MTA-STS Policy Generator
Generate the DNS TXT record and policy file needed to deploy MTA-STS (RFC 8461). MX records are auto-populated from DNS.
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is defined in RFC 8461. It lets a receiving domain publish a policy stating that its MX hosts support STARTTLS, and instruct sending servers to refuse delivery to any MX that cannot complete a TLS handshake with a certificate that is valid for the MX hostname and chains to a trusted root. Without it, SMTP TLS is opportunistic: an on-path attacker can strip the STARTTLS advertisement or present a self-signed certificate and the sender will still deliver in the clear. MTA-STS closes both of those gaps (the STARTTLS downgrade and the untrusted-certificate interception) for senders that honour the policy.
Three Modes
| Mode | Behavior | When to Use |
|---|---|---|
| testing | Failures are reported via TLS-RPT (RFC 8460) but mail is still delivered as if no policy existed. | Start here. Publish a TLS-RPT record first so you actually receive the reports, then monitor before enforcing. |
| enforce | TLS is required. A sender will not deliver to an MX host unless STARTTLS succeeds with a valid certificate for that hostname and the host matches an `mx:` entry in the policy; otherwise it queues and retries or tries another MX. | After confirming TLS and certificates work for every MX host. |
| none | MTA-STS is effectively disabled; senders treat the domain as having no policy. | To retire MTA-STS cleanly: publish `mode: none`, wait at least `max_age` so cached enforce policies expire, then remove the records. |
Hosting Requirements
MTA-STS requires two components working together. First, a DNS TXT record at `_mta-sts.<domain>` with the value `v=STSv1; id=<unique-id>`, where the id is 1 to 32 alphanumeric characters. Second, a policy file hosted at `https://mta-sts.<domain>/.well-known/mta-sts.txt`, served over HTTPS with a certificate that is valid for `mta-sts.<domain>` and chains to a trusted root, with `Content-Type: text/plain` and no HTTP redirects (senders must not follow them). The file lists `version: STSv1`, the `mode`, one `mx:` line per MX host or `*.` wildcard pattern, and `max_age` in seconds (at most 31557600). Senders cache the policy for up to `max_age`, so use a short value such as 86400 while testing and a longer one (weeks or more) once enforcing. The id value in the DNS record must be changed every time the policy file changes, as senders compare it with the id of their cached copy to decide whether to fetch the file again.
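The following Python is an added example, not code from the generator on this page: it builds the policy file and DNS record described above, derives the record id from a hash of the policy so the id changes whenever the file does, validates a fetched policy the way a sender would, and applies the per-mode delivery rules from the table. The domain and MX hosts are constructed sample input, and the hash-derived id and the requirement of at least one `mx:` line outside `mode: none` are this example's own choices.

```python
import hashlib
import re

MAX_AGE_LIMIT = 31557600          # RFC 8461 section 3.2: max_age upper bound in seconds
MODES = ("enforce", "testing", "none")
# mx: value is a hostname, optionally with a single leading "*." wildcard label
MX_PATTERN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$")


def build_policy(mode, mx_hosts, max_age):
    """Return the text of .well-known/mta-sts.txt for the given settings."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")
    if not (0 <= max_age <= MAX_AGE_LIMIT):
        raise ValueError(f"max_age must be 0..{MAX_AGE_LIMIT}, got {max_age}")
    if mode != "none" and not mx_hosts:   # example's own rule: enforce/testing need an MX list
        raise ValueError("at least one mx entry is required unless mode is none")
    lines = ["version: STSv1", f"mode: {mode}"]
    for host in mx_hosts:
        host = host.lower().rstrip(".")
        if not MX_PATTERN_RE.match(host):
            raise ValueError(f"invalid mx pattern: {host!r}")
        lines.append(f"mx: {host}")
    lines.append(f"max_age: {max_age}")
    return "\r\n".join(lines) + "\r\n"   # RFC 8461 allows CRLF or LF line endings


def policy_id(policy_text):
    """Derive the record id from the policy text, so any edit to the file yields a new id.
    The id must be 1-32 alphanumeric characters; a truncated SHA-256 hex digest qualifies."""
    return hashlib.sha256(policy_text.encode()).hexdigest()[:20]


def build_txt_record(domain, policy_text):
    """Return (record name, record value) for the _mta-sts TXT record."""
    return (f"_mta-sts.{domain}", f"v=STSv1; id={policy_id(policy_text)}")


def parse_policy(text):
    """Parse a fetched mta-sts.txt as a sender would, rejecting malformed or out-of-range fields."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            if key in policy:                      # strictness choice of this example
                raise ValueError(f"duplicate field: {key}")
            policy[key] = value
        # unknown fields are ignored, as RFC 8461 requires for forward compatibility
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be an integer of seconds, at most {MAX_AGE_LIMIT}")
    policy["max_age"] = int(policy["max_age"])
    return policy


def mx_matches(mx_host, patterns):
    """True if mx_host is permitted by one of the policy's mx patterns.
    A leading '*.' matches exactly one leftmost label (RFC 8461 section 4.1):
    *.example.com matches mail.example.com but not example.com or a.b.example.com."""
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[2:]
            if host.endswith("." + suffix):
                leftmost = host[: -len(suffix) - 1]
                if leftmost and "." not in leftmost:
                    return True
        elif host == pattern:
            return True
    return False


def delivery_decision(mode, tls_ok, mx_allowed):
    """What a policy-aware sender does for one MX connection attempt.
    tls_ok: STARTTLS succeeded with a certificate valid for the MX name and a trusted chain.
    mx_allowed: the MX host matched an mx: pattern in the policy."""
    if mode == "none" or (tls_ok and mx_allowed):
        return "deliver"
    if mode == "testing":
        return "deliver-and-report"      # failure is recorded in the TLS-RPT report
    return "defer"                       # enforce: do not deliver to this MX; retry or try another


if __name__ == "__main__":
    # constructed sample input, not a real deployment
    policy = build_policy("testing", ["mx1.example.com", "mx2.example.com"], 86400)
    name, value = build_txt_record("example.com", policy)
    print(f"{name} TXT \"{value}\"")
    print(policy)
    print(parse_policy(policy))
```

Because the id is a hash of the file, regenerating the record after any change to the policy (switching `testing` to `enforce`, adding an MX) automatically produces a new id, which is the step deployments most often forget.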
For a complete walkthrough of MTA-STS deployment, see the MTA-STS learn page.
Read the complete MTA-STS guide to learn more.
Get the full picture with DMARCguard
Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.
Start Free