
MTA-STS check.

Verify your MTA-STS policy to ensure inbound email is delivered over encrypted TLS connections and protected from downgrade attacks.

MTA-STS enforces TLS encryption for inbound email — protecting against downgrade attacks.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that tells sending mail servers to only deliver email to your domain over encrypted TLS connections. Without MTA-STS, an attacker can perform a downgrade attack — stripping TLS from the connection and intercepting email in transit.

How it works
MTA-STS requires two things: a DNS TXT record at _mta-sts.yourdomain.com and a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The policy file specifies which MX servers accept mail and whether TLS is enforced.
Policy modes
  • mode: testing — report failures but still deliver (safe starting point)
  • mode: enforce — reject delivery if TLS fails (full protection)
  • mode: none — disable the policy
Why it matters
SMTP was designed without encryption. Opportunistic TLS helps, but without MTA-STS, an attacker on the network path can strip TLS and read email in plaintext. MTA-STS closes this gap for inbound mail.

How to deploy MTA-STS

Step 1 Add the DNS TXT record
_mta-sts.yourdomain.com TXT "v=STSv1; id=20260127"

The id is a version identifier. Change it whenever you update the policy file.

Step 2 Host the policy file
version: STSv1
mode: testing
mx: mail.yourdomain.com
max_age: 86400

Host this at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. Start with mode: testing.

Step 3 Switch to enforce

After confirming no delivery issues in testing mode (check TLS-RPT reports), change mode: testing to mode: enforce and update the id in your DNS record.
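As an added example (not the tool's own code), the following Python checker validates a TXT record and policy file of the kind shown in the steps above and confirms that every MX host the domain publishes is covered by an mx entry, which is what an enforcing sender will require before delivering. The TXT record, policy text and MX host list are constructed sample values.

```python
# Constructed inputs (not fetched from a real domain): the _mta-sts TXT record,
# the policy file contents, and the hostnames an MX lookup would return.
SAMPLE_TXT = "v=STSv1; id=20260127"
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mail.yourdomain.com\nmx: *.mx.yourdomain.com\nmax_age: 86400\n"
SAMPLE_MX_HOSTS = ["mail.yourdomain.com", "mx2.mx.yourdomain.com"]

def parse_txt_record(txt):
    """Split 'v=STSv1; id=...' into a dict of key/value pairs."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def parse_policy(text):
    """Parse 'key: value' lines; 'mx' may repeat, so it is collected into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "mx":
                policy["mx"].append(value)
            else:
                policy[key] = value
    return policy

def mx_matches(host, pattern):
    # An mx entry matches exactly, or as '*.suffix' covering one leading label.
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def check_mta_sts(txt, policy_text, mx_hosts):
    """Return the problems found; an empty list means the deployment is consistent."""
    problems = []
    rec = parse_txt_record(txt)
    if rec.get("v") != "STSv1" or not rec.get("id"):
        problems.append("TXT record must be 'v=STSv1; id=<version>'")
    pol = parse_policy(policy_text)
    if pol.get("mode") not in ("testing", "enforce", "none"):
        problems.append("mode must be testing, enforce or none")
    if not pol.get("max_age", "").isdigit() or int(pol["max_age"]) < 1:
        problems.append("max_age must be a positive number of seconds")
    # Every published MX host must match an mx entry, or an enforcing sender refuses it.
    for host in mx_hosts:
        if not any(mx_matches(host, p) for p in pol["mx"]):
            problems.append("MX host %s is not covered by any mx entry" % host)
    return problems
```

Run `check_mta_sts(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX_HOSTS)` and an empty list means the sample deployment is consistent; each returned string names one thing to fix before switching to mode: enforce.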

Deploy MTA-STS with help
DNS Doctors can set up MTA-STS for your domain, host the policy file, and monitor enforcement status.