MTA-STS Check

Validate MTA-STS (Mail Transfer Agent Strict Transport Security) configuration for a domain.

MTA-STS enforces TLS encryption for inbound mail delivery, protecting against man-in-the-middle attacks and downgrade attacks on email transport.

What is MTA-STS?

MTA-STS (RFC 8461) is a mechanism that enables mail service providers to:

Declare TLS support: Indicate that they support TLS for mail transport
Enforce encryption: Require senders to use TLS when delivering mail
Prevent downgrade attacks: Protect against attackers stripping TLS from connections

MTA-STS Components

DNS Record: A TXT record at _mta-sts.{domain} announcing MTA-STS support
Policy File: A text file at https://mta-sts.{domain}/.well-known/mta-sts.txt
Policy Modes:
- none - MTA-STS is disabled
- testing - Report failures but don't reject mail
- enforce - Reject mail that can't be delivered over TLS

Related Tools

TLS-RPT Check - Receive reports about TLS failures (companion standard)
DANE/TLSA Check - Alternative TLS enforcement via DNSSEC
MX Lookup - Find mail servers for a domain
SMTP Check - Test mail server connectivity and TLS
SSL Check - Verify TLS certificate