MTA-STS & TLS-RPT

MTA-STS record checker

Ensure emails are encrypted in transit, validate your MTA-STS policy instantly and fix configuration issues in seconds.

Please enter a valid domain name, without http:// prefix.

About

The MTA-STS Checker validates your domain's MTA-STS DNS record and HTTPS policy file, the two-part configuration that tells sending mail servers to use TLS when delivering mail to your domain.

MTA-STS (Mail Transfer Agent Strict Transport Security) protects inbound mail from downgrade and man-in-the-middle attacks by requiring encrypted SMTP connections to your MX hosts.

TLS enforcement check

Confirm your domain publishes MTA-STS and that the policy file is reachable over HTTPS.

DNS & policy validation

Verify the TXT record at _mta-sts and the policy file at mta-sts.yourdomain.com/.well-known/.

MX pattern review

See which MX hosts are covered by your published policy mode and mx: directives.

Error detection

Surface missing id= tags, inaccessible policy files, and invalid v=STSv1 records.

How to use this tool

Enter your domain

Type the root domain only, for example example.com, without http:// or a path.

Look up DNS record

The tool queries _mta-sts.yourdomain.com for the MTA-STS TXT record (v=STSv1).

Fetch policy file

It retrieves the HTTPS policy at mta-sts.yourdomain.com/.well-known/mta-sts.txt.

Review checks

Read pass/fail rows for record validity, policy access, mode, MX entries, and errors.

Understanding the results

MTA-STS requires both a DNS TXT record and a hosted HTTPS policy file. Both must be valid for senders to enforce TLS to your mail servers.

Valid record & accessible policy

DNS TXT contains v=STSv1, the policy file loads over HTTPS, and no validation errors were found.

Not found

No MTA-STS DNS record at _mta-sts.yourdomain.com, TLS downgrade protection is not active.

Record found, issues detected

A record or policy exists but has problems, inaccessible policy file, missing id=, or invalid mode.

Mode: testing vs enforce

testing mode logs TLS failures without blocking mail; enforce mode requires TLS for covered MX hosts.

Important result fields

Valid MTA-STS DNS record

Yes if the TXT record at _mta-sts contains v=STSv1.

Accessible MTA-STS Policy file

Yes if the HTTPS policy file responds successfully.

Policy file URL

The published location, typically https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.

Mode

Policy enforcement level, testing (monitor) or enforce (require TLS).

MX

Mail exchange patterns declared in the policy file that MTA-STS covers.

Hosted MTA-STS

Whether the record is delegated to a third-party provider via CNAME.

Best practices & recommendations

Start with mode: testing

Publish in testing mode first to monitor TLS compatibility before switching to enforce.

Keep the policy file in sync

Update mx: entries whenever you add or change mail servers so all inbound routes are covered.

Use a short max_age during rollout

Set a lower max_age in the policy file while testing so senders pick up changes quickly.

Pair with TLS-RPT

Publish a TLS-RPT record to receive reports about TLS connection failures to your domain.

Frequently asked questions

MTA-STS is a standard that lets domain owners publish a policy requiring senders to use TLS when delivering mail. It prevents opportunistic TLS downgrade attacks on inbound SMTP.

As a TXT record at _mta-sts.yourdomain.com containing v=STSv1 and an id= tag, plus an HTTPS policy file at mta-sts.yourdomain.com/.well-known/mta-sts.txt.

testing mode lets senders deliver mail even if TLS fails, useful for monitoring. enforce mode requires TLS for covered MX hosts or delivery may fail.

Common causes: missing HTTPS hosting at mta-sts.yourdomain.com, wrong file path, invalid TLS certificate, or DNS not yet propagated.

Yes. MTA-STS tells external senders they must use TLS, your server supporting TLS alone does not prevent downgrade attacks.

Your MTA-STS DNS is delegated via CNAME to a third-party provider that hosts the policy file for you.

After every DNS or policy file change, and during periodic security audits, especially before switching to enforce mode.

Run this check once, or have it watched 24/7.

SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.

Start monitoring free All free tools