MTA-STS Record Checker
Check any domain's MTA-STS policy and TLS-RPT record — see the enforcement mode, allowed mail servers, and whether inbound email is protected from downgrade attacks. Free, no signup.
What is an MTA-STS record?
MTA-STS is the standard that upgrades email-in-transit encryption from “use TLS if you can” to “use TLS or don't deliver.” It combines a DNS TXT record at _mta-sts.yourdomain.com with a policy file hosted over HTTPS that names your mail servers and an enforcement mode. Sending servers that support MTA-STS — including Gmail and Microsoft 365 — fetch that policy and refuse to hand your mail to an impostor server or over a stripped connection. Pair it with DMARC and a BIMI record for a complete inbound-and-outbound email security posture, and read the full guide to MTA-STS.
Email authentication knowledge base
Every tag in an MTA-STS deployment and its TLS-RPT companion, explained.
- vVersion (DNS record)
- The version tag in the _mta-sts TXT record. It must be set to ‘STSv1’. If it is missing or wrong, receivers ignore the record and never fetch your policy file.
- idPolicy identifier
- A unique string in the _mta-sts TXT record (commonly a timestamp like 20240419T120000). Whenever you change the hosted policy file, you must also change the id so senders know to re-fetch it. Reusing an old id means caches keep serving your previous policy.
- modeEnforcement mode
- Set in the policy file. ‘testing’ reports TLS problems but still delivers mail if TLS fails or the certificate is invalid — the safe first step. ‘enforce’ tells sending servers to refuse delivery unless they can make a valid, authenticated TLS connection to a listed MX. ‘none’ withdraws the policy.
- mxAllowed mail servers
- One or more mx lines in the policy file listing the mail-server hostnames allowed to receive your mail, e.g. mail.example.com or a wildcard like *.example.net. They should match your published MX records. A sending server only enforces TLS against hosts on this list.
- max_agePolicy lifetime
- How long (in seconds) senders may cache your policy, in the policy file. A common value is 604800 (one week). Longer caching is more resistant to downgrade attacks but makes changes propagate slowly; start lower while testing, then raise it once the policy is stable.
- ruaTLS-RPT report address
- In the companion _smtp._tls TXT record (v=TLSRPTv1), rua is where receivers send daily TLS reporting — a mailto: or https: destination. These reports reveal how often mail to your domain fails TLS, which is how you gain the confidence to move MTA-STS from testing to enforce.