SecurityStatus

MTA-STS

MTA-STS (Mail Transfer Agent Strict Transport Security) lets your domain publish a policy requiring that email sent to it be delivered over encrypted, authenticated TLS connections. Without it, sending mail servers may fall back to unencrypted SMTP or accept connections with invalid certificates, exposing email to interception.

What SecurityStatus Checks

  • Whether an MTA-STS policy file is served at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  • Whether the _mta-sts DNS TXT record exists and points to the policy
  • Policy mode — testing, enforce, or none
  • Whether the policy lists the correct MX hosts
  • TLS-RPT record for receiving failure reports

Why This Matters

Without MTA-STS, a network attacker between two mail servers can strip TLS encryption (a STARTTLS downgrade attack) and read or modify email in transit. This is particularly dangerous for business emails containing confidential information or password reset links.

How to Fix It

  1. Create the MTA-STS policy file

     Create a file at /.well-known/mta-sts.txt on a web server reachable over HTTPS at mta-sts.yourdomain.com. Content example:

         version: STSv1
         mode: testing
         mx: mail.yourdomain.com
         max_age: 86400

  2. Add the _mta-sts DNS record

     Add a TXT record: _mta-sts.yourdomain.com TXT "v=STSv1; id=20240101000000". The id value is a timestamp or version string. Update it whenever you change the policy, because sending servers only re-fetch a cached policy when the id changes or max_age expires.

  3. Start in testing mode

     Start with `mode: testing` in your policy file. In testing mode, sending servers report failures but still deliver email. Review TLS-RPT reports before enforcing.

  4. Move to enforce mode

     After confirming your MX servers support TLS correctly, change `mode: testing` to `mode: enforce` and update the id timestamp. Sending servers will now refuse delivery over non-TLS or unauthenticated connections.
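As an added illustration (example code, not SecurityStatus's own checker), the following Python script mirrors the consistency checks a deployment needs after the steps above: it parses a constructed mta-sts.txt policy and _mta-sts TXT record, validates the mode, max_age and id syntax, and confirms that every MX host is covered by an mx pattern using RFC 8461's one-label wildcard rule. The example.com inputs and function names are constructed for this example.

```python
import re
# Constructed sample inputs for this example (not fetched from any real domain).
POLICY_TXT = "version: STSv1\nmode: testing\nmx: mail.example.com\nmx: *.backup.example.com\nmax_age: 86400\n"
DNS_TXT = "v=STSv1; id=20240101000000"
MX_HOSTS = ["mail.example.com", "mx2.backup.example.com", "relay.other.net"]

def parse_policy(text):
    """Parse the key: value lines of mta-sts.txt into a dict; 'mx' collects a list."""
    policy = {"mx": []}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def parse_dns_record(txt):
    """Parse the _mta-sts TXT record ("v=STSv1; id=...") into a dict of its fields."""
    parts = (p.strip() for p in txt.split(";"))
    return dict(p.split("=", 1) for p in parts if "=" in p)

def mx_matches(host, pattern):
    """RFC 8461 MX matching: exact match, or '*.' standing for exactly one leading label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def check(policy_text, dns_txt, mx_hosts):
    """Return a list of problems; an empty list means policy, DNS record and MX set agree."""
    problems, policy, dns = [], parse_policy(policy_text), parse_dns_record(dns_txt)
    if policy.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    if policy.get("mode") not in ("testing", "enforce", "none"):
        problems.append(f"invalid mode {policy.get('mode')!r}")
    if not policy["mx"] and policy.get("mode") != "none":
        problems.append("policy lists no mx hosts")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > 31557600:
        problems.append("max_age must be an integer of at most 31557600 seconds")
    if dns.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", dns.get("id", "")):
        problems.append("DNS record needs v=STSv1 and an alphanumeric id of 1-32 chars")
    for host in mx_hosts:  # every real MX host must be covered by some mx pattern
        if not any(mx_matches(host, pat) for pat in policy["mx"]):
            problems.append(f"MX host {host} not covered by policy")
    return problems
```

Running `check(POLICY_TXT, DNS_TXT, MX_HOSTS)` flags only relay.other.net, the one MX host the sample policy would make unreachable once the mode is switched to enforce.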

Frequently Asked Questions

Is MTA-STS the same as STARTTLS?
No. STARTTLS is the mechanism for upgrading an SMTP connection to TLS, but it can be stripped by an attacker. MTA-STS enforces that the upgrade must happen with a valid certificate, preventing downgrade attacks.
Do I need both MTA-STS and TLS-RPT?
MTA-STS is the policy; TLS-RPT is the reporting mechanism. You should deploy both together so you can receive reports about delivery failures that occur when enforcing your MTA-STS policy.
Does MTA-STS protect all email?
MTA-STS protects email in transit between mail servers (SMTP). It does not protect email that is already stored on servers or email in transit from a user's mail client to their mail server.
