Free MTA-STS Record Checker
Verify your Mail Transfer Agent Strict Transport Security (MTA-STS) configuration to prevent man-in-the-middle attacks.
What Is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is defined in RFC 8461 and ensures that emails sent to your domain are always encrypted in transit using TLS. Without MTA-STS, even if your mail server supports TLS, a man-in-the-middle attacker can perform a downgrade attack — stripping the TLS negotiation and intercepting messages in plain text. This is known as an SMTP downgrade attack. MTA-STS eliminates this vulnerability by publishing a policy that instructs sending mail servers to only deliver email over an authenticated, encrypted TLS connection to your specified MX hosts.
What Our Checker Validates
Our tool validates both components of MTA-STS. First, it checks the DNS TXT record at _mta-sts.yourdomain.com for a valid 'id' field (a change in the id signals a policy update to sending servers). Second, it fetches and validates the policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, checking the mode (testing, enforce, or none), the MX hostname entries, the max_age value, and the validity of the HTTPS certificate. Common issues flagged include MX entries in the policy file that do not match the domain's actual DNS MX records, expired certificates on the mta-sts subdomain, and excessively short max_age values.
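To make the checks above concrete, here is an added example (not the checker's own code) that performs the offline half of the validation in Python: it parses an MTA-STS TXT record and a policy file body, validates the fields, and compares the policy's mx patterns against the domain's DNS MX hosts using the wildcard matching rule from RFC 8461. Fetching the record and policy over DNS/HTTPS and checking the certificate are left out; the TXT record, policy text and MX list are constructed sample inputs passed in directly. The one-day minimum for max_age used to flag short values is an assumption chosen for the example, not a value from the RFC or the page.

```python
"""Offline MTA-STS validation: TXT record, policy file, and MX consistency.

Added example; the network fetch and TLS certificate check are out of scope.
"""
import re

VALID_MODES = {"testing", "enforce", "none"}
MAX_AGE_LIMIT = 31557600          # RFC 8461: max_age may not exceed one year
MIN_RECOMMENDED_MAX_AGE = 86400   # assumption for this example: flag anything under one day


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record, e.g. 'v=STSv1; id=20240115T120000Z'."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed TXT field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_policy(text):
    """Parse the 'key: value' policy body; the mx key may repeat."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches(pattern, host):
    """RFC 8461 matching: exact host, or '*.example.com' matching exactly one extra label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def validate(txt_record, policy_text, dns_mx_hosts):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    txt = parse_sts_txt(txt_record)
    if txt.get("v") != "STSv1":
        findings.append("TXT: missing or unexpected version tag (expected v=STSv1)")
    if not txt.get("id"):
        findings.append("TXT: missing id field")
    elif not re.fullmatch(r"[A-Za-z0-9]{1,32}", txt["id"]):
        findings.append("TXT: id must be 1 to 32 alphanumeric characters")

    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        findings.append("policy: missing or unexpected version (expected STSv1)")
    mode = policy.get("mode")
    if mode not in VALID_MODES:
        findings.append(f"policy: invalid mode {mode!r}")

    max_age = policy.get("max_age")
    if max_age is None or not re.fullmatch(r"\d{1,10}", max_age):
        findings.append("policy: max_age missing or not a non-negative integer")
    else:
        seconds = int(max_age)
        if seconds > MAX_AGE_LIMIT:
            findings.append(f"policy: max_age {seconds} exceeds the one-year limit")
        elif seconds < MIN_RECOMMENDED_MAX_AGE:
            findings.append(f"policy: max_age {seconds} is shorter than one day")

    # Cross-check policy mx patterns against the MX hosts actually published in DNS.
    if mode != "none" and not policy["mx"]:
        findings.append("policy: no mx entries although mode is not 'none'")
    for host in dns_mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            findings.append(f"mismatch: DNS MX {host} is not covered by any policy mx entry")
    for pattern in policy["mx"]:
        if not any(mx_matches(pattern, h) for h in dns_mx_hosts):
            findings.append(f"mismatch: policy mx {pattern} matches no DNS MX host")
    return findings


# Constructed sample inputs (not real records).
GOOD_TXT = "v=STSv1; id=20240115T120000Z"
GOOD_POLICY = "version: STSv1\nmode: enforce\nmx: mail1.example.com\nmx: *.mx.example.com\nmax_age: 604800\n"
DNS_MX = ["mail1.example.com", "mx2.mx.example.com"]
STALE_POLICY = "version: STSv1\nmode: enforce\nmx: old-mail.example.com\nmax_age: 300\n"

if __name__ == "__main__":
    print("good policy:", validate(GOOD_TXT, GOOD_POLICY, DNS_MX) or "no findings")
    for f in validate(GOOD_TXT, STALE_POLICY, DNS_MX):
        print("stale policy:", f)
```

Running the script reports no findings for the first policy and, for the stale one, a too-short max_age plus the MX mismatches in both directions: the two live MX hosts are not covered, and the pattern the policy still lists no longer exists in DNS. In enforce mode that mismatch is the dangerous case, because a sending server honouring the policy will refuse to deliver to the uncovered hosts.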
MTA-STS and Your Security Stack
While DMARC, SPF, and DKIM protect against domain spoofing, MTA-STS protects the email content during delivery by ensuring TLS encryption is enforced. This is especially critical for organizations in regulated industries — finance, healthcare, government, and legal — where unencrypted email transmission creates compliance risks. MTA-STS works alongside TLS-RPT (which provides reporting on TLS negotiation outcomes) and optionally DANE (which uses DNSSEC to publish TLS certificates). For most organizations, MTA-STS combined with TLS-RPT provides the most practical path to transport encryption enforcement.
