MTA-STS Record Checker

Enter a domain name to check its MTA-STS configuration (DNS & Policy) instantly.

✨ 100% Free Tool

MTA-STS Record Checker: Secure Your Email Transport

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a security protocol designed to enforce secure SMTP connections between mail servers. It prevents downgrade attacks and man-in-the-middle (MITM) attacks by requiring mail servers to use TLS encryption when transmitting emails.

MTA-STS works through two components: a DNS TXT record published at _mta-sts.yourdomain.com and a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The DNS record announces the policy version, while the policy file specifies which mail servers (MX hosts) support secure connections and the enforcement mode.

This protocol ensures that email communication remains encrypted in transit, protecting sensitive information from interception and tampering. It's a critical component of modern email security alongside SPF, DKIM, and DMARC.

Why is MTA-STS Important?

  • Prevents Downgrade Attacks: MTA-STS prevents attackers from forcing email servers to use unencrypted connections, ensuring that email transmission always uses TLS encryption.
  • Protects Against MITM Attacks: By enforcing certificate validation, MTA-STS prevents man-in-the-middle attacks where attackers intercept email communications.
  • Improves Email Security Posture: Implementing MTA-STS demonstrates a commitment to email security and builds trust with partners and customers.
  • Complements DMARC: MTA-STS works alongside DMARC, SPF, and DKIM to create a comprehensive email authentication and security framework.
  • Enhances Deliverability: Major email providers prioritize emails from domains with proper security configurations, improving inbox placement rates.
  • Regulatory Compliance: Many industries require secure email communications to comply with data protection regulations like GDPR, HIPAA, and PCI-DSS.

How to Use This Tool

  1. Enter Domain Name: Type the domain name you want to check (e.g., gmail.com) into the "Domain Name" field. The tool accepts standard domain formats without protocols or paths.
  2. Click Check MTA-STS Records: Hit the "Check MTA-STS Records" button. The tool will perform two queries: first, it checks for the DNS TXT record at _mta-sts.yourdomain.com, and second, it attempts to fetch the policy file from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
  3. Review DNS Record: The tool displays the DNS TXT record if found. This record should contain a version identifier like v=STSv1; id=20231201 where the ID represents your policy version.
  4. Analyze Policy File: The policy file shows the enforcement mode (enforce, testing, or none), maximum age (how long the policy should be cached), and the list of authorized MX hosts that support TLS.
  5. Address Issues: If any errors are detected, the tool provides specific feedback to help you troubleshoot configuration problems.

Other Related Important Sections

Understanding Policy Modes

enforce

Strictly requires TLS connections. Emails will fail if TLS cannot be established.

testing

Reports policy violations but doesn't reject emails. Useful for testing configurations.

none

No enforcement. Policy exists but provides no security benefit.

Sample MTA-STS Policy File

version: STSv1
mode: enforce
mx: mail.example.com
max_age: 86400

This policy enforces TLS for mail.example.com and caches the policy for 24 hours (86400 seconds).

Common Implementation Issues

  • Certificate Mismatch: Ensure your MX hosts have valid TLS certificates that match the hostnames in your policy.
  • Policy File Accessibility: The policy file must be accessible via HTTPS at the exact URL https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
  • DNS Record Format: The DNS TXT record must follow the exact format v=STSv1; id=YYYYMMDDHHMMSS.
  • Max Age Setting: Use a reasonable max_age value (86400 for testing, up to 31536000 for production).
  • MX Host Matching: All MX records must be listed in the policy file, or use wildcards like *.example.com.

This Tool is Totally Free

Our MTA-STS Record Checker is completely free to use with no registration required, no hidden fees, and unlimited checks. We're committed to helping you secure your email infrastructure and protect your communications.

Frequently Asked Questions

What is the purpose of an MTA-STS Record Checker?

An MTA-STS Record Checker validates two critical components: your DNS TXT record (`_mta-sts`) and your HTTPS policy file. It ensures your domain is correctly configured to force TLS encryption for inbound emails, protecting against downtime attacks and securing your SMTP infrastructure.

How do I fix "STSFetchResult.NONE"?

