Enforce TLS encryption without running a web server
MTA-STS requires hosting a policy file at a specific HTTPS endpoint. DMARC Report hosts it for you — preventing downgrade attacks and ensuring encrypted email delivery to your domain.
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is defined in RFC 8461. It tells sending mail servers that your domain requires TLS-encrypted connections — and that they should refuse to deliver email if encryption cannot be established.
Without MTA-STS, email relies on opportunistic TLS — a sending server tries encryption but silently falls back to plaintext if it fails. This leaves your email vulnerable to man-in-the-middle and downgrade attacks.
- Prevents TLS downgrade attacks on inbound email
- Requires sending servers to verify your mail server certificates
- Works alongside DANE as a complementary encryption standard
- Adopted by Google, Microsoft, Yahoo, and other major providers
How downgrade attacks steal your email
Without MTA-STS, a man-in-the-middle can strip TLS from the connection, forcing email to travel in plaintext. MTA-STS makes this impossible.
- Opportunistic TLS: The sender tries to establish TLS. If encryption negotiation succeeds, the email travels encrypted. But if anything goes wrong, the sending server silently falls back to plaintext.
- Downgrade attack: An attacker intercepts the connection and strips the STARTTLS command. The sending server concludes that TLS is not available and delivers the email in plaintext, completely readable to the attacker.
- With MTA-STS: The sending server checks your MTA-STS policy before connecting. If TLS cannot be established or the certificate is invalid, the server refuses to deliver; the email is never sent in plaintext.
Three modes for every stage of deployment
Start with testing to monitor, move to enforce when ready, and use none if you need to temporarily disable the policy.
- Testing: Report TLS failures but still deliver email. Use this mode when deploying MTA-STS for the first time so you can identify issues without blocking mail.
- Enforce: Reject email connections that cannot establish TLS. Sending servers will refuse to deliver mail to your domain over an unencrypted channel.
- None: Disable the MTA-STS policy. Sending servers ignore the policy file and fall back to opportunistic TLS behavior.
Three steps to MTA-STS deployment
No web server to configure, no certificates to manage, no infrastructure to maintain. Add your domain and we handle the rest.
1. Enter your domain in DMARC Report. We automatically detect your MX records and generate an MTA-STS policy file tailored to your mail infrastructure.
2. DMARC Report hosts the policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with a valid TLS certificate — no web server on your end.
3. Publish one TXT record at _mta-sts.yourdomain.com to activate the policy. We generate the exact record content for you to copy-paste.
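As an added example (not DMARC Report's code), the Python below checks the two artifacts the steps above produce against the RFC 8461 rules: it parses the hosted policy file, extracts the policy id from the _mta-sts TXT record, and lists any MX hosts an enforce-mode policy would leave uncovered. The example.com policy, TXT record and MX hosts are constructed sample data.

```python
# Added example, not DMARC Report's code: validate an MTA-STS deployment
# against RFC 8461 rules using constructed data for a fictitious example.com.
import re

MODES = ("testing", "enforce", "none")
# Constructed: body served at https://mta-sts.example.com/.well-known/mta-sts.txt
POLICY_TEXT = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
               "mx: *.backup.example.net\nmax_age: 604800\n")
TXT_RECORD = "v=STSv1; id=20240101120000Z;"  # constructed: _mta-sts.example.com TXT


def parse_policy(text):
    """Parse 'key: value' lines; only 'mx' may repeat. Rejects bad values."""
    policy = {"mx": []}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in policy:
            raise ValueError(f"duplicate field: {key}")
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in MODES:
        raise ValueError("version must be STSv1 and mode one of %s" % (MODES,))
    policy["max_age"] = int(policy.get("max_age", "-1"))
    if not 0 <= policy["max_age"] <= 31557600:  # RFC 8461 maximum (1 year)
        raise ValueError("max_age out of range")
    return policy


def parse_txt_record(record):
    """Return the policy id from a 'v=STSv1; id=...' record, else raise."""
    if not (m := re.fullmatch(r"v=STSv1;\s*id=([A-Za-z0-9]{1,32})\s*;?", record.strip())):
        raise ValueError("not an MTA-STS TXT record")
    return m.group(1)


def mx_matches(host, patterns):
    """A '*.' wildcard covers exactly one label; anything else must be exact."""
    host = host.lower()
    for p in patterns:
        if p.startswith("*."):
            if host.endswith(p[1:]) and "." not in host[: -len(p[1:])]:
                return True
        elif host == p:
            return True
    return False


def unlisted_mx_hosts(policy, mx_hosts):
    return [h for h in mx_hosts if not mx_matches(h, policy["mx"])]
```

Any host returned by unlisted_mx_hosts would be rejected by senders once the mode is enforce, so fix the MX list or the policy before switching modes. Remember that senders cache a fetched policy for max_age and only re-fetch when the id in the TXT record changes, so every policy edit needs a new id.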
Everything included with MTA-STS hosting
Hosted Policy File
We serve your MTA-STS policy at the required HTTPS endpoint. No web server, certificate, or infrastructure to maintain on your side.
Automatic Certificates
TLS certificates for the mta-sts subdomain are provisioned and renewed automatically. Zero maintenance on your part.
Policy Mode Switching
Move between testing, enforce, and none modes from the dashboard. Changes propagate immediately — no DNS edits required.
DNS Record Generation
We generate the exact _mta-sts TXT record you need. Copy-paste it into your DNS provider — no guesswork about formatting or versioning.
Monitoring Dashboard
Track policy fetch activity and see when sending servers fetch your MTA-STS policy. Detect misconfigurations before they affect mail flow.
TLS-RPT Integration
Pair MTA-STS with TLS-RPT to receive reports when TLS connections fail. MTA-STS enforces, TLS-RPT reports.
Available on Shield and above
MTA-STS hosting is included in the Shield plan ($75/mo) and all higher tiers. No add-on fees, no per-domain charges for MTA-STS.
Also includes TLS-RPT monitoring, parked domain protection, and all core DMARC features.
Enforce email encryption today
Start your free trial — deploy MTA-STS in minutes with no infrastructure to manage.
What Security Teams Say About DMARC Report
Rated 4.8/5 on G2 · 469 verified reviews
Verified User in Information Technology and Services
"Best security tool for your own domains"
The weekly reports help me a lot to quickly analyze the emails sent from my domains, and that gives me peace of mind.
Ryan C.
Director
"Control Centre for Email Security"
I like that we can see and check all reports on just 1 platform. We manage multiple domains, and monitoring them all in one place is essential.
eddy g.
Director
"A great solution to a common email problem."
I have been using them for the last month after my Google business email started giving DMARC errors. I didn't even know what it meant at that time. After a little googling I found that people can spoof it as well. So far so good — the best thing is it protects every email.