SMTPDoctor

MTA-STS Checker

Check a domain's MTA-STS setup, which forces sending servers to use TLS when delivering mail to you — both the DNS record and the HTTPS policy file.

About the MTA-STS Checker

MTA-STS lets your domain tell other mail servers that they must use TLS encryption when delivering mail to you, and refuse delivery if a secure connection can't be established. This tool verifies both parts of a valid MTA-STS setup: the DNS record and the HTTPS-hosted policy file.

What this tool checks

It looks up the _mta-sts TXT record and fetches the policy file from the well-known HTTPS location, reporting the enforcement mode (enforce, testing, or none).

Why use MTA-STS

Plain SMTP can be downgraded to unencrypted delivery by an attacker. MTA-STS closes that gap by requiring TLS, protecting inbound mail from interception.

Frequently asked questions

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that forces sending servers to use TLS when delivering mail to your domain, preventing downgrade attacks.

What does MTA-STS require?

Two things: a _mta-sts DNS TXT record, and a policy file served over HTTPS at mta-sts.yourdomain.com/.well-known/mta-sts.txt. Both must be present and valid.

What is enforce vs testing mode?

In testing mode, TLS failures are reported but mail still flows. In enforce mode, sending servers refuse to deliver mail that can't be sent over a secure connection. Start in testing, then move to enforce.
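
The checks described under "What this tool checks" and the modes above can be reproduced offline. The following is an added example, not SMTPDoctor's own code: it validates a `_mta-sts` TXT value and a policy file body using the field names from RFC 8461 and reports the mode. The function names and sample inputs are constructed for illustration, and fetching the record and file over DNS and HTTPS is left out.

```python
import re

VALID_MODES = {"enforce", "testing", "none"}

def parse_txt_record(txt):
    """Parse a _mta-sts TXT value such as 'v=STSv1; id=20240101T000000'."""
    fields = dict(
        (k.strip(), v.strip())
        for k, _, v in (part.partition("=") for part in txt.split(";"))
        if v
    )
    errors = []
    if not txt.strip().startswith("v=STSv1"):  # version must be the first field
        errors.append("TXT record must begin with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        errors.append("TXT id must be 1-32 alphanumeric characters")
    return fields, errors

def parse_policy(text):
    """Parse the key: value lines of the policy file; mx may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy[key.strip()] = value.strip()
    errors = []
    if policy.get("version") != "STSv1":
        errors.append("policy version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        errors.append("mode must be enforce, testing or none")
    if not re.fullmatch(r"[0-9]{1,10}", policy.get("max_age", "")):
        errors.append("max_age must be an integer number of seconds")
    # Assumption of this example: mx patterns are demanded only when TLS is checked.
    if policy.get("mode") in ("enforce", "testing") and not policy["mx"]:
        errors.append("enforce/testing policy needs at least one mx pattern")
    return policy, errors

def check(txt, policy_text):
    """Return (reported mode or None, all errors) for one domain's two parts."""
    _, txt_errors = parse_txt_record(txt)
    policy, policy_errors = parse_policy(policy_text)
    mode = policy.get("mode") if policy.get("mode") in VALID_MODES else None
    return mode, txt_errors + policy_errors

# Constructed sample inputs (example.com and example.net are placeholder domains).
SAMPLE_TXT = "v=STSv1; id=20240101T000000"
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mail.example.com\nmx: *.example.net\nmax_age: 86400\n"
```

A policy that parses cleanly but reports `testing` or `none` is valid yet not enforcing, so the returned mode matters as much as the error list.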