MTA-STS Policy Checker (Mode, Max-Age, MX Match)
Test your MTA-STS policy, TLS requirements, and hosting configuration. Get copy-ready policy files and deployment instructions.
Why MTA-STS Matters
MTA-STS (Mail Transfer Agent Strict Transport Security) enforces TLS encryption for email delivery, preventing downgrade attacks.
TLS Enforcement
Requires encrypted connections for email delivery
Attack Prevention
Prevents TLS downgrade and man-in-the-middle attacks
Certificate Validation
Validates MX host certificates against policy
Reporting
Works with TLS-RPT for delivery insights
Policy File
version: STSv1
mode: enforce
mx: mail.example.com
max_age: 86400
Common MTA-STS Errors
Issues that prevent proper MTA-STS implementation.
Policy File Not Found (404)
The policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt is not accessible.
Certificate Mismatch
The domain's MX hosts don't match their TLS certificates or the mx entries in the policy.
Short Max-Age
Max-age under 86400 (1 day) reduces policy effectiveness.
MTA-STS Deployment Guide
Step-by-step setup for MTA-STS implementation
Step 1: Create DNS Record
Add this TXT record to _mta-sts.yourdomain.com:
Step 2: Host Policy File
Create https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:
version: STSv1
mode: testing
mx: mail.yourdomain.com
max_age: 86400
Step 3: Test & Monitor
Use testing mode initially, then upgrade to enforce mode after validation.
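An offline version of the Step 3 validation, added here as an example (it is not this checker's own code): it parses a policy file and reports the mode, max-age and MX-match problems described under Common MTA-STS Errors. The function names, the sample MX hosts and the message wording are assumptions; the TXT record form, the allowed mode values and the 31557600 ceiling follow RFC 8461.

```python
import re

MIN_MAX_AGE = 86400      # the page's "short max-age" threshold (1 day)
RFC_MAX_AGE = 31557600   # largest max_age RFC 8461 allows

def check_txt_record(txt):
    # The _mta-sts TXT record has the form "v=STSv1; id=<1-32 alphanumerics>".
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    return (fields.get("v") == "STSv1"
            and re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")) is not None)

def parse_policy(text):
    # "mx" may appear several times, so it is collected into a list.
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        elif sep:
            policy[key.strip()] = value.strip()
    return policy

def mx_matches(host, pattern):
    # "*.example.com" covers exactly one left-most label, never the bare domain.
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return host == pattern

def check_policy(policy, dns_mx_hosts):
    # Findings for the three checks the page names: mode, max-age, MX match.
    findings = []
    if policy.get("version") != "STSv1":
        findings.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        findings.append("mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > RFC_MAX_AGE:
        findings.append("max_age must be an integer of at most 31557600")
    elif int(age) < MIN_MAX_AGE:
        findings.append("max_age is under 86400 (1 day)")
    findings += [f"MX host {h} is not listed in the policy"
                 for h in dns_mx_hosts if not any(mx_matches(h, p) for p in policy["mx"])]
    return findings

# Constructed sample modelled on the page's Step 2 policy file; the MX list is made up.
SAMPLE = "version: STSv1\nmode: testing\nmx: mail.yourdomain.com\nmax_age: 86400\n"
print(check_policy(parse_policy(SAMPLE), ["mail.yourdomain.com", "mx2.yourdomain.com"]))
```

An empty findings list for every MX host the domain publishes is the signal that the policy is ready to move from testing to enforce.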
Frequently Asked Questions
Should I use enforce or testing mode?
Start with testing mode to monitor without affecting email delivery. Switch to enforce mode once you're confident your MX hosts support proper TLS and certificate validation.
Where should I host the MTA-STS policy?
Host the policy at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with a valid TLS certificate. Ensure proper CORS headers and 24/7 availability.