HomeEmail ToolsMTA-STS Lookup
Email Tool

MTA-STS Lookup

Check your MTA-STS DNS record and policy file to verify that inbound SMTP TLS enforcement is correctly configured. Confirm policy mode, MX hostname coverage, and TLS certificate alignment.

Checks DNS
_mta-sts TXT Record
v=STSv1 with unique id value
Fetches Policy
mta-sts.txt File
Validates mode, MX list, and max_age.
Why MTA-STS Matters
Standard STARTTLS can be silently stripped by a man-in-the-middle attacker. MTA-STS mandates TLS encryption for all inbound mail, eliminating downgrade attacks entirely.
MTA-STS Lookup — Start Here
Waiting for input
Enter input and press Check
How to Use

Use MTA-STS Lookup in 4 Steps

01
Enter your domain
Type the domain you want to check MTA-STS for, e.g. example.com.
02
Run MTA-STS Lookup
We check your _mta-sts TXT record and fetch your policy file from the well-known URL.
03
Review policy mode
Confirm the mode is testing or enforce, and all MX hostnames are listed in the policy.
04
Fix and re-verify
Apply corrections to your policy file or DNS record, then re-run to confirm alignment.

What is MTA-STS Lookup?

MTA-STS Lookup checks your _mta-sts DNS TXT record and fetches your policy file from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt to verify that your inbound SMTP TLS enforcement is correctly configured. Use this tool to confirm that your policy file is reachable, your MX hostnames are listed, and your MX server certificates match your published policy.

Why Opportunistic TLS Is Not Enough

Email sent over SMTP has a fundamental security flaw that SPF and DKIM do not address. When one mail server connects to another, the receiving server says "I support STARTTLS." The sending server sees this and upgrades the connection to encrypted TLS. However, because this happens mid-stream, it is vulnerable to a Man-in-the-Middle (MITM) attack.

An attacker sitting on the network between the two servers can strip the STARTTLS command from the conversation. The sending server then believes the receiver does not support encryption and falls back to plain-text delivery. This is known as a Downgrade Attack. The email is delivered successfully, so the user sees no error, but the attacker has intercepted the message in clear text.

  • Passive Eavesdropping: Without forced TLS, any actor with access to internet backbone routers can read your business communications in bulk.
  • DNS Spoofing: An attacker can redirect your MX traffic to their own server. Without MTA-STS, the sending server might accept a fake certificate and deliver mail to the attacker.
  • Legacy Fallback: Many mail servers emphasize delivery at all costs over security, meaning they will always choose unencrypted delivery over a failed handshake unless explicitly told otherwise.

MTA-STS (RFC 8461) eliminates this opportunistic behavior. It provides a mechanism for a domain owner to publish a policy that officially declares: "My mail servers always support TLS, and you should reject the email if you cannot establish a secure, verified connection."

How MTA-STS Works: Dual-Layer Verification

MTA-STS works by providing a trusted source of truth outside of the SMTP handshake itself. It uses two distinct components: a DNS TXT Record and an HTTPS Policy File. The DNS record signals that a policy exists, but the actual security rules are fetched over a secure HTTPS connection to a specific subdomain (mta-sts.yourdomain.com). This dual-layer approach prevents an attacker from simply spoofing your DNS to disable your security.

The MTA-STS Verification Flow:
1. Sender queries DNS for _mta-sts.example.com TXT record.
2. Sender fetches policy from https://mta-sts.example.com/.well-known/mta-sts.txt.
3. Sender verifies your MX server's TLS certificate against the listed hostnames.
4. If the certificate is invalid or missing, the sender blocks the delivery.

The Strict part of MTA-STS comes from the Max Age parameter in the policy file. This tells the sender how long to remember your security rules. Once a sender like Google Workspace caches your Enforce policy, if an attacker tries to perform a downgrade attack tomorrow, Google will remember that you must have TLS. It will see the missing STARTTLS command, realize it is an attack, and stop the delivery.

Policy Configuration: Modes, Syntax, and Host Verification

The heart of your deployment is the mta-sts.txt policy file, which must be hosted at: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

The file must be served with a text/plain MIME type and must be accessible over a valid, CA-signed HTTPS connection.

Policy ModeBehavior on Certificate FailureRecommendation
noneEffectively disables the policyUse only during decommissioning
testingDelivers mail, but sends a failure reportStart here for at least 2 weeks
enforceRejects delivery if TLS or cert failsFinal state for all secure domains

Never jump straight to Enforce mode without first observing your traffic in Testing mode. The Testing mode allows you to catch certificate mismatches or legacy sender issues before they cause actual bounces.

; Example MTA-STS Policy File (mta-sts.txt):
version: STSv1
mode: testing
mx: mail.example.com
mx: *.example.com
max_age: 86400

The policy syntax requires an mx tag for every authorized mail server. These are the hostnames the sender will look for in your TLS certificate Subject Alternative Name (SAN) field. If your MX is mail.example.com but your certificate is only for example.com, MTA-STS will fail. You can use wildcards (like *.example.com) to cover multiple servers.

