Skip to content

Free MTA-STS Checker - Validate MTA-STS Policy & DNS Record

Check your MTA-STS implementation instantly. Our free MTA-STS checker validates your DNS TXT record, fetches and analyzes your policy file, verifies TLS enforcement mode (testing vs enforce), and checks MX host matching. Get copy-ready policy files and step-by-step deployment guides for Google Workspace, Microsoft 365, and custom mail servers.

Why MTA-STS Matters for Email Security

MTA-STS (Mail Transfer Agent Strict Transport Security) enforces TLS encryption for email delivery, preventing downgrade attacks. Use it alongside SMTP TLS verification and TLS-RPT reporting for comprehensive email transport security.

TLS Enforcement

Requires encrypted connections for email delivery

Attack Prevention

Prevents TLS downgrade and man-in-the-middle attacks

Certificate Validation

Validates MX host certificates against policy

Reporting

Works with TLS-RPT for delivery insights

Live Policy Fetch

Enter a domain above to check its MTA-STS policy

Common MTA-STS Errors

Issues that prevent proper MTA-STS implementation.

Policy File Not Found (404)

The policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt is not accessible.

Critical Error

Certificate Mismatch

MX hosts don't match the certificates or policy configuration.

Medium Risk

Short Max-Age

Max-age under 86400 (1 day) reduces policy effectiveness.

Low Risk

MTA-STS Deployment Guide

Step-by-step setup for MTA-STS implementation

Step 1: Create DNS Record

Add this TXT record to _mta-sts.yourdomain.com:

v=STSv1; id=20240101T000000;

Step 2: Host Policy File

Create https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:

version: STSv1
mode: testing
mx: mail.yourdomain.com
max_age: 86400

Step 3: Test & Monitor

Use testing mode initially, then upgrade to enforce mode after validation.

Related Email Security Tools

TLS-RPT Generator

Generate TLS reporting records

SMTP TLS Checker

Verify STARTTLS and ciphers

Deliverability Test

Complete email security audit

Run a Full Email Security Audit

Check MTA-STS, DMARC, SPF, DKIM, and more in one comprehensive scan

Run Full Deliverability Test

Frequently Asked Questions

Should I use enforce or testing mode?

Start with testing mode to monitor without affecting email delivery. Switch to enforce mode once you're confident your MX hosts support proper TLS and certificate validation.

Where should I host the MTA-STS policy?

Host the policy at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with a valid TLS certificate. Ensure proper CORS headers and 24/7 availability.