policy file - and both have to agree. That's why most MTA-STS problems are configuration mismatches rather than missing records.

What the Checker Validates

A complete check confirms four things line up: the _mta-sts TXT record exists and carries a valid id, the policy file is reachable over HTTPS at mta-sts.yourdomain.com/.well-known/mta-sts.txt with a trusted certificate, the policy's mode is what you intend, and the mx hosts it lists actually match your published MX records. If any one is off, sending servers can't enforce your policy.

Common MTA-STS Failures

  • TXT record but no policy file. The DNS record points to a policy that isn't being served - senders fall back to no enforcement.
  • Policy file not over valid HTTPS. The mta-sts subdomain needs its own trusted TLS certificate; a self-signed or expired cert fails the fetch.
  • MX mismatch. The mx lines in the policy don't match your real MX hosts, so valid mail servers fail certificate validation.
  • Stuck in testing or none. The policy is published but not actually enforcing TLS.
  • Unchanged id. After editing the policy, the DNS record's id must change or senders keep the cached old version.

Deploying Safely: testing Before enforce

Roll MTA-STS out in stages. Publish with mode: testing first and pair it with TLS-RPT so you receive reports of any TLS failures without blocking mail. Once the reports are clean and your MX list is confirmed, switch to mode: enforce. Set a reasonable max_age (a week is common) so senders cache the policy but pick up changes within a sensible window.

MTA-STS and TLS-RPT Work Together

MTA-STS enforces encrypted delivery; TLS-RPT (RFC 8460) gives you the visibility to trust that enforcement. Without reporting you're enforcing blind - deploy both together so a broken certificate surfaces as a report instead of silently bounced mail.

Where MTA-STS Fits in Your Email Stack

MTA-STS secures inbound mail in transit, but it doesn't authenticate senders - that's the job of SPF, DKIM, and DMARC on the outbound side. Run the full domain authentication checker to see all of them at once, and keep your SPF record valid and under the 10-lookup limit with AutoSPF so the authentication half of your stack is as solid as the encryption half.

Complete your email security stack

MTA-STS protects inbound TLS. AutoSPF protects your outbound SPF - automatically flattening records to stay within the 10-lookup limit.

Rated 5/5 on G2 · Trusted since 2018

What Our Customers Say

"AutoSPF Flattens SPF Records Seamlessly & Keeps Changes Logged - I am quite pleased with the product"

It does what it promises to do, and does it very well. I appreciate that it keeps a log of changes made, which prevents many mistakes. A client's SPF record would have way too many lookups, but AutoSPF makes that problem go away. The length of the SPF record is typically not the issue; it's the amount of lookups in the record that are. AutoSPF "flattens" the record, automatically expanding the defined lookups to IP addresses or ranges. And it auto-updates the record when the un-flattened lookups change.
PJ

Peter J.

President · Small-Business (50 or fewer emp.)

"Helped us go beyond capacity"

AutoSPF did exactly as described, it helped us get past our 10 lookup limit. Afterwards, we hit another limit regarding overall capacity and when contacted, they quickly provided us with a new solution to eliminate capacity issues entirely going forward, so now we can add as many SPF records as needed. They also provided us with a personalized support video explaining their new method in its entirety using our instance as the example.
VU

Verified User

Financial Services · Mid-Market (51-1000 emp.)