How to Check MTA-STS

MTA-STS (Mail Transfer Agent Strict Transport Security) allows domains to enforce TLS encryption for inbound email delivery.

It works by combining a DNS TXT record with a policy file hosted over HTTPS.

Sending mail servers retrieve the policy via HTTPS and use it to validate TLS connections and MX hostnames.

MTA-STS is defined in RFC 8461.

The MTA-STS DNS record is published at _mta-sts.example.com as a TXT record.

A typical record looks like v=STSv1; id=2024040301.

The id value is used to signal policy updates. When it changes, sending servers know to re-fetch the policy file.

You can check this record to confirm it exists and is correctly formatted.

• MTA-STS Check

The MTA-STS policy file must be hosted at https://mta-sts.example.com/.well-known/mta-sts.txt.

This file must be accessible over HTTPS with a valid certificate.

A typical policy file includes version, mode, mx, and max_age fields.

If the file is unreachable, invalid, or served over HTTP instead of HTTPS, MTA-STS will not function correctly.

Both the DNS TXT record and the HTTPS policy file must align.

If the id value in DNS changes but the policy file is not updated, sending servers may cache outdated information.

If the MX patterns defined in the policy do not match your actual MX records, mail delivery may fail.

You should always verify MX records alongside the policy.

• MTA-STS Check

• TXT record exists at _mta-sts.example.com
• TXT record contains v=STSv1 and a valid id value
• Policy file is reachable over HTTPS
• TLS certificate for mta-sts subdomain is valid
• Policy file contains valid syntax and required fields
• MX patterns in the policy match actual MX records
• Policy mode is set appropriately to none, testing, or enforce

• Missing or incorrectly formatted TXT record
• Policy file not accessible over HTTPS
• Invalid TLS certificate on mta-sts subdomain
• MX records do not match policy definitions
• Policy file syntax errors
• DNS id updated but policy file not refreshed
• Forgetting to configure TLS-RPT for visibility

TLS-RPT (SMTP TLS Reporting) provides visibility into mail delivery issues related to TLS and MTA-STS.

Without TLS-RPT, you may not be aware of failures or misconfigurations.

A TLS-RPT record is published as a TXT record at _smtp._tls.example.com.

Configuring TLS-RPT alongside MTA-STS is strongly recommended for monitoring and troubleshooting.

• Check the _mta-sts TXT record for correct format and id value
• Fetch the HTTPS policy file and confirm accessibility
• Validate TLS certificate on mta-sts subdomain
• Compare MX records with policy mx entries
• Confirm policy syntax and mode
• Check for TLS-RPT configuration
• Re-test mail delivery and monitor reports

MTA-STS is part of a broader email security setup.

• SPF
• DKIM
• DMARC
• DNS propagation

You should verify SPF, DKIM, and DMARC to ensure complete email authentication. If issues persist, consider whether DNS behaviour such as propagation may also be contributing.

If you want to validate this topic in practice, these DNS Pro tools are the fastest next step.

• MTA-STS Check
• TLS-RPT Check
• Email Security Check