MTA-STS Tester & Policy Validator

Enter a domain to check its MTA-STS setup. The tool reads the _mta-sts.<domain> TXT record and fetches the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt, validating the mode, MX patterns, and cache lifetime against RFC 8461.

Try a large mail provider such as google.com or microsoft.com that publishes a policy.

What is MTA-STS?

MTA-STS (SMTP MTA Strict Transport Security) is an email security standard, defined in RFC 8461, that lets a domain require that inbound mail be delivered over authenticated TLS. It closes the gap where opportunistic STARTTLS can be stripped by an attacker on the path, by making senders either use encryption with a valid certificate or refuse to deliver.

How does MTA-STS work?

MTA-STS combines a DNS TXT record with an HTTPS-hosted policy file. The TXT record signals that a policy exists, and the policy file states the rules a sending server must follow before delivering mail.

  1. TXT discovery record - _mta-sts.<domain> publishes v=STSv1 and a policy id that changes whenever the policy changes.
  2. Policy fetch - sending servers retrieve https://mta-sts.<domain>/.well-known/mta-sts.txt over HTTPS with a valid certificate.
  3. Mode enforcement - the policy mode is enforce, testing, or none.
  4. MX matching - each mx line lists the hostnames (wildcards allowed) authorised to receive mail.
  5. Caching - max_age tells senders how long to cache the policy, commonly one week (604800 seconds).
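The checks in the steps above, as an added Python example that is not the tester's own code: it validates a constructed TXT record and policy file (placeholder example.com/example.net values) against the RFC 8461 rules for version, mode, max_age and mx, and applies the RFC's single-label wildcard rule when matching an MX hostname.

```python
import re

# Constructed sample policy (placeholder domains, not a real deployment).
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mx1.example.com\nmx: *.example.net\nmax_age: 604800\n"
MAX_AGE_LIMIT = 31557600  # RFC 8461 caps max_age at one year of seconds
HOST_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)

def txt_record_ok(txt):
    """True when an _mta-sts TXT record carries v=STSv1 and a 1-32 char alphanumeric id."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    id_ok = re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")) is not None
    return fields.get("v") == "STSv1" and id_ok

def parse_policy(text):
    """Parse the policy file ('key: value' lines); returns (fields, errors)."""
    fields, errors = {"mx": []}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or malformed lines are skipped
        key, value = key.strip(), value.strip()
        if key == "mx":
            fields["mx"].append(value.lower())
        else:
            fields.setdefault(key, value)  # unknown keys are kept but ignored
    if fields.get("version") != "STSv1":
        errors.append("version must be STSv1")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        errors.append("mode must be enforce, testing or none")
    age = fields.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        errors.append("max_age must be an integer no larger than 31557600")
    if mode != "none" and not fields["mx"]:
        errors.append("at least one mx pattern is required unless mode is none")
    errors += [f"invalid mx pattern: {m}" for m in fields["mx"] if not HOST_RE.match(m)]
    return fields, errors

def mx_matches(hostname, patterns):
    """RFC 8461 matching: a leading '*.' covers exactly one DNS label."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    for pat in patterns:
        if pat.startswith("*."):
            if len(labels) > 1 and ".".join(labels[1:]) == pat[2:]:
                return True
        elif host == pat:
            return True
    return False
```

Note that *.example.net matches mail.example.net but neither example.net itself nor a.b.example.net, which is the behaviour senders apply when checking the certificate-validated MX host against the policy.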

What does MTA-STS mode mean?

The mode controls how strictly senders enforce the policy. There are exactly three values defined by RFC 8461.

  • enforce - mail is delivered only over validated TLS; otherwise it is not delivered. This is the protective end state.
  • testing - TLS problems are reported via TLS-RPT but mail is still delivered. Use this while you confirm reports are clean.
  • none - the policy is effectively disabled, typically used to phase MTA-STS out.

Why does the policy need to be served over HTTPS without redirects?

RFC 8461 requires that the policy file be returned directly with an HTTP 200 over HTTPS, using a certificate valid for mta-sts.<domain>. Redirects are not allowed because an attacker who controls the network could use them to point senders at a forged policy. This tester fetches the policy with redirects disabled to mirror that requirement.

Frequently asked questions

Is MTA-STS the same as DANE?

No. Both enforce TLS for SMTP, but DANE uses DNSSEC and TLSA records, while MTA-STS uses an HTTPS-hosted policy and the web PKI. MTA-STS is easier to deploy on domains without DNSSEC.

Do I need TLS-RPT with MTA-STS?

It is strongly recommended. TLS-RPT (RFC 8460) gives you reports of TLS failures so you can safely move from testing to enforce without silently dropping mail.

What max_age should I use?

A common production value is 604800 seconds (one week). Longer caching improves protection because senders keep enforcing the policy even if DNS is briefly tampered with. Use a short value only while testing.

Why was my policy file unreachable?

Typical causes are a missing mta-sts subdomain, an HTTPS certificate that is not valid for mta-sts.<domain>, or the policy being served through a redirect, which RFC 8461 forbids.
