MTA-STS Policy Checker
Validate your MTA-STS DNS record, fetch the policy file, and verify MX record alignment per RFC 8461.
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is defined in RFC 8461. It allows mail service providers to declare their ability to receive TLS-secured SMTP connections and to specify whether sending servers should refuse to deliver to MX hosts that do not offer TLS with a trusted certificate. MTA-STS prevents downgrade attacks and certificate spoofing on email delivery.
MTA-STS requires two components: a DNS TXT record at _mta-sts.<domain> containing v=STSv1; id=<unique-id>, and a policy file hosted at https://mta-sts.<domain>/.well-known/mta-sts.txt. The policy file specifies the mode (enforce, testing, or none), MX host patterns, and a max_age lifetime in seconds.
Start with mode: testing to monitor for TLS issues via TLS-RPT reports, then transition to mode: enforce once you have confirmed TLS works correctly for all MX hosts. The recommended max_age is 604800 seconds (1 week).
Frequently asked questions
How do I check my MTA-STS configuration?
Enter your domain. The checker reads the _mta-sts.<domain> TXT record, fetches the policy from https://mta-sts.<domain>/.well-known/mta-sts.txt, and verifies the mode, MX patterns, and that your published MX hosts match the policy per RFC 8461.
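The checks described above can be reproduced offline. The following is an added example, not the checker's own code: it parses a TXT record and a policy body, then lists published MX hosts that no policy pattern covers, using the RFC 8461 rule that a `*.` wildcard matches exactly one left-most label. The function names and the sample record, policy, and MX list are constructed for illustration.

```python
import re

# Constructed sample data (not from a real domain).
SAMPLE_TXT = "v=STSv1; id=20240101T000000"
SAMPLE_POLICY = (
    "version: STSv1\r\nmode: testing\r\n"
    "mx: mail.example.com\r\nmx: *.mx.example.com\r\nmax_age: 604800\r\n"
)
SAMPLE_MX = ["mail.example.com.", "in1.mx.example.com", "backup.example.net"]

def parse_txt(txt):
    """Return the policy id from a _mta-sts TXT record, or raise ValueError."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0] != "v=STSv1":
        raise ValueError("record must begin with v=STSv1")
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 letters or digits")
    return fields["id"]

def parse_policy(body):
    """Parse mta-sts.txt into a dict; the mx key may repeat."""
    policy = {"mx": []}
    for line in filter(str.strip, body.splitlines()):
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy needs version: STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing, or none")
    if not re.fullmatch(r"[0-9]+", policy.get("max_age", "")):
        raise ValueError("max_age must be a whole number of seconds")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need an mx pattern")
    return policy

def mx_matches(host, pattern):
    """RFC 8461 matching: '*.' covers exactly one left-most label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return host == pattern

def unaligned_mx(mx_hosts, policy):
    """Published MX hosts that no policy mx pattern covers."""
    return [h for h in mx_hosts
            if not any(mx_matches(h, p) for p in policy["mx"])]
```

With the sample data, `unaligned_mx(SAMPLE_MX, parse_policy(SAMPLE_POLICY))` returns only `backup.example.net`, the host that would stop receiving mail from MTA-STS-aware senders once the policy moves to enforce.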
What does "MTA-STS policy is missing" mean?
The TXT record exists but the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt could not be fetched — usually a missing subdomain, an invalid TLS certificate on the mta-sts host, or a 404. Both the DNS record and the HTTPS policy file are required.
What is MTA-STS enforce vs testing mode?
testing mode reports TLS failures via TLS-RPT but still delivers if STARTTLS fails, letting you validate safely. enforce mode rejects delivery to any MX without a valid, matching certificate — the setting that prevents downgrade attacks. Start in testing, then switch to enforce.