MTA-STS
Use our MTA-STS Lookup tool to verify your domain’s MTA-STS DNS record and HTTPS policy, ensuring emails are transmitted securely over TLS and protected from interception or downgrade attacks
MTA-STS Lookup - Check and Validate Mail Transport Security Policy
Use our free MTA-STS Lookup Tool to check and validate your domain’s Mail Transfer Agent Strict Transport Security (MTA-STS) policy. Ensure your mail servers are securely configured to enforce encrypted email delivery (TLS) and prevent downgrade or interception attacks.
Simply enter your domain name (e.g., example.com) and instantly analyze the MTA-STS DNS record and HTTPS policy file for any configuration issues.
What is MTA-STS (Mail Transfer Agent Strict Transport Security)?
Purpose of MTA-STS in Email Security
MTA-STS, short for Mail Transfer Agent Strict Transport Security, is a critical email security protocol designed to ensure that emails sent to your domain are always transmitted securely using TLS encryption. It allows domain owners to declare that their mail servers support encrypted connections and require strict security policies for inbound mail.
How MTA-STS Protects Your Emails from MITM and Downgrade Attacks
Without MTA-STS, attackers can exploit vulnerabilities in SMTP by forcing servers to fall back to plaintext connections. MTA-STS prevents these man-in-the-middle (MITM) and downgrade attacks by enforcing strict encryption requirements. If a secure connection cannot be established, the message delivery is aborted, keeping your communication safe.
Difference Between MTA-STS and STARTTLS
While STARTTLS upgrades an unencrypted connection to TLS, it is opportunistic and can be stripped by an active attacker on the path, leaving the session in plaintext. MTA-STS, on the other hand, requires that sending servers use TLS and verify the receiving server's certificate before delivering email. This makes MTA-STS a stronger and more reliable layer of email transport security.
Why MTA-STS Matters for Your Domain
Ensures Secure TLS Communication Between Mail Servers
MTA-STS enforces TLS encryption for all inbound email in transit between mail servers, making sure messages are transmitted only through secure, certificate-validated channels.
Prevents Unauthorized Mail Interception
It stops cybercriminals from intercepting or reading sensitive messages by enforcing strict TLS validation during delivery.
Improves Email Deliverability and Domain Reputation
Domains with properly implemented MTA-STS gain higher trust from other mail servers and providers, which helps reduce spam issues and increase deliverability rates.
How Does MTA-STS Work?
Step 1: Publish MTA-STS TXT Record in DNS
The first step is to add a TXT record in your domain’s DNS under the subdomain:
_mta-sts.yourdomain.com.
This record announces that your domain supports MTA-STS and provides a unique policy ID.
Example:
_mta-sts.example.com. IN TXT "v=STSv1; id=20241010T120000Z;"
Step 2: Host Policy File on HTTPS Endpoint
Next, you must host a policy file at: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
This file specifies your policy settings, including mode, MX hosts, and max_age.
Example policy file:
version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800
Step 3: Sending Servers Enforce the Policy for TLS Connections
When another mail server sends an email to your domain, it checks:
- The DNS TXT record for MTA-STS support
- The HTTPS policy file for encryption rules
- The MX hosts allowed for delivery
If the requirements aren’t met, the email delivery is aborted, keeping your mail flow strictly secure.
How to Use HasheTools’ MTA-STS Lookup Tool
Step-by-Step Process
- Enter your domain name (e.g., example.com).
- Click “Validate MTA-STS”.
- Our tool will query both the DNS TXT record and the HTTPS policy file.
- You’ll instantly get results with:
  - MTA-STS DNS record details
  - Policy file status and content
  - Configuration warnings and suggestions
What the Tool Checks
Our MTA-STS validator runs a complete analysis to ensure your setup complies with standards:
- Checks if the _mta-sts TXT record is published correctly
- Validates the syntax and version (STSv1)
- Fetches the policy file from HTTPS
- Ensures the file’s mode, MX hosts, and max_age are properly defined
- Detects common configuration issues or mismatched records
By using this tool, you can quickly find and fix any MTA-STS misconfigurations that may compromise your email transport security.
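The three steps above and the checks listed under "What the Tool Checks" come down to the same procedure: parse the `_mta-sts` TXT record, parse the policy file, and confirm that every MX host in DNS is covered by an `mx` pattern. The following Python is an added example, not HasheTools' code or a description of how their tool is built. It works entirely on constructed sample data (the TXT record, policy file and MX host list are embedded inline), so it runs offline; the `validate` function, the one-day `max_age` warning threshold and the "refuse"/"deliver-and-report" labels are this example's own choices, while the syntax rules and wildcard matching follow RFC 8461.

```python
"""Added example (not HasheTools' code): parse an MTA-STS TXT record and
policy file, then check DNS MX hosts against the policy as a sending MTA
or lookup tool would, following RFC 8461. All inputs are constructed."""
import re

# Constructed sample inputs (what a lookup tool would fetch over DNS/HTTPS).
SAMPLE_TXT = 'v=STSv1; id=20241010T120000Z;'
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""
SAMPLE_MX_HOSTS = ["mail.example.com", "mx2.backup.example.com"]

STS_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")   # RFC 8461 sts-id syntax
MAX_AGE_LIMIT = 31557600                           # RFC 8461 ceiling (one year)


def parse_txt_record(txt: str) -> dict:
    """Parse 'v=STSv1; id=...' into a dict; raise ValueError on bad syntax."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0] != "v=STSv1":
        raise ValueError("record must begin with v=STSv1")
    fields = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        fields[key] = value
    if not STS_ID_RE.match(fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text: str) -> dict:
    """Parse the 'key: value' policy file; 'mx' may repeat, other keys are kept."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    try:
        max_age = int(policy.get("max_age", ""))
    except ValueError:
        raise ValueError("max_age must be an integer number of seconds") from None
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be between 0 and {MAX_AGE_LIMIT}")
    policy["max_age"] = max_age
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("an active policy needs at least one mx pattern")
    return policy


def mx_matches(host: str, pattern: str) -> bool:
    """RFC 8461 matching: '*.example.com' covers exactly one leading label,
    so it matches 'mx.example.com' but not 'example.com' or 'a.b.example.com'."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return host == pattern


def delivery_decision(mode: str, mx_covered: bool, tls_ok: bool) -> str:
    """What a sending MTA does with one MX under each policy mode (labels are ours)."""
    if mode == "none" or (mx_covered and tls_ok):
        return "deliver"
    # testing: deliver anyway but record the failure; enforce: do not use this MX
    return "deliver-and-report" if mode == "testing" else "refuse"


def validate(txt: str, policy_text: str, dns_mx_hosts: list) -> list:
    """Cross-check record, policy and DNS MX hosts; return a list of warnings."""
    warnings = []
    parse_txt_record(txt)                          # raises on a bad record
    policy = parse_policy(policy_text)
    if policy["mode"] != "enforce":
        warnings.append(f"mode is {policy['mode']}: TLS failures will not block delivery")
    if policy["max_age"] < 86400:                  # threshold is this example's choice
        warnings.append("max_age under one day: senders will drop the policy quickly")
    if policy["mode"] != "none":
        for host in dns_mx_hosts:
            if not any(mx_matches(host, p) for p in policy["mx"]):
                warnings.append(f"MX host {host} matches no mx pattern; "
                                f"enforce mode would refuse delivery through it")
    return warnings


if __name__ == "__main__":
    for w in validate(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX_HOSTS) or ["no issues found"]:
        print(w)
```

The wildcard rule is the part most often got wrong by hand: `*.example.com` does not cover `example.com` itself, so a bare-apex MX needs its own `mx:` line. Running `validate` with an MX host that no pattern covers produces the "matches no mx pattern" warning, which is exactly the failure that causes an enforce-mode sender to refuse delivery.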
Example MTA-STS Record and Policy File
Example DNS TXT Record
_mta-sts.example.com. IN TXT "v=STSv1; id=20241010T120000Z;"
Example HTTPS Policy File
version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800
MTA-STS Modes Explained
- none: A policy is published but not active; sending servers apply no TLS requirements. This mode is used to retire a policy rather than to test one.
- testing: Sending servers check policy, but still deliver emails even if validation fails.
- enforce: Strict policy enforcement; emails are delivered only over valid TLS connections.
Benefits of Implementing MTA-STS
Prevents Email Spoofing and Downgrade Attacks
By enforcing encrypted, certificate-validated connections, MTA-STS prevents attackers from impersonating your domain's mail servers or forcing insecure transmission.
Enhances Encryption Consistency Across Mail Servers
Ensures that all emails to your domain are consistently protected with valid TLS encryption, no exceptions.
Builds Trust with Business and Enterprise Email Systems
Modern organizations and ESPs recognize MTA-STS compliance as a sign of strong domain security, boosting sender reputation.
Works Alongside DMARC, SPF, and DKIM
MTA-STS complements existing authentication standards:
- SPF verifies the sender source
- DKIM ensures message integrity
- DMARC enforces alignment
- MTA-STS guarantees secure transmission
Together, they create a robust email security framework.
Troubleshooting Common MTA-STS Issues
DNS Record Not Found or Invalid
Ensure your _mta-sts TXT record is live and publicly accessible.
You can test it using HasheTools’ DNS Lookup Tool before running MTA-STS validation.
Policy File Not Accessible via HTTPS
The policy file must be served over HTTPS with a valid SSL/TLS certificate and no redirects.
Make sure the file path is correct:
https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
MX Host Mismatch Between Policy and DNS
Your MTA-STS policy’s MX entries must match the MX records in your DNS. If they differ, sending servers may reject email delivery.
TLS Certificate Validation Errors
Always use valid and trusted SSL certificates on your mail servers and MTA-STS host. Self-signed or expired certificates can cause delivery failures.
Test Your MTA-STS Configuration Now
Implementing MTA-STS is an essential step toward securing your organization’s email infrastructure. It ensures all incoming emails use encrypted, verified connections, protecting against interception, spoofing, and delivery risks.
The HasheTools MTA-STS Lookup Tool makes it effortless to check, validate, and analyze your domain’s MTA-STS configuration in seconds.
Stay proactive with your email security, test your setup today, and ensure your domain’s mail transport remains fully protected and compliant.
Frequently Asked Questions About MTA-STS
Do I Need Technical Expertise to Configure MTA-STS?
Basic DNS and web server management skills are enough. If you manage your own mail domain or hosting, you can easily publish MTA-STS records following our examples.
Can I Use MTA-STS with Gmail or Office 365?
Yes. Major email providers like Google Workspace and Microsoft 365 fully support MTA-STS. You can configure your domain to comply with it and improve the trustworthiness of its email.
How Often Should I Update My Policy ID?
Whenever you make changes to your MX records or policy file, update the policy ID in your _mta-sts TXT record. This notifies sending servers to refresh their cached version.
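Why the policy ID matters follows from how senders cache a policy: a sending server keeps the fetched policy for `max_age` seconds and only refetches it early when the `id` in the TXT record changes. The following Python is an added example, not HasheTools' code or any real MTA's implementation. It simulates that caching behaviour with constructed values for time, the TXT record id and the fetch results; the action names ("fetch", "use-cache", "no-policy") and the two-scenario simulation are this example's own, while the rules (unchanged id and unexpired cache means no refetch; a failed fetch keeps an unexpired cache in force) follow RFC 8461 section 3.3.

```python
"""Added example (not HasheTools' code): simulate how a sending MTA caches an
MTA-STS policy and decides when to refetch it (RFC 8461, section 3.3). Time
and the DNS/HTTPS results are constructed values passed in as arguments."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CachedPolicy:
    policy_id: str      # id seen in the _mta-sts TXT record when fetched
    mode: str
    max_age: int        # seconds the policy may be used after fetched_at
    fetched_at: int     # simulated epoch seconds


def cache_is_valid(cache: Optional[CachedPolicy], now: int) -> bool:
    return cache is not None and now < cache.fetched_at + cache.max_age


def next_action(cache: Optional[CachedPolicy], dns_id: Optional[str], now: int) -> str:
    """Decide what the sender does before a delivery attempt.
    dns_id is the id from the TXT record, or None if no record was found."""
    valid = cache_is_valid(cache, now)
    if dns_id is None:
        # No TXT record: keep honouring an unexpired cached policy, else no policy.
        return "use-cache" if valid else "no-policy"
    if valid and dns_id == cache.policy_id:
        return "use-cache"                # id unchanged: no HTTPS fetch needed
    return "fetch"                        # new id, or cache expired/missing


def after_fetch(cache: Optional[CachedPolicy], dns_id: str,
                fetched: Optional[dict], now: int) -> Optional[CachedPolicy]:
    """Update the cache after an HTTPS fetch. `fetched` is the parsed policy
    (a dict with mode and max_age) or None when the fetch failed."""
    if fetched is not None:
        return CachedPolicy(dns_id, fetched["mode"], fetched["max_age"], now)
    # Fetch failed: an unexpired cached policy stays in force; otherwise the
    # domain is treated as having no MTA-STS policy.
    return cache if cache_is_valid(cache, now) else None


def simulate_policy_update(bump_id: bool) -> list:
    """Scenario: the operator switches the policy file from testing to enforce
    on day 2, with or without bumping the TXT id. Returns the sender's actions
    on day 0 and day 2, the mode it applies on day 2, and its action on day 10."""
    day = 86400
    old = {"mode": "testing", "max_age": 7 * day}   # constructed policies
    new = {"mode": "enforce", "max_age": 7 * day}
    cache = None
    actions = []
    # day 0: first contact with the domain
    action = next_action(cache, "id001", 0)
    actions.append(action)
    cache = after_fetch(cache, "id001", old, 0)
    # day 2: policy file now says enforce; TXT id bumped or not
    dns_id = "id002" if bump_id else "id001"
    action = next_action(cache, dns_id, 2 * day)
    actions.append(action)
    if action == "fetch":
        cache = after_fetch(cache, dns_id, new, 2 * day)
    actions.append(cache.mode)            # mode the sender applies on day 2
    # day 10: the day-0 cache has expired, so a refetch happens either way
    actions.append(next_action(cache, dns_id, 10 * day))
    return actions


if __name__ == "__main__":
    print("id bumped:    ", simulate_policy_update(True))
    print("id unchanged: ", simulate_policy_update(False))
```

The two runs show the practical consequence: with the id bumped, senders pick up the new enforce policy on day 2; with the id left alone, they keep applying the cached testing policy until `max_age` runs out, so a change to the policy file alone is invisible to senders for up to a week here.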
What Happens If My Policy File Is Misconfigured?
If the policy file is missing or invalid, emails might fail to deliver to your domain under “enforce” mode. Always validate your setup using the HasheTools MTA-STS Lookup Tool after any change.