This error means the MTA-STS policy file is missing or unreachable. Ensure you have a valid SSL/TLS certificate for `mta-sts.yourdomain.com` and that the file exists at `/.well-known/mta-sts.txt`. The server must respond with a 200 OK status and the correct `text/plain` content type.

Can I enable MTA-STS without DMARC?

Yes, technically you can, but it is not recommended. DMARC and MTA-STS are complementary; DMARC authenticates the sender (preventing spoofing), while MTA-STS secures the transport channel (preventing interception). Using both provides the highest level of email security.

What does "Remote certificate failed validation" mean?

This error occurs when the destination mail server's SSL/TLS certificate does not match the hostname in the MX record or is expired/untrusted. MTA-STS requires a valid chain of trust to preventing Man-in-the-Middle (MITM) attacks.

Why is my MTA-STS record invalid?

An invalid record often stems from syntax errors. The _mta-sts DNS record must be a TXT record starting with `v=STSv1;` followed by a unique `id=` tag. Common mistakes include missing semicolons, using the wrong record type, or publishing it at the root domain instead of the `_mta-sts` subdomain.

How often should I update the `id` tag?

You must update the `id` value in your DNS record every time you modify your policy file. This signifies a version change to sending mail servers, prompting them to fetch the new policy immediately instead of using the cached version.

What is the difference between "testing" and "enforce"?

In `testing` mode, policy failures are reported via TLS-RPT but emails are still delivered. In `enforce` mode, emails that fail TLS validation or policy checks are rejected. Always start with testing to avoid accidental delivery interruptions.

Do I need a dedicated IP for MTA-STS?

No, you don't need a dedicated IP, but you do need a web server (like Nginx, Apache, or a cloud bucket) that can serve the policy file via HTTPS on the `mta-sts` subdomain. A valid SSL certificate for that subdomain is mandatory.

Related DNS & Network Tools

Explore more powerful tools in this category.

MX Record Checker

Check Mail Exchange (MX) records for any domain name instantly.

SPF Record Checker

Verify Sender Policy Framework (SPF) records to prevent email spoofing.

DKIM Record Lookup

Retrieve and verify DomainKeys Identified Mail (DKIM) records.

DMARC Checker

Analyze DMARC records to ensure email authentication policies.

BIMI Record Checker

Check Brand Indicators for Message Identification (BIMI) records.

TLS-RPT Record Checker

Check TLS Reporting (TLS-RPT) DNS records.

Email Blacklist Checker

Check if your mail server IP is listed on major DNSBL blacklists.

Online Port Checker

Check if a specific port is open on a target server or IP.

Advance DNS Leak Test

Verify if your VPN is leaking DNS queries and protect your online privacy.

Resolve IP to Hostname

Perform a reverse DNS lookup to find the hostname of an IP.

Website to IP Lookup

Convert domain names to IP addresses with detailed DNS and geolocation information.

Advanced Traceroute Online

Record the whole path through which network request routes to the provided Domain or IP Address.

Advanced - IPsec VPN Phase 1 & 2 Parameter Matcher

Troubleshoot VPN site-to-site configuration mismatches by comparing Local and Remote Phase 1 and Phase 2 parameters.

Advanced DNSSEC Checker

Verify DNSSEC records (DNSKEY, DS, RRSIG) and check the Chain of Trust status instantly.

Advanced DANE Record Checker

Check and validate TLSA records for DANE (DNS-Based Authentication of Named Entities).

Advanced VoIP MOS Score Calculator

Calculate Mean Opinion Score (MOS) for VoIP based on Latency, Jitter, and Packet Loss.

Advanced Fresnel Zone Calculator

Calculate 1st Fresnel Zone radius and recommended clearance for wireless links.

Advanced EIRP Calculator

Calculate Effective Isotropic Radiated Power (EIRP) for wireless links.

Advanced Fiber Loss Budget Calculator

Calculate total optical fiber loss budget, including splices and connectors, for reliable network planning.

Advanced Antenna Downtilt and Coverage Calculator

Calculate optimal antenna downtilt angle and coverage radius for precise network planning.

Advanced MTU Calculator

Calculate MTU, MSS, and protocol overheads (IPv4, IPv6, VLAN, PPPoE, etc.) for network optimization.