---
title: "MTA-STS Hosting - Enforce TLS Encryption on Email Delivery | DMARC Report"
description: "DMARC Report hosts your MTA-STS policy file so receiving mail servers enforce TLS encryption. No separate web server needed. Prevent downgrade attacks and ensure encrypted email delivery."
image: "https://dmarcreport.com/images/og-default.png"
canonical: "https://dmarcreport.com/mta-sts-hosting/"
---

Email Encryption 

# Enforce TLS encryption without running a web server

MTA-STS requires hosting a policy file at a specific HTTPS endpoint. DMARC Report hosts it for you - preventing downgrade attacks and ensuring encrypted email delivery to your domain.

[ Start Free Trial → ](https://app.dmarcreport.com/) [View Pricing](/pricing/) 

The Standard 

## What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is defined in **RFC 8461**. It tells sending mail servers that your domain requires TLS-encrypted connections - and that they should refuse to deliver email if encryption cannot be established.

Without MTA-STS, email relies on opportunistic TLS - a sending server _tries_ encryption but silently falls back to plaintext if it fails. This leaves your email vulnerable to man-in-the-middle and downgrade attacks.

- Prevents TLS downgrade attacks on inbound email
- Requires sending servers to verify your mail server certificates
- Works alongside DANE as a complementary encryption standard
- Adopted by Google, Microsoft, Yahoo, and other major providers

`https://mta-sts.example.com/.well-known/mta-sts.txt`

```text
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 604800
```

Valid TLS certificate • Hosted by DMARC Report

The Problem 

## How downgrade attacks steal your email

Without MTA-STS, a man-in-the-middle can strip TLS from the connection, forcing email to travel in plaintext. MTA-STS makes this impossible.

Normal

Opportunistic TLS

Sender tries to establish TLS. If encryption negotiation succeeds, the email travels encrypted. But if something goes wrong, the server silently falls back to plaintext.

 Encrypted if possible 

Under Attack

TLS Stripped

An attacker intercepts the connection and strips the STARTTLS command. The sending server thinks TLS is not available and delivers the email in plaintext - completely readable.

 Plaintext - exposed 

With MTA-STS

TLS Enforced

The sending server checks your MTA-STS policy before connecting. If TLS cannot be established or the certificate is invalid, the server refuses to deliver - the email is never sent in plaintext.

 Always encrypted 

Policy Modes 

## Three modes for every stage of deployment

Start with testing to monitor, move to enforce when ready, and use none if you need to temporarily disable the policy.

Testing

mode: testing

Report TLS failures but still deliver email. Use this mode when deploying MTA-STS for the first time so you can identify issues without blocking mail.

First deployment - monitor before enforcing

Enforce

mode: enforce

Reject email connections that cannot establish TLS. Sending servers will refuse to deliver mail to your domain over an unencrypted channel.

Production - after verifying no delivery issues

None

mode: none

Disable the MTA-STS policy. Sending servers ignore the policy file and fall back to opportunistic TLS behavior.

Temporarily disabling - troubleshooting or migration

How It Works 

## Three steps to MTA-STS deployment

No web server to configure, no certificates to manage, no infrastructure to maintain. Add your domain and we handle the rest.

1. **Add your domain.** Enter your domain in DMARC Report. We automatically detect your MX records and generate an MTA-STS policy file tailored to your mail infrastructure.
2. **We host the policy file.** DMARC Report hosts the policy file at `https://mta-sts.yourdomain.com/.well-known/mta-sts.txt` with a valid TLS certificate - no web server on your end.
3. **Add the DNS TXT record.** Publish one TXT record at `_mta-sts.yourdomain.com` to activate the policy. We generate the exact record content for you to copy-paste.

DNS TXT Record

Required DNS Record

| Host | Type | Value |
| --- | --- | --- |
| `_mta-sts.yourdomain.com` | TXT | `v=STSv1; id=20240101T000000Z` |

The id value changes when you update the policy mode
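The policy file, the three modes and the TXT record described above can be checked with a short script. This is an added example, not DMARC Report's code: it parses both artifacts using the field rules of RFC 8461 and shows the per-MX decision a policy-honouring sender makes. The function names and the return labels (`skip-mx`, `deliver-and-report`) are illustrative assumptions, and the sample inputs are constructed from the values shown on this page.

```python
import re

# Constructed samples mirroring the policy file and TXT record shown on this page.
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
                 "mx: *.example.com\nmax_age: 604800\n")
SAMPLE_TXT = "v=STSv1; id=20240101T000000Z"
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds

def parse_txt_record(txt):
    """Return the policy id from an _mta-sts TXT record, or None if malformed."""
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields or fields[0] != "v=STSv1":  # version must be the first field
        return None
    pid = dict(f.split("=", 1) for f in fields if "=" in f).get("id", "")
    return pid if re.fullmatch(r"[A-Za-z0-9]{1,32}", pid) else None

def parse_policy(text):
    """Parse an mta-sts.txt body; raise ValueError if the policy is unusable."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)  # first copy of a repeated key wins
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        raise ValueError("invalid max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("mx is required unless mode is none")
    return policy

def mx_matches(host, patterns):
    """True if host is covered; "*." stands for exactly one left-most label."""
    host = host.lower().rstrip(".")
    return any(host == p or (p.startswith("*.") and host.partition(".")[2] == p[2:])
               for p in patterns)

def delivery_action(policy, mx_host, tls_ok):
    """Sender-side decision for one MX; tls_ok = STARTTLS worked and cert validated."""
    if policy["mode"] == "none" or (tls_ok and mx_matches(mx_host, policy["mx"])):
        return "deliver"
    return "skip-mx" if policy["mode"] == "enforce" else "deliver-and-report"
```

Under `enforce`, an MX outside the policy's `mx` list is skipped even when its certificate validates, which is what stops delivery from being redirected through a spoofed MX record.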

What You Get 

## Everything included with MTA-STS hosting

### Hosted Policy File

We serve your MTA-STS policy at the required HTTPS endpoint. No web server, certificate, or infrastructure to maintain on your side.

### Automatic Certificates

TLS certificates for the mta-sts subdomain are provisioned and renewed automatically. Zero maintenance on your part.

### Policy Mode Switching

Move between testing, enforce, and none modes from the dashboard. Changes propagate immediately - no DNS edits required.

### DNS Record Generation

We generate the exact \_mta-sts TXT record you need. Copy-paste it into your DNS provider - no guesswork about formatting or versioning.

### Monitoring Dashboard

Track policy fetch activity and see when sending servers request your MTA-STS policy. Detect misconfigurations before they affect mail flow.

### TLS-RPT Integration

Pair MTA-STS with TLS-RPT to receive reports when TLS connections fail. MTA-STS enforces, TLS-RPT reports.

Availability 

## Available on Shield and above

MTA-STS hosting is included in the **Shield plan ($75/mo)** and all higher tiers. No add-on fees, no per-domain charges for MTA-STS.

Also includes TLS-RPT monitoring, parked domain protection, and all core DMARC features.

[ View Pricing → ](/pricing/) [Learn about TLS-RPT monitoring → ](/tls-rpt/) 

## Enforce email encryption today

Start your free trial - deploy MTA-STS in minutes with no infrastructure to manage.

[Start Free Trial](https://app.dmarcreport.com/)

## What Security Teams Say About DMARC Report

![G2 Leader - DMARC](https://media.mailhop.org/dmarcreport/images/g2-badges/DMARC_Leader_Leader.png)

Rated 4.8/5 on G2 · 469 verified reviews

![G2 Momentum Leader - DMARC](https://media.mailhop.org/dmarcreport/images/g2-badges/DMARC_MomentumLeader_Leader.png)

Verified User in Information Technology and Services

5/5

### "Best security tool for your own domains"

The weekly reports help me a lot to analyze quickly the emails sent from my domains and that gives me peace of mind.

8/31/2022 · Verified on G2

Ryan C.

Director

4.5/5

### "Control Centre for Email Security"

I like that we can see and check all reports on just 1 platform. We manage multiple domains, and monitoring them all in one place is essential.

8/29/2022 · Verified on G2

eddy g.

Director

4.5/5

### "A great solution to a common email problem."

I have been using them for the last month after my Google business email started giving DMARC errors. I didn't even know what it meant at that time. After a little googling I found that people can spoof it as well. So far so good — the best thing is it protects every email.

8/29/2022 · Verified on G2

[Read all 469 reviews on G2 →](https://www.g2.com/products/dmarc-report/reviews)

