Ensure emails are encrypted in transit, validate your MTA-STS policy instantly and fix configuration issues in seconds.
The MTA-STS Checker validates your domain's MTA-STS DNS record and HTTPS policy file, the two-part configuration that tells sending mail servers to use TLS when delivering mail to your domain.
MTA-STS (Mail Transfer Agent Strict Transport Security) protects inbound mail from downgrade and man-in-the-middle attacks by requiring encrypted SMTP connections to your MX hosts.
Confirm your domain publishes MTA-STS and that the policy file is reachable over HTTPS.
Verify the TXT record at _mta-sts and the policy file at mta-sts.yourdomain.com/.well-known/.
See which MX hosts are covered by your published policy mode and mx: directives.
Surface missing id= tags, inaccessible policy files, and invalid v=STSv1 records.
Type the root domain only, for example example.com, without http:// or a path.
The tool queries _mta-sts.yourdomain.com for the MTA-STS TXT record (v=STSv1).
It retrieves the HTTPS policy at mta-sts.yourdomain.com/.well-known/mta-sts.txt.
Read pass/fail rows for record validity, policy access, mode, MX entries, and errors.
MTA-STS requires both a DNS TXT record and a hosted HTTPS policy file. Both must be valid for senders to enforce TLS to your mail servers.
DNS TXT contains v=STSv1, the policy file loads over HTTPS, and no validation errors were found.
No MTA-STS DNS record at _mta-sts.yourdomain.com, TLS downgrade protection is not active.
A record or policy exists but has problems, inaccessible policy file, missing id=, or invalid mode.
testing mode logs TLS failures without blocking mail; enforce mode requires TLS for covered MX hosts.
Yes if the TXT record at _mta-sts contains v=STSv1.
Yes if the HTTPS policy file responds successfully.
The published location, typically https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
Policy enforcement level, testing (monitor) or enforce (require TLS).
Mail exchange patterns declared in the policy file that MTA-STS covers.
Whether the record is delegated to a third-party provider via CNAME.
Publish in testing mode first to monitor TLS compatibility before switching to enforce.
Update mx: entries whenever you add or change mail servers so all inbound routes are covered.
Set a lower max_age in the policy file while testing so senders pick up changes quickly.
Publish a TLS-RPT record to receive reports about TLS connection failures to your domain.
MTA-STS is a standard that lets domain owners publish a policy requiring senders to use TLS when delivering mail. It prevents opportunistic TLS downgrade attacks on inbound SMTP.
As a TXT record at _mta-sts.yourdomain.com containing v=STSv1 and an id= tag, plus an HTTPS policy file at mta-sts.yourdomain.com/.well-known/mta-sts.txt.
testing mode lets senders deliver mail even if TLS fails, useful for monitoring. enforce mode requires TLS for covered MX hosts or delivery may fail.
Common causes: missing HTTPS hosting at mta-sts.yourdomain.com, wrong file path, invalid TLS certificate, or DNS not yet propagated.
Yes. MTA-STS tells external senders they must use TLS, your server supporting TLS alone does not prevent downgrade attacks.
Your MTA-STS DNS is delegated via CNAME to a third-party provider that hosts the policy file for you.
After every DNS or policy file change, and during periodic security audits, especially before switching to enforce mode.
SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.