Network Diagnostic Tools

MTA-STS Check

Enforced TLS policy for inbound mail

What is MTA-STS?

MTA-STS lets a domain require that incoming mail be delivered over authenticated TLS, defending against downgrade and man-in-the-middle attacks. IPeek reads the _mta-sts TXT record and fetches the policy file published at mta-sts.your-domain. It closes the gap left by opportunistic STARTTLS, which an attacker can silently strip.

How MTA-STS publishes and enforces a policy

MTA-STS uses two parts. A TXT record at _mta-sts.your-domain holds a version and a policy ID that tells sending servers a policy exists and changes when you update it. The policy itself lives in a plain-text file served over HTTPS at https://mta-sts.your-domain/.well-known/mta-sts.txt. That file lists the version, the mode, the permitted MX hostnames, and a max_age caching lifetime. A sender that supports MTA-STS fetches and caches the policy, then refuses to deliver to any MX whose certificate fails to validate against it.

How to read your MTA-STS results

IPeek shows whether the _mta-sts TXT record exists and whether the policy file is reachable over HTTPS. The mode value is what matters most. none means no policy is in effect, testing means failures are reported but mail still flows, and enforce means a sender must abort delivery if TLS authentication fails. Check that the mx entries in the policy match your real MX records and that the HTTPS certificate on the policy host is valid. A high max_age, often 604800 seconds, improves protection because cached policies resist live tampering.

Common MTA-STS problems and how to fix them

The most common mistake is a TXT record that exists while the policy file returns a 404 or a redirect, which makes the policy unusable. The policy host must serve valid HTTPS, so an expired or mismatched certificate on mta-sts.your-domain breaks enforcement entirely. MX entries that drift out of sync with your DNS cause delivery failures once you switch to enforce. Roll out in testing first, monitor TLS-RPT reports for failures, and only move to enforce after confirming every MX presents a valid, matching certificate.

Frequently asked questions

What is the difference between MTA-STS testing and enforce mode?

In testing mode, senders that detect a TLS failure still deliver the mail but report the problem, letting you find issues without blocking traffic. In enforce mode, a sender must abort delivery to any MX whose certificate fails validation. Start in testing, watch your TLS-RPT reports, and switch to enforce only once no failures appear.

Where is the MTA-STS policy file located?

The policy file is served over HTTPS at https://mta-sts.your-domain/.well-known/mta-sts.txt, on a subdomain named mta-sts. The DNS TXT record at _mta-sts.your-domain only announces that a policy exists and carries an ID; the actual rules, including mode and permitted MX hosts, live in that HTTPS file. Both must be present and valid for MTA-STS to work.

How does MTA-STS differ from STARTTLS?

STARTTLS is opportunistic: it offers encryption but a network attacker can strip the STARTTLS advertisement and force plaintext delivery, undetected. MTA-STS adds a published policy that tells senders TLS is required and which MX certificates to trust, so a stripped or invalid TLS connection causes delivery to fail rather than silently downgrade. It hardens STARTTLS against downgrade attacks.

Does MTA-STS require DNSSEC?

No. MTA-STS deliberately relies on HTTPS and web PKI for its trust, not DNSSEC, which makes it easier to deploy than DANE. The policy file's HTTPS certificate provides authentication. If your domain already has DNSSEC, you can run DANE alongside MTA-STS, since the two mechanisms complement rather than conflict with each other.

How do I roll out MTA-STS safely?

Publish the TXT record and policy file in testing mode first, then enable TLS-RPT so sending servers email you reports of any TLS failures. Confirm your MX hostnames in the policy match DNS and that every MX presents a valid certificate. Once reports show no failures over a normal reporting cycle, change the mode to enforce and update the policy ID.

Related tools

Deutsch | English | Español | Français | Italiano | Português | Русский | Українська | 日本語 | 简体中文 | 한국어