MTA-STS
MTA-STS
Check a domain's MTA Strict Transport Security DNS record and policy file — enforces TLS for inbound mail (RFC 8461).
Enter a domain above to check its MTA-STS configuration
About this tool
- What is MTA-STS?
- MTA Strict Transport Security (RFC 8461). A standard that tells sending mail servers to always use TLS when delivering to your domain and to reject delivery if a valid certificate cannot be verified. It prevents downgrade attacks on email in transit.
- What are the MTA-STS modes?
- 'enforce' means sending servers must use TLS or abort delivery. 'testing' means TLS is attempted but failures are only reported, not rejected — good for initial rollout. 'none' disables enforcement while keeping the record active.
- How does MTA-STS work?
- A DNS TXT record at _mta-sts.domain points to a policy file hosted at https://mta-sts.domain/.well-known/mta-sts.txt. Sending servers fetch this policy to learn which MX hostnames are valid and whether TLS is required.
- What is TLS-RPT and how does it relate?
- TLS Reporting (RFC 8460) is a companion standard. It tells sending servers where to send daily reports about TLS connection failures. Configure a TLS-RPT record alongside MTA-STS to monitor delivery issues.