MTA-STS is unusual among email records because it lives in two places at once - a DNS record and a web-hosted policy file - and both have to agree. That's why most MTA-STS problems are configuration mismatches rather than missing records.
What the Checker Validates
A complete check confirms four things line up: the _mta-sts TXT record exists and carries a valid id, the policy file is reachable over HTTPS at mta-sts.yourdomain.com/.well-known/mta-sts.txt with a trusted certificate, the policy's mode is what you intend, and the mx hosts it lists actually match your published MX records. If any one is off, sending servers can't enforce your policy.
Common MTA-STS Failures
- TXT record but no policy file. The DNS record points to a policy that isn't being served - senders fall back to no enforcement.
- Policy file not over valid HTTPS. The
mta-stssubdomain needs its own trusted TLS certificate; a self-signed or expired cert fails the fetch. - MX mismatch. The
mxlines in the policy don't match your real MX hosts, so valid mail servers fail certificate validation. - Stuck in
testingornone. The policy is published but not actually enforcing TLS. - Unchanged
id. After editing the policy, the DNS record'sidmust change or senders keep the cached old version.
Deploying Safely: testing Before enforce
Roll MTA-STS out in stages. Publish with mode: testing first and pair it with TLS-RPT so you receive reports of any TLS failures without blocking mail. Once the reports are clean and your MX list is confirmed, switch to mode: enforce. Set a reasonable max_age (a week is common) so senders cache the policy but pick up changes within a sensible window.
MTA-STS and TLS-RPT Work Together
MTA-STS enforces encrypted delivery; TLS-RPT (RFC 8460) gives you the visibility to trust that enforcement. Without reporting you're enforcing blind - deploy both together so a broken certificate surfaces as a report instead of silently bounced mail.
Where MTA-STS Fits in Your Email Stack
MTA-STS secures inbound mail in transit, but it doesn't authenticate senders - that's the job of SPF, DKIM, and DMARC on the outbound side. Run the full domain authentication checker to see all of them at once, and keep your SPF record valid and under the 10-lookup limit with AutoSPF so the authentication half of your stack is as solid as the encryption half.