MTA-STS Checker

Built for operators & agencies
Live DNS - no cached APIs
No login required
No data retention
Privacy first diagnostics
Prevents blacklisting - not causes it

Check if your domain has MTA-STS configured to force TLS encryption on inbound email.


What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) lets your domain publish a policy that tells sending mail servers to deliver to your MX hosts only over TLS with a valid certificate, and only to the MX hosts the policy lists. Without it, SMTP's STARTTLS is opportunistic: an on-path attacker can strip the STARTTLS offer so the session falls back to plaintext, or answer the MX lookup with a server they control, and read or modify mail in transit.

How MTA-STS works

  1. A sending mail server queries the TXT record at _mta-sts.yourdomain.com. Its presence (v=STSv1; id=...) signals that a policy exists, and the id tells the sender whether the copy it has cached is still current.
  2. The sending server fetches the policy over HTTPS from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, validating the certificate for mta-sts.yourdomain.com the way a browser would. Redirects are not followed.
  3. The policy lists the MX hostnames allowed to receive mail for the domain and the mode (enforce, testing or none). The sender caches it for max_age seconds.
  4. On delivery, the sender checks that the MX host it resolved matches an mx entry in the policy and that the TLS handshake succeeds with a certificate valid for that MX hostname. If either check fails, the behavior depends on the mode: enforce means the sender must not deliver over the insecure path (it queues and retries instead), testing means it delivers anyway and reports the failure via TLS-RPT.

MTA-STS modes

  • enforce - delivery must use TLS to a listed MX with a valid certificate. If that cannot be established, the sender does not deliver: mail is queued and retried, and eventually bounces if the policy never becomes satisfiable. Use once you have verified the setup is correct.
  • testing - failures are reported (via TLS-RPT) but mail is still delivered. Good for rollout.
  • none - a policy is published but imposes no requirements. Use it to retire MTA-STS cleanly: senders holding a cached policy learn it is withdrawn instead of enforcing the old one until it expires.

How to set up MTA-STS

  1. Create a subdomain mta-sts.yourdomain.com served over HTTPS with a publicly trusted certificate valid for that exact name. Senders validate it as a browser would and will not follow redirects, so the policy must be served directly from that host.
  2. Serve the policy file at /.well-known/mta-sts.txt as text/plain, with content like the following (one mx line per MX host; a pattern such as *.yourdomain.com matches exactly one leftmost label):
    version: STSv1
    mode: testing
    mx: mail.yourdomain.com
    max_age: 86400
  3. Add a TXT record at _mta-sts.yourdomain.com: v=STSv1; id=20240101000000. The id is any string of 1 to 32 letters and digits; change it every time the policy file changes, otherwise senders keep using the cached copy.
  4. Optionally set up TLS-RPT to receive failure reports: a TXT record at _smtp._tls.yourdomain.com with v=TLSRPTv1; rua=mailto:[email protected]. Do this before step 5 so you can see what enforce mode would have blocked.
  5. After running in testing mode long enough to see clean TLS-RPT reports, switch to mode: enforce, raise max_age (a week or more is typical; the maximum allowed is 31557600 seconds), and update the policy id in the TXT record.
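The sender-side checks described in the four steps above, applied to the policy you publish in this procedure, as an added Python example (not part of this page's checker). It models what an MTA-STS-aware sender does offline: parse the _mta-sts TXT record, parse the policy file, match the resolved MX hostname against the policy's mx patterns (including the single-label wildcard rule), and return the delivery decision for each mode. The TXT record, policy and the domain example.com are constructed samples, not live DNS or HTTPS data.

```python
"""Offline model of an MTA-STS-aware sender (RFC 8461). Added example; the
records below are constructed samples for an imaginary domain."""
import re
from dataclasses import dataclass

# Constructed sample records (not real DNS/HTTPS data).
SAMPLE_TXT = "v=STSv1; id=20240101000000"
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.backup.example.com\n"
    "max_age: 604800\n"
)

MAX_AGE_LIMIT = 31557600  # RFC 8461: one year is the largest allowed max_age


@dataclass
class StsPolicy:
    mode: str
    mx: list
    max_age: int


def parse_sts_txt(txt: str) -> str:
    """Parse the _mta-sts.<domain> TXT record and return the policy id.
    Fields are 'key=value' separated by ';', 'v=STSv1' is mandatory and the
    id is 1-32 alphanumeric characters (RFC 8461 section 3.1)."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed TXT field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record is not an MTA-STS v1 record")
    policy_id = fields.get("id", "")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id):
        raise ValueError(f"invalid policy id: {policy_id!r}")
    return policy_id


def parse_policy(body: str) -> StsPolicy:
    """Parse /.well-known/mta-sts.txt (RFC 8461 section 3.2)."""
    version = mode = max_age = None
    mx = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
        # unknown keys are ignored so future extensions do not break parsing
    if version != "STSv1":
        raise ValueError("policy version must be STSv1")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if max_age is None or not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError("max_age missing or out of range")
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policy needs at least one mx line")
    return StsPolicy(mode=mode, mx=mx, max_age=max_age)


def mx_matches(pattern: str, hostname: str) -> bool:
    """MX matching per RFC 8461 section 4.1: '*.example.com' matches exactly
    one leftmost label (mx1.example.com), not example.com or a.mx1.example.com."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return bool(label) and "." not in label
    return hostname == pattern


def sender_decision(policy: StsPolicy, mx_host: str, tls_ok: bool, cert_ok: bool) -> str:
    """What the sender does for one delivery attempt. mx_host is the MX the
    sender resolved; tls_ok means STARTTLS negotiated; cert_ok means the
    certificate chains to a trusted root and is valid for mx_host."""
    host_listed = any(mx_matches(p, mx_host) for p in policy.mx)
    if policy.mode == "none" or (host_listed and tls_ok and cert_ok):
        return "deliver"
    if policy.mode == "testing":
        return "deliver-and-report"  # delivered anyway, failure goes to TLS-RPT
    return "refuse"  # enforce: queue and retry, never fall back to plaintext


if __name__ == "__main__":
    print("policy id:", parse_sts_txt(SAMPLE_TXT))
    policy = parse_policy(SAMPLE_POLICY)
    print("mode:", policy.mode, "mx:", policy.mx, "max_age:", policy.max_age)
    for host, tls, cert in [
        ("mail.example.com", True, True),        # legitimate MX, clean TLS
        ("mail.example.com", False, False),      # STARTTLS stripped on the wire
        ("mx1.backup.example.com", True, True),  # matches the wildcard entry
        ("evil.attacker.test", True, True),      # spoofed MX with its own valid cert
    ]:
        print(f"{host:26} tls={tls!s:5} cert={cert!s:5} -> {sender_decision(policy, host, tls, cert)}")
```

The last two demo rows are the point of the protocol: a stripped STARTTLS and a spoofed MX both carry a perfectly working connection from the sender's point of view, and only the policy's mx list plus the certificate check turn them into a refusal in enforce mode. A real client would add the HTTPS fetch, the policy cache keyed on the TXT id, and the TLS-RPT report generation.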

FAQ

Is MTA-STS required for good deliverability?

MTA-STS is not required for inbox placement; it is a transport-security measure, not a sender-reputation signal. Gmail and other major providers honour it when sending to you, so a policy in enforce mode means mail from them cannot be downgraded to plaintext or diverted to an unlisted MX. For security-sensitive domains it is worth implementing alongside DMARC, which covers authentication of your outbound mail rather than transport encryption.

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting, RFC 8460) is the companion standard to MTA-STS. Sending servers that support it mail you an aggregate report, normally once a day, listing their delivery attempts to your domain where your policy could not be applied: STARTTLS not offered, certificate not valid for the MX name, MX host not matching the policy, or the policy itself not fetchable. Reading these reports before you switch to enforce mode shows which senders or MX hosts would have been blocked.

Does MTA-STS protect outbound email?

MTA-STS only protects inbound email: connections from other mail servers to yours. It says nothing about mail your servers send. SPF, DKIM and DMARC authenticate your outbound mail (they let receivers verify who sent it, not that it travelled encrypted); to get TLS guarantees on outbound delivery, your sending MTA must itself honour the recipient domains' MTA-STS (or DANE) policies.