MTA-STS Policy Checker

Look up the _mta-sts TXT record and HTTPS policy file, then cross-check the policy mx patterns against the domain's real MX hosts.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What is MTA-STS and why does it matter?

MTA-STS (RFC 8461) is a mechanism that lets email domains declare they support TLS and that sending servers should refuse to deliver mail if a valid TLS connection cannot be established. Without MTA-STS, an attacker can perform a downgrade attack — stripping STARTTLS from the SMTP negotiation to receive mail in the clear. MTA-STS prevents this.

How does MTA-STS work?

Two parts: a DNS TXT record at _mta-sts.example.com signals policy existence, and an HTTPS policy file at https://mta-sts.example.com/.well-known/mta-sts.txt lists the authorised MX hostnames and the enforcement mode. Sending MTAs fetch the policy file, verify the MX hosts match, and enforce TLS. The HTTPS channel provides authentication that DNS alone cannot.

What is the difference between 'enforce' and 'testing' mode?

mode: enforce — sending servers must establish a valid TLS connection or reject the delivery attempt. mode: testing — servers attempt TLS but report failures via TLS-RPT without rejecting mail. Start with testing to collect reports and verify your setup before moving to enforce.

Do my MX hostnames need to match the policy exactly?

Yes — the policy file lists the MX patterns your receiving servers must match. This tool cross-checks your live MX records against the policy's mx entries and flags any mismatches. A mismatch in enforce mode would cause sending servers to reject delivery to your domain.