MTA-STS glossary

What does mode mean in an MTA-STS policy? (enforce vs testing vs none)

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

mode tells sending servers what to do when secure delivery to your domain can't be verified. testing delivers the mail anyway but reports the failure via TLS-RPT; enforce refuses to deliver unless the connection uses valid TLS to an MX matching your policy; none retires the policy. Only enforce actually protects mail in transit.

mode: at a glance
Tagmode
Valid valuestesting · enforce · none
DefaultRequired — every MTA-STS policy file must set a mode.
Where it goesOne key/value line in the mta-sts.txt policy file, e.g. mode: enforce

How mode: works

mode is the what-happens-on-failure switch. In testing, a sender that can't negotiate valid TLS to one of your listed MX hosts delivers the message anyway — and, if you've published TLS-RPT, sends you a report describing the failure. Nothing is ever blocked; it's pure monitor mode.

In enforce, that same sender refuses to deliver unless it gets a TLS connection with a valid certificate to an MX matching your policy. This is the only mode that actually stops an attacker from stripping STARTTLS or diverting mail to a rogue MX. none sits at the other end: it tells senders the policy is retired, and is how you decommission MTA-STS cleanly.

The none → testing → enforce ladder is the TLS mirror of DMARC's none → quarantine → reject: monitor first, enforce on evidence. It shares the same failure mode too — domains parked in testing forever, "MTA-STS enabled" on the audit sheet, zero actual protection. Testing is a rollout step, not a destination.

Correct record vs common mistake

Correct

version: STSv1
mode: enforce
mx: mail.yourdomain.com
max_age: 1209600

Full enforcement — senders refuse to deliver unless they get valid TLS to a listed MX. This is the mode that actually protects mail in transit.

Common mistake

version: STSv1
mode: testing
mx: mail.yourdomain.com
max_age: 86400

Fine for a rollout week — but parked here permanently, failures are only reported, never blocked. Testing forever is the MTA-STS version of DMARC p=none forever.

Troubleshooting mode:

IssueLikely causeFix
"MTA-STS enabled" but no actual protectionPolicy parked at mode: testing long after rolloutReview your TLS-RPT reports; once they're clean, switch to enforce and bump the DNS id
Mail delayed after moving to enforceAn MX isn't matched by any mx: line, or its certificate is invalid or expiredFix the mx pattern or certificate — senders typically retry before bouncing; if the fix will take days, step back to testing first
Switched modes but senders behave as beforeThe id in the _mta-sts DNS record wasn't changedBump the id — senders only refetch a cached policy when it changes

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Across a managed client base, mode: testing is the checkbox trap. Every domain "has MTA-STS," every audit passes, and not one connection is actually protected — an attacker who can strip STARTTLS can still read your clients' mail in transit. The protection you're selling only exists at enforce.

Trusted by MSPs

We increased our meetings booked by 21% and slept better at night knowing our emails are now secured
Marc-André CampagnaMarc-André Campagna CEO, gaiia (YC 2021)Read the case study →
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Getting parked in testing is exactly the failure Palisade exists to prevent. Palisade hosts each client's MTA-STS policy, watches the TLS reports, and advances every domain from testing to **enforce** once delivery is proven clean — most vendors just check the policy; Palisade runs it.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

testing delivers mail even when secure delivery fails and reports the failure; enforce refuses to deliver unless the connection uses valid TLS to a matching MX. Testing is visibility, enforce is protection.

Yes — same role in the rollout: monitor without blocking while you confirm nothing legitimate breaks. And the same trap: a domain left in testing indefinitely is unprotected the entire time.

Yes — once your TLS-RPT reports confirm senders reach your MX hosts over valid TLS. Enforce only affects delivery when TLS fails or the MX doesn't match your policy; with valid certificates and correct mx patterns, mail flows normally.

That the policy is retired — senders apply no MTA-STS requirements. It's used to wind MTA-STS down cleanly (publish mode: none, bump the DNS id, wait out the caches), not as a starting point.

Related terms

What is MTA-STS? SMTP security policy explained