TLS-RPT: The Essential Reporting Companion

MTA-STS is practically blind without its companion record: TLS-RPT (TLS Reporting). While MTA-STS tells senders what to do, TLS-RPT tells them where to report failures. If a sender tries to deliver an encrypted email but your certificate fails the MTA-STS check, you would never know why the mail was missing without TLS-RPT. The sender will send you a daily JSON report detailing successful and failed connections.

The TLS-RPT record is a DNS TXT record placed at _smtp._tls.yourdomain.com:

# Example TLS-RPT DNS record:
_smtp._tls.yourdomain.com  TXT  "v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com"

Deploy TLS-RPT before you even create your MTA-STS policy. It will show you your current Opportunistic TLS success rate immediately, giving you a baseline before you move to enforce mode.

MTA-STS vs. DANE

FeatureMTA-STS (RFC 8461)DANE (RFC 7671)
Trust ModelWeb PKI (Certificate Authorities)DNSSEC (Self-Published)
PrerequisiteHTTPS Web ServerDNSSEC Signed Zone
Primary SupportGoogle, Microsoft, YahooPostfix, Exim, European Govs
Failure ResultBlocks plain-text fallbackBlocks unverified certs

DANE is technically more secure because it does not rely on the CA system, but MTA-STS is more practically secure because it is supported by the major email providers that handle the bulk of the world's traffic. Google and Microsoft both fully support MTA-STS for their hosted mail products, but neither currently supports DANE for inbound mail. If you have a perfectly signed DNSSEC zone, you should implement both — they are not mutually exclusive.

Implementation and Verification Workflow

Deploying MTA-STS is a four-step process:

  1. Ensure your MX server's TLS certificate is valid and covers its own hostname.
  2. Create the mta-sts subdomain and host your mta-sts.txt policy file.
  3. Publish your _mta-sts DNS TXT record with a unique id.
  4. Observe TLS-RPT reports for at least 14 days before switching to Enforce mode.
# Verify your policy file is reachable and correct:
curl -v https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

# Expected response:
# < HTTP/1.1 200 OK
# < Content-Type: text/plain; charset=utf-8
# version: STSv1
# mode: testing
# mx: mail.example.com
# max_age: 86400

# Verify your DNS TXT record is live:
dig TXT _mta-sts.yourdomain.com +short
# Expected: "v=STSv1; id=20240101000000"

Common deployment failures come from the bootstrap nature of the standard. If your mta-sts subdomain has an expired SSL certificate, the sender cannot fetch the policy to know that your mail server is valid. Monitor the SSL for your web server at mta-sts.yourdomain.com as diligently as you monitor your mail server's certificate — a single expired web certificate can block all of your inbound corporate email.

For Google Workspace or Office 365, the process is simplified: the mail servers are already secured. You just need to point your policy hostnames to the respective cloud endpoints (e.g., *.aspmx.l.google.com). Leave your policy in Testing mode for at least 14 days of clean reports before committing to Enforce.

Frequently Asked Questions

Does MTA-STS protect my outgoing email?
No. MTA-STS is an inbound security policy. It tells other mail servers how to send mail to you. To protect the mail you send out to others, your mail server must support STARTTLS on its outbound connections, and your partners should implement their own MTA-STS or DANE policies. Security in SMTP is a step-by-step agreement between two parties.
Can I use a wildcard certificate for my MTA-STS subdomain?
Yes, as long as it covers mta-sts.yourdomain.com. However, the MX hostnames listed inside the policy file also need their certificates checked. If you use a wildcard like *.yourdomain.com on your mail server, it will pass the MTA-STS check as long as the hostname matches the pattern.
What is the risk of jumping straight to Enforce mode?
The risk is a total mail outage. If you have a single legacy sender that does not support TLS, or if your certificate has a small error you did not notice, those emails will be rejected and bounce. Testing mode allows you to see these failures in your TLS-RPT reports without actually losing messages. Always stay in Testing mode for at least 14 days before switching to Enforce.
Why do I need a separate DNS record if the policy is in a file?
Performance and signaling. A mail server does not want to perform an HTTPS fetch for every single email it sends. The DNS record contains an id value. The mail server caches the policy and only re-fetches it when it sees that the id in your DNS has changed. This minimizes the load on your web server and speeds up mail delivery significantly.
Can I host the policy file on a CDN or S3 bucket?
Yes, as long as the CDN is configured to serve the file on the mta-sts subdomain with the correct /.well-known/ path and the text/plain MIME type. Many companies use AWS S3 with CloudFront to host their MTA-STS policy, as it provides high availability and automatic SSL management.
Is MTA-STS required for Google and Yahoo bulk sender compliance?
Not currently. The 2024/2025 bulk sender requirements focus on SPF, DKIM, and DMARC. However, MTA-STS is considered the next level of compliance and is highly recommended by security professionals as part of a complete Zero Trust email strategy. Implementing it now is low-risk and future-proofs your inbound mail security.
MTA-STS Record Location
_mta-sts.
yourdomain.com
TXT record with v=STSv1; id=...
Policy File URL
https://mta-sts.
yourdomain.com/
.well-known/
mta-sts.txt
Must return text/plain via HTTPS
Policy Modes
testing — reports failures, delivers mail
enforce — rejects on TLS failure
none — policy is disabled
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.