Free Tool
MTA-STS Checker
Verify your domain's MTA-STS (Mail Transfer Agent Strict Transport Security) configuration. Check DNS records, policy files, and TLS-RPT reporting.
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard defined in RFC 8461. It allows domain owners to declare that their mail servers support TLS encryption and that sending servers should refuse to deliver email over unencrypted connections.
How MTA-STS Works
When a sending mail server wants to deliver email to your domain, it first checks for an MTA-STS DNS TXT record at _mta-sts.yourdomain.com. If found, it fetches the policy file from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
The policy file specifies which MX hosts are authorised, the enforcement mode (enforce, testing, or none), and how long the policy should be cached. In enforce mode, the sending server will refuse to deliver email if it cannot establish a valid TLS connection.
MTA-STS is complemented by TLS-RPT (TLS Reporting), which lets domain owners receive reports about TLS connection failures. This helps identify misconfigurations and potential downgrade attacks.
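The policy file described above can be validated offline before it is published. The following is an added example, not code from this tool: it parses a policy body, checks the mode and cache lifetime, and decides what a sending server would do for a given MX host. Field names (version, mode, mx, max_age) follow RFC 8461; the sample policy, the hostnames and the function names are constructed for illustration.

```python
# Added example: validate an MTA-STS policy body and test MX hosts against it.
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds
MODES = {"enforce", "testing", "none"}

def parse_policy(text):
    """Parse a policy body into a dict; raise ValueError if it is invalid."""
    policy = {"mx": []}
    for raw in text.splitlines():            # accepts LF and CRLF line endings
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key not in policy:              # duplicate keys: first one wins
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in MODES:
        raise ValueError("mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not (age.isascii() and age.isdigit()) or int(age) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be an integer no larger than 31557600")
    policy["max_age"] = int(age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce and testing policies need at least one mx")
    return policy

def mx_allowed(policy, host):
    """True if host matches an mx pattern; '*.' covers exactly one label."""
    host = host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            if host.partition(".")[2] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def sender_action(policy, mx_host, tls_valid):
    """What a sending server does for this MX under the policy's mode."""
    if policy["mode"] == "none" or (tls_valid and mx_allowed(policy, mx_host)):
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"

# Constructed sample policy (not taken from any real domain).
SAMPLE = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\n"
          "mx: *.mx.example.net\r\nmax_age: 86400\r\n")
POLICY = parse_policy(SAMPLE)
```

A host that is absent from the mx list is treated the same as a failed TLS handshake, which is why the MX check and the certificate check feed one decision.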
Why MTA-STS Matters
Prevents TLS downgrade and man-in-the-middle attacks on email
Ensures emails are always encrypted in transit to your domain
Complements DANE where DNSSEC is not deployed
Supported by Google, Microsoft, and other major email providers
MTA-STS Policy Modes
| Mode | Behaviour |
|---|---|
| enforce | Reject emails if TLS connection fails |
| testing | Report failures via TLS-RPT but still deliver |
| none | Policy disabled, no enforcement or reporting |
Automate MTA-STS checks with our API
Integrate MTA-STS validation into your workflow. Programmatically check MTA-STS records, monitor policy changes, and ensure your email transport security stays healthy.