
Free MTA-STS Checker

Validate your MTA-STS DNS record, policy file, and TLS enforcement mode — ensuring your inbound email is protected against downgrade attacks.

No signup required — check any domain instantly

Check Your MTA-STS Configuration

Enter your domain to check both the DNS record and the policy file hosted at your domain.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard defined in RFC 8461 that enables domains to declare that they support TLS encryption for inbound email and that sending servers should refuse to deliver messages over unencrypted connections.

Without MTA-STS, email between servers can be intercepted through man-in-the-middle attacks that strip TLS encryption — even if both servers support it. This is called a TLS downgrade attack. MTA-STS prevents this by telling sending servers to require TLS and to validate the certificate.

MTA-STS has two components: a DNS TXT record at _mta-sts.yourdomain.com and a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.

MTA-STS Policy Modes

enforce

Mail that cannot be delivered over a valid TLS connection is rejected. This is the strongest mode and provides maximum protection against downgrade attacks.

testing

TLS failures are reported via TLS-RPT but mail is still delivered. Ideal for initial deployment to identify issues before enforcing.

none

MTA-STS is effectively disabled. No TLS requirement is communicated to sending servers. Used to deactivate a previously published policy.

How MTA-STS Works

DNS Discovery

The sending server queries _mta-sts.yourdomain.com for a TXT record containing the version and a policy id, for example v=STSv1; id=20240101.

Policy Fetch

If the TXT record exists, the sender fetches the policy file from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt over HTTPS.

TLS Enforcement

Based on the policy mode, the sender either enforces TLS and rejects failures (enforce mode), delivers but reports failures (testing mode), or does nothing (none mode).

MX Validation

The policy file specifies which MX hosts are valid. The sender verifies that the MX server certificate matches one of the authorized hosts before delivering.

RFC 8461 Reference

MTA-STS is defined in RFC 8461 (September 2018). It complements RFC 8460 (SMTP TLS Reporting) which provides visibility into TLS connection failures.

Example MTA-STS policy file:

version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 604800

Complete your email security stack

MTA-STS protects inbound TLS. DMARC Report monitors your outbound SPF, DKIM, and DMARC authentication in one dashboard.


Enterprise-Grade Security

G2 Leader — DMARC

Rated 4.8/5 on G2 · 469 verified reviews

G2 Momentum Leader — DMARC

Verified User in Information Technology and Services

5/5

"Best security tool for your own domains"

The weekly reports help me a lot to analyze quickly the emails sent from my domains and that gives me peace of mind.

8/31/2022 Verified on G2

Ryan C.

Director

4.5/5

"Control Centre for Email Security"

I like that we can see and check all reports on just 1 platform. We manage multiple domains, and monitoring them all in one place is essential.

8/29/2022 Verified on G2

eddy g.

Director

4.5/5

"A great solution to a common email problem."

I have been using them for the last month after my Google business email started giving DMARC errors. I didn't even know what it meant at that time. After a little googling I found that people can spoof it as well. So far so good — the best thing is it protects every email.

8/29/2022 Verified on G2