SimpleDMARC

Free MTA-STS Record Generator

Generate a compliant MTA-STS policy file and DNS record to secure your email transmission.

What You Need to Deploy MTA-STS

MTA-STS requires two components: a DNS TXT record at _mta-sts.yourdomain.com that advertises the policy and contains a unique 'id' value, and a policy text file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt served over HTTPS with a valid TLS certificate. Our generator creates both outputs — the DNS record and the policy file content — ensuring they are syntactically correct and consistent with each other.

How to Use This Generator

Select your policy mode: 'testing' for initial deployment (senders report failures but still deliver email) or 'enforce' for production use (senders reject delivery if TLS negotiation fails). Enter the MX hostnames authorized to receive email for your domain — these must match your actual MX DNS records exactly. Set the max_age value (how long senders should cache the policy). The generator outputs the DNS TXT record value and the complete policy file content ready for hosting.

Deployment Workflow

Start in testing mode with TLS-RPT configured (use our TLS-RPT Generator) so you can monitor whether any legitimate sending servers fail TLS negotiation. Host the policy file at the required HTTPS endpoint, publish the DNS TXT record, and validate with our MTA-STS Checker. Monitor TLS-RPT reports for 1 to 2 weeks. If no legitimate delivery failures are reported, switch to enforce mode by updating the policy file and incrementing the DNS record's id value to trigger a policy refresh by sending servers.
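As an added illustration (not SimpleDMARC's generator code), the Python below builds the two outputs described above from a mode, an MX list and a max_age, and cross-checks a policy against the MX hostnames actually published in DNS, including the rule that a wildcard covers only one label. Field names follow RFC 8461; the hostnames are constructed examples.

```python
"""Build an MTA-STS policy file and DNS TXT record, then cross-check MX hosts."""
from datetime import datetime, timezone

MODES = {"testing", "enforce", "none"}  # the three policy modes RFC 8461 defines
MAX_AGE_LIMIT = 31557600  # about one year, the largest max_age the RFC allows


def build_policy(mode, mx_hosts, max_age):
    """Return the body of /.well-known/mta-sts.txt (CRLF line endings)."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}; expected one of {sorted(MODES)}")
    if not mx_hosts and mode != "none":
        raise ValueError("list at least one mx host unless mode is 'none'")
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be between 0 and {MAX_AGE_LIMIT} seconds")
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {host.lower()}" for host in mx_hosts]
    lines.append(f"max_age: {max_age}")
    return "\r\n".join(lines) + "\r\n"


def build_dns_record(policy_id):
    """TXT value for _mta-sts.<domain>; a new id tells senders to refetch the policy."""
    return f"v=STSv1; id={policy_id};"


def timestamp_id(now=None):
    """A UTC timestamp (e.g. 20240105120000Z) is a convenient always-increasing id."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%d%H%M%SZ")


def mx_matches(pattern, mx_host):
    """Exact match, or a '*.' wildcard that covers exactly one leftmost label."""
    pattern, mx_host = pattern.lower(), mx_host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mail.example.com"
        return mx_host.endswith(suffix) and "." not in mx_host[: -len(suffix)]
    return pattern == mx_host


def unmatched_mx(policy, actual_mx):
    """MX hosts from DNS that no 'mx:' line covers: these break delivery in enforce mode."""
    patterns = [line.split(":", 1)[1].strip()
                for line in policy.splitlines() if line.startswith("mx:")]
    return [host for host in actual_mx if not any(mx_matches(p, host) for p in patterns)]
```

Run `unmatched_mx` against your live MX records before switching the policy to enforce; any hostname it returns would be refused by senders once the policy is cached.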

Frequently Asked Questions

What is an MTA-STS policy file?
It's a text file hosted at a specific URL that tells sending servers to enforce TLS encryption.
What are the modes?
"Testing" allows you to see reports without blocking email. "Enforce" blocks email if encryption fails.
What is the MX pattern?
It specifies which mail servers match this policy. Wildcards like "*.google.com" are common.
Where do I host the policy file?
Host it at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. This requires a web server on the mta-sts subdomain with a valid HTTPS certificate. Many organizations use cloud storage (S3, GCS) or CDNs for this.
How do I update the policy?
Edit the policy file content and increment the id value in the DNS TXT record. Sending servers compare the id against their cached version to detect policy changes.
What MX hosts should I list?
List every MX hostname that appears in your domain's MX DNS records. The hostnames must match exactly — if your MX points to mx1.provider.com, the policy must list mx1.provider.com.