Free MTA-STS Checker

Verify your domain's MTA-STS configuration in seconds. Check DNS records, policy files, TLS certificates, and MX host matching — all in one scan.

Free, no account required. Enter any domain to get started.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard defined in RFC 8461. It allows domain owners to declare that their mail servers support TLS encryption and that sending servers should refuse to deliver email over unencrypted connections. Without MTA-STS, even if your mail server supports TLS, a man-in-the-middle attacker can downgrade the connection to plaintext and intercept messages.

SMTP was designed in an era before encryption was standard. Opportunistic TLS (STARTTLS) was added later, but it is vulnerable to downgrade attacks because there is no way for a sending server to know in advance whether the receiving server requires encryption. MTA-STS solves this by publishing a policy that tells senders: “Only deliver to these MX hosts, and only over a verified TLS connection.”

The protocol works through two components: a DNS TXT record at _mta-sts.yourdomain.com that signals MTA-STS support and contains a policy ID, and an HTTPS-hosted policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt that specifies the allowed MX hosts, the policy mode, and a max_age value.

MTA-STS is particularly important for organizations handling sensitive communications — financial services, healthcare, legal, and government sectors — where email confidentiality is a compliance requirement. Combined with TLS-RPT (TLS Reporting), you get both enforcement and visibility into delivery encryption across all senders.

What this checker verifies

Our MTA-STS checker performs a comprehensive scan of your domain's configuration and reports issues with clear explanations.

DNS Record Validation

Verifies that your _mta-sts TXT record exists, is correctly formatted, and contains a valid version and mode (testing, enforce, or none).

Policy File Check

Fetches your MTA-STS policy file from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt and validates its syntax, version, mode, max_age, and listed MX hosts.

TLS Configuration

Confirms that the policy file is served over HTTPS with a valid, non-expired TLS certificate and correct content type.

MX Matching

Cross-references the MX hosts listed in your policy file against your actual DNS MX records to ensure they match, preventing delivery failures.

How to set up MTA-STS

Setting up MTA-STS requires a DNS record and a publicly hosted policy file. Here is the process step by step.

1. Create your MTA-STS policy file

Write a plain text file defining your policy version, mode (start with "testing"), max_age, and the MX hosts that should receive email for your domain.

2. Host the policy file over HTTPS

Serve the file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with a valid TLS certificate. The subdomain must resolve and the certificate must cover it.

3. Add the DNS TXT record

Publish a TXT record at _mta-sts.yourdomain.com with the value "v=STSv1; id=YYYYMMDDHHMMSS". Update the id whenever you change your policy.

4. Monitor and enforce

Watch for TLS-RPT reports to confirm senders can connect securely. Once confident, change the mode from "testing" to "enforce" to require encrypted delivery.

Why use MailShield for MTA-STS?

The biggest barrier to MTA-STS adoption is the requirement to host a policy file on a dedicated subdomain with a valid HTTPS certificate. For many organizations, spinning up a web server just for a single text file is impractical, especially when managing dozens or hundreds of domains.

MailShield eliminates this entirely. We host your MTA-STS policy for you. Just add two DNS records — a CNAME for the mta-sts subdomain and a TXT record — and MailShield handles the HTTPS certificate, policy file serving, and ongoing monitoring automatically.

  • Fully hosted MTA-STS policy - no web server needed on your end
  • Automatic HTTPS certificate provisioning and renewal
  • Start in testing mode and upgrade to enforce when you are ready
  • Continuous monitoring with alerts when configuration drifts
  • Combined with TLS-RPT reporting for complete encryption visibility
  • Manage MTA-STS across all your domains from a single dashboard

Protect your email with MTA-STS

Get hosted MTA-STS, continuous monitoring, and complete email security coverage. Free plan includes 2 domains with all protocol checks.