What are the two parts of MTA-STS?

There is a DNS TXT record at _mta-sts that advertises a policy and a version id, plus a policy file served over HTTPS that defines the actual rules.

What does the MTA-STS mode control?

Mode can be enforce, testing, or none. In enforce mode, senders refuse delivery if TLS or the policy's MX list cannot be satisfied.

How does MTA-STS improve security?

It tells sending servers to require valid TLS for SMTP delivery, defending against downgrade attacks that would otherwise allow plaintext interception.

MTA-STS Check

Check a domain's MTA-STS record and policy file.

No results yet

Enter a domain above and press Run to start the check.

About the MTA-STS Check

MTA-STS Check inspects a domain's Mail Transfer Agent Strict Transport Security configuration, which enforces encrypted SMTP delivery. It reads the _mta-sts TXT record that signals policy availability and fetches the policy file served over HTTPS at mta-sts.yourdomain, which lists the allowed mail hosts and enforcement mode. MTA-STS protects mail in transit against downgrade and man-in-the-middle attacks.

How to use

Enter the domain whose MTA-STS setup you want to verify.
Run the check to read the _mta-sts TXT record.
Confirm the policy file at the mta-sts host lists the correct mx hosts and mode.

Frequently asked questions

What are the two parts of MTA-STS?: There is a DNS TXT record at _mta-sts that advertises a policy and a version id, plus a policy file served over HTTPS that defines the actual rules.
What does the MTA-STS mode control?: Mode can be enforce, testing, or none. In enforce mode, senders refuse delivery if TLS or the policy's MX list cannot be satisfied.
How does MTA-STS improve security?: It tells sending servers to require valid TLS for SMTP delivery, defending against downgrade attacks that would otherwise allow plaintext interception.

About the MTA-STS Check

How to use

Frequently asked questions

Related Email tools