Enforced TLS policy for inbound mail
DNS & Records
DNS Lookup Every DNS record for any domain A Record Lookup IPv4 addresses for a domain AAAA Record Lookup IPv6 addresses for a domain MX Lookup Mail servers for a domain NS Lookup Authoritative name servers TXT Lookup TXT records, SPF, verification CNAME Lookup Canonical name (alias) records SOA Lookup Start of Authority record SRV Lookup Service location records CAA Lookup Which CAs may issue certificates Reverse DNS (PTR) IP address to hostname DNSSEC Check Is the domain signed and validated? DNS Health Check A full delegation & DNS report cardEmail Deliverability
SPF Check Validate your Sender Policy Framework record DMARC Check Inspect and grade your DMARC policy DKIM Check Find and validate your DKIM public key Blacklist Check Check an IP against email blocklists (DNSBLs) SMTP Test Connect to a mail server and check STARTTLS MTA-STS Check Enforced TLS policy for inbound mail BIMI Check Brand logo record for email TLS-RPT Check SMTP TLS reporting policyNetwork & Web
SSL Certificate Check Inspect a site's TLS certificate and expiry HTTP Header Check Inspect response headers, redirects and security Ping (TCP) Reachability and latency over TCP Port Check Which common ports are openDomain
WHOIS Lookup Registration data for domains, IPs and ASNsMTA-STS lets a domain require that incoming mail be delivered over authenticated TLS, defending against downgrade and man-in-the-middle attacks. IPeek reads the _mta-sts TXT record and fetches the policy file published at mta-sts.your-domain. It closes the gap left by opportunistic STARTTLS, which an attacker can silently strip.
MTA-STS uses two parts. A TXT record at _mta-sts.your-domain holds a version and a policy ID that tells sending servers a policy exists and changes when you update it. The policy itself lives in a plain-text file served over HTTPS at https://mta-sts.your-domain/.well-known/mta-sts.txt. That file lists the version, the mode, the permitted MX hostnames, and a max_age caching lifetime. A sender that supports MTA-STS fetches and caches the policy, then refuses to deliver to any MX whose certificate fails to validate against it.
IPeek shows whether the _mta-sts TXT record exists and whether the policy file is reachable over HTTPS. The mode value is what matters most. none means no policy is in effect, testing means failures are reported but mail still flows, and enforce means a sender must abort delivery if TLS authentication fails. Check that the mx entries in the policy match your real MX records and that the HTTPS certificate on the policy host is valid. A high max_age, often 604800 seconds, improves protection because cached policies resist live tampering.
The most common mistake is a TXT record that exists while the policy file returns a 404 or a redirect, which makes the policy unusable. The policy host must serve valid HTTPS, so an expired or mismatched certificate on mta-sts.your-domain breaks enforcement entirely. MX entries that drift out of sync with your DNS cause delivery failures once you switch to enforce. Roll out in testing first, monitor TLS-RPT reports for failures, and only move to enforce after confirming every MX presents a valid, matching certificate.
In testing mode, senders that detect a TLS failure still deliver the mail but report the problem, letting you find issues without blocking traffic. In enforce mode, a sender must abort delivery to any MX whose certificate fails validation. Start in testing, watch your TLS-RPT reports, and switch to enforce only once no failures appear.
The policy file is served over HTTPS at https://mta-sts.your-domain/.well-known/mta-sts.txt, on a subdomain named mta-sts. The DNS TXT record at _mta-sts.your-domain only announces that a policy exists and carries an ID; the actual rules, including mode and permitted MX hosts, live in that HTTPS file. Both must be present and valid for MTA-STS to work.
STARTTLS is opportunistic: it offers encryption but a network attacker can strip the STARTTLS advertisement and force plaintext delivery, undetected. MTA-STS adds a published policy that tells senders TLS is required and which MX certificates to trust, so a stripped or invalid TLS connection causes delivery to fail rather than silently downgrade. It hardens STARTTLS against downgrade attacks.
No. MTA-STS deliberately relies on HTTPS and web PKI for its trust, not DNSSEC, which makes it easier to deploy than DANE. The policy file's HTTPS certificate provides authentication. If your domain already has DNSSEC, you can run DANE alongside MTA-STS, since the two mechanisms complement rather than conflict with each other.
Publish the TXT record and policy file in testing mode first, then enable TLS-RPT so sending servers email you reports of any TLS failures. Confirm your MX hostnames in the policy match DNS and that every MX presents a valid certificate. Once reports show no failures over a normal reporting cycle, change the mode to enforce and update the policy ID.