
MTA-STS check

Check a domain’s MTA-STS configuration: the DNS TXT record and the policy file published over HTTPS.

Enter only the domain name, for example domain.com, without the https:// prefix.


What does this MTA-STS check do?

The MTA-STS check shows whether a domain has Mail Transfer Agent Strict Transport Security configured. MTA-STS tells sending mail servers that email for the domain should be delivered over TLS to approved MX servers.

TXT record

MTA-STS starts with a DNS record at _mta-sts.example.com. The record contains the version and an id value.

Policy file

The actual policy is published at https://mta-sts.example.com/.well-known/mta-sts.txt.

mode

The policy mode can be none, testing or enforce. The strongest mode is enforce.

mx

mx lines define which MX hosts are valid for receiving mail under the MTA-STS policy.

Why does MTA-STS matter?

MTA-STS improves TLS protection for email transport. Without MTA-STS, a sending server may in some situations fall back to unencrypted SMTP delivery if TLS fails or is interfered with.

When MTA-STS is configured correctly and the mode is enforce, supporting sending servers know to require TLS and a valid MX host. MTA-STS complements SPF, DKIM, DMARC, DNSSEC and TLS settings.

How to interpret the result

A good result means that both the _mta-sts TXT record and the HTTPS policy file were found and that the policy is valid. testing is useful during rollout, but enforce provides stronger protection in production.

If the TXT record exists but the policy file cannot be fetched, MTA-STS is misconfigured. If the policy does not contain mx entries or a valid max_age value, the configuration should be fixed before enforcement.
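The checks described above can be run offline against a fetched TXT value and policy body. The following is an added example, not this tool's own code; the function names and sample values are constructed, and the id format, the max_age ceiling and the one-label wildcard rule are taken from RFC 8461 rather than from this page.

```python
import re

MAX_AGE_LIMIT = 31557600  # max_age ceiling in seconds (RFC 8461)

def parse_txt_record(txt):
    """Return the fields of the _mta-sts TXT record, or None if it is invalid."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    id_ok = re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", ""))
    return fields if fields.get("v") == "STSv1" and id_ok else None

def parse_policy(text):
    """Parse the policy file body; return (policy, list of problems)."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())  # mx may repeat
        else:
            policy.setdefault(key, value)       # first occurrence wins
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("none", "testing", "enforce"):
        problems.append("mode must be none, testing or enforce")
    age = policy.get("max_age", "")
    if not re.fullmatch(r"[0-9]{1,10}", age) or int(age) > MAX_AGE_LIMIT:
        problems.append("max_age missing or invalid")
    if policy.get("mode") != "none" and not policy["mx"]:
        problems.append("no mx entries")
    return policy, problems

def mx_allowed(host, patterns):
    """True if host matches an mx pattern; a leading '*.' covers exactly one label."""
    host = host.lower().rstrip(".")
    return any(
        host.partition(".")[2] == p[2:] if p.startswith("*.") else host == p
        for p in patterns)

# Constructed sample input (not taken from a real domain)
SAMPLE_TXT = "v=STSv1; id=20240101000000Z"
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\n"
                 "mx: *.mx.example.com\r\nmax_age: 604800\r\n")
```

Comparing each hostname returned by the domain's MX lookup with `mx_allowed` before switching to enforce shows which hosts the policy would reject.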

Frequently asked questions

Does MTA-STS replace DNSSEC or DANE?

No. MTA-STS is its own protection mechanism for email TLS transport. DANE/TLSA is a different model that relies on DNSSEC.

What does MTA-STS mode testing mean?

testing means the policy is in rollout/testing mode. It helps observe potential issues before moving the policy to enforce.

Can broken MTA-STS affect inbound email?

Yes. If the policy is in enforce mode but the MX hosts, certificates or policy file are wrong, some senders may refuse to deliver messages.