Email Security • Last Updated 3rd April 2026 3 min read

What Is MTA-STS? SMTP TLS Policy Explained

Learn what MTA-STS is, how it enforces TLS for email delivery, what the policy looks like, and how it works with DNS and HTTPS.


What MTA-STS is

MTA-STS (Mail Transfer Agent Strict Transport Security) is a security standard that allows a domain to enforce encrypted SMTP connections using TLS.

It protects email delivery from downgrade attacks and misconfigurations by telling sending mail servers that TLS must be used and that the receiving server must present a valid certificate.

You can check your MTA-STS configuration with the DNS Pro MTA-STS Check tool.

For comparison, you can also use MXToolbox: https://mxtoolbox.com/MTASTS.aspx

Why MTA-STS matters

Without MTA-STS, SMTP encryption is opportunistic: delivery may fall back to an unencrypted connection if TLS negotiation fails, which leaves email exposed to interception and downgrade attacks.

MTA-STS ensures that sending servers either deliver securely using TLS or fail the delivery attempt instead of silently downgrading.

How MTA-STS works

  • The sending server looks for an MTA-STS policy via DNS
  • It fetches the policy file over HTTPS
  • It validates the policy rules (mode, MX hosts, TLS requirements)
  • It enforces TLS and certificate validation during delivery

The DNS record

MTA-STS is enabled via a TXT record at _mta-sts.yourdomain.com.

_mta-sts.example.com. 3600 IN TXT "v=STSv1; id=2026040301"

The id value is an opaque string that must change whenever the policy file changes; sending servers compare it with the id they cached to decide when to fetch the policy again.

The HTTPS policy file

The actual policy is hosted over HTTPS at a well-known location:

https://mta-sts.example.com/.well-known/mta-sts.txt

Example policy file:

version: STSv1
mode: enforce
mx: mail.example.com
mx: backup.example.com
max_age: 86400

Policy fields explained

  • version → must be STSv1
  • mode → none, testing, or enforce
  • mx → allowed receiving mail servers
  • max_age → how long the policy is cached (in seconds)

MTA-STS modes

  • none → policy is not enforced
  • testing → policy is evaluated but not enforced
  • enforce → TLS is required and delivery fails if conditions are not met

How MTA-STS works with TLS-RPT

MTA-STS enforces secure delivery, while TLS-RPT provides visibility into delivery failures.

Together, they allow both enforcement and monitoring of SMTP TLS behaviour.

Learn more about reporting here: /articles/what-is-tls-rpt

What to check

  • The _mta-sts TXT record exists and is correctly formatted
  • The policy file is accessible over HTTPS
  • The certificate on mta-sts.yourdomain.com is valid
  • The MX hosts listed match your actual mail infrastructure
  • The mode is appropriate (testing vs enforce)

Common mistakes

  • Publishing the DNS record but not hosting the policy file
  • Using incorrect MX hostnames in the policy
  • Leaving mode set to testing indefinitely
  • Misconfigured HTTPS (invalid certificate or inaccessible endpoint)
  • Forgetting to update the id field after policy changes

Basic validation commands

# Check MTA-STS DNS record
dig TXT _mta-sts.example.com

# Fetch policy file
curl https://mta-sts.example.com/.well-known/mta-sts.txt
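As an added example (not part of this article or of the DNS Pro tools), the following Python script performs offline the sender-side evaluation described in the sections above: it parses the _mta-sts TXT record and the policy file, applies the RFC 8461 wildcard rule when matching MX hostnames, reports whether delivery would proceed under each mode, and tells you whether a changed id requires the policy to be fetched again. The sample record and policy are constructed; the TLS and certificate outcomes are passed in as booleans rather than obtained from a live STARTTLS handshake, so nothing here touches the network.

```python
"""Offline MTA-STS evaluator (added example, not the article's own code).
Follows the sender-side steps of RFC 8461 on constructed input; no DNS or HTTPS."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample inputs, shaped like the article's examples.
SAMPLE_TXT = "v=STSv1; id=2026040301"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 86400
"""

@dataclass
class Policy:
    mode: str
    mx: List[str]
    max_age: int

def parse_txt_record(txt: str) -> dict:
    """Parse 'v=STSv1; id=...' into a dict, rejecting malformed records."""
    fields = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("record must carry v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")  # RFC 8461 3.1
    return fields

def needs_refetch(cached_id: str, txt: str) -> bool:
    """A changed id in DNS means the cached policy is stale and must be refetched."""
    return parse_txt_record(txt)["id"] != cached_id

def parse_policy(text: str) -> Policy:
    """Parse the mta-sts.txt body. Unknown keys are ignored, as the RFC allows."""
    version = mode = max_age = None
    mx: List[str] = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key == "max_age":
            max_age = int(value)  # raises ValueError if not a number of seconds
    if version != "STSv1":
        raise ValueError("version must be STSv1")
    if mode not in ("none", "testing", "enforce"):
        raise ValueError(f"invalid mode: {mode!r}")
    if max_age is None:
        raise ValueError("max_age is required")
    return Policy(mode, mx, max_age)

def mx_matches(mx_host: str, patterns: List[str]) -> bool:
    """True if the MX hostname matches a policy pattern. A '*.' wildcard covers
    exactly one leftmost label (RFC 8461 4.1): not the bare domain, not two labels."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]  # e.g. ".backup.example.net"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pat:
            return True
    return False

def decide(policy: Policy, mx_host: str, tls_ok: bool, cert_valid: bool) -> Tuple[bool, str]:
    """Sender-side decision for one MX: (deliver?, reason). tls_ok/cert_valid stand in
    for a real STARTTLS handshake. enforce aborts on any failure; testing/none deliver."""
    problems = []
    if not mx_matches(mx_host, policy.mx):
        problems.append("MX host not listed in policy")
    if not tls_ok:
        problems.append("STARTTLS unavailable or negotiation failed")
    elif not cert_valid:
        problems.append("certificate not valid for MX host")
    if not problems:
        return True, "policy satisfied"
    detail = "; ".join(problems)
    if policy.mode == "enforce":
        return False, "enforce: delivery aborted: " + detail
    return True, f"{policy.mode}: delivered, failure reportable via TLS-RPT: {detail}"

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(decide(policy, "mx1.backup.example.net", True, False))
```

Feeding it the output of the dig and curl commands above (the TXT string and the policy body) reproduces what a sending MTA decides for each of your MX hosts; switching the sample policy to mode: testing shows why a failure in that mode only ever appears in TLS-RPT reports rather than as a bounced message.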
