---
title: "Free MTA-STS Checker | DMARC Report"
description: "Check MTA-STS configuration for any domain. Validate the DNS record, policy file, TLS enforcement mode, and authorized MX hosts with our free MTA-STS checker tool."
image: "https://dmarcreport.com/images/og-default.png"
canonical: "https://dmarcreport.com/tools/mta-sts-checker/"
---

## Check Your MTA-STS Configuration

Enter your domain to check both the DNS record and the policy file hosted at your domain.

## What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard defined in [RFC 8461](https://www.rfc-editor.org/rfc/rfc8461) that enables domains to declare that they support TLS encryption for inbound email and that sending servers should refuse to deliver messages over unencrypted connections.

Without MTA-STS, email between servers can be intercepted through man-in-the-middle attacks that strip TLS encryption, even if both servers support it. This is called a TLS downgrade attack. MTA-STS prevents this by telling sending servers to require TLS and to validate the certificate.

MTA-STS has two components: a DNS TXT record at `_mta-sts.yourdomain.com` and a policy file hosted at `https://mta-sts.yourdomain.com/.well-known/mta-sts.txt`.

## MTA-STS Policy Modes

### enforce

Mail that cannot be delivered over a valid TLS connection is rejected. This is the strongest mode and provides maximum protection against downgrade attacks.

### testing

TLS failures are reported via TLS-RPT but mail is still delivered. Ideal for initial deployment to identify issues before enforcing.

### none

MTA-STS is effectively disabled. No TLS requirement is communicated to sending servers. Used to deactivate a previously published policy.

## How MTA-STS Works

### DNS Discovery

The sending server queries `_mta-sts.yourdomain.com` for a TXT record of the form `v=STSv1; id=20240101`, where `id` identifies the currently published policy.

### Policy Fetch

If the TXT record exists, the sender fetches the policy file from `https://mta-sts.yourdomain.com/.well-known/mta-sts.txt` over HTTPS.

### TLS Enforcement

Based on the policy mode, the sender either enforces TLS (reject failures), reports failures (testing mode), or does nothing (none mode).

### MX Validation

The policy file specifies which MX hosts are valid. Before delivering, the sender verifies that the MX hostname matches one of the authorized hosts and that the server presents a valid certificate for that hostname.

## RFC 8461 Reference

MTA-STS is defined in [RFC 8461](https://www.rfc-editor.org/rfc/rfc8461) (September 2018). It complements [RFC 8460](https://www.rfc-editor.org/rfc/rfc8460) (SMTP TLS Reporting) which provides visibility into TLS connection failures.

Example MTA-STS policy file:

```
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 604800
```
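The steps under "How MTA-STS Works", applied to the TXT value and policy file shown on this page, as an added example (not DMARC Report's checker code). DNS and HTTPS lookups are replaced by the constructed strings `SAMPLE_TXT` and `SAMPLE_POLICY`; the function names and the `tls_ok` flag (the caller's STARTTLS and certificate-validation result) are assumptions of this example.

```python
# Added example: MTA-STS record parsing, MX matching and mode handling (RFC 8461).
SAMPLE_TXT = "v=STSv1; id=20240101"  # constructed input, value from the page
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.example.com\nmax_age: 604800\n"

def parse_txt(record):
    """Return the policy id from a _mta-sts TXT value, or None if malformed."""
    fields = [f.strip() for f in record.split(";") if f.strip()]
    if not fields or fields[0] != "v=STSv1":  # version must come first
        return None
    kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    pid = kv.get("id", "")
    ok = pid.isascii() and pid.isalnum() and len(pid) <= 32
    return pid if ok else None

def parse_policy(text):
    """Parse mta-sts.txt into a dict; raise ValueError on an unusable policy."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or unrecognised line
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        else:
            policy.setdefault(key.strip(), value.strip())  # first occurrence wins
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if not str(policy.get("max_age", "")).isdigit():
        raise ValueError("max_age missing or not numeric")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx hosts")
    return policy

def mx_allowed(mx_host, patterns):
    """'*.' matches exactly one left-most label, so never the bare parent domain."""
    host = mx_host.lower().rstrip(".")
    label, _, parent = host.partition(".")
    return any(host == p or (p.startswith("*.") and label and parent == p[2:])
               for p in patterns)

def delivery_decision(policy, mx_host, tls_ok):
    """tls_ok: caller's result of STARTTLS plus certificate validation for mx_host."""
    if policy["mode"] == "none" or (tls_ok and mx_allowed(mx_host, policy["mx"])):
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"
```

A `refuse` result applies to the one MX candidate passed in; the same check is repeated for each MX host the sender tries.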



