MTA-STS Record Checker: Secure Your Email Transport
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a security protocol designed to enforce secure SMTP connections between mail servers. It prevents downgrade attacks and man-in-the-middle (MITM) attacks by requiring mail servers to use TLS encryption when transmitting emails.
MTA-STS works through two components: a DNS TXT record published at _mta-sts.yourdomain.com and a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The DNS record announces the policy version, while the policy file specifies which mail servers (MX hosts) support secure connections and the enforcement mode.
This protocol ensures that email communication remains encrypted in transit, protecting sensitive information from interception and tampering. It's a critical component of modern email security alongside SPF, DKIM, and DMARC.
Why is MTA-STS Important?
- Prevents Downgrade Attacks: MTA-STS prevents attackers from forcing email servers to use unencrypted connections, ensuring that email transmission always uses TLS encryption.
- Protects Against MITM Attacks: By enforcing certificate validation, MTA-STS prevents man-in-the-middle attacks where attackers intercept email communications.
- Improves Email Security Posture: Implementing MTA-STS demonstrates a commitment to email security and builds trust with partners and customers.
- Complements DMARC: MTA-STS works alongside DMARC, SPF, and DKIM to create a comprehensive email authentication and security framework.
- Enhances Deliverability: Major email providers prioritize emails from domains with proper security configurations, improving inbox placement rates.
- Regulatory Compliance: Many industries require secure email communications to comply with data protection regulations like GDPR, HIPAA, and PCI-DSS.
How to Use This Tool
- Enter Domain Name: Type the domain name you want to check (e.g.,
gmail.com) into the "Domain Name" field. The tool accepts standard domain formats without protocols or paths. - Click Check MTA-STS Records: Hit the "Check MTA-STS Records" button. The tool will perform two queries: first, it checks for the DNS TXT record at
_mta-sts.yourdomain.com, and second, it attempts to fetch the policy file fromhttps://mta-sts.yourdomain.com/.well-known/mta-sts.txt. - Review DNS Record: The tool displays the DNS TXT record if found. This record should contain a version identifier like
v=STSv1; id=20231201where the ID represents your policy version. - Analyze Policy File: The policy file shows the enforcement mode (
enforce,testing, ornone), maximum age (how long the policy should be cached), and the list of authorized MX hosts that support TLS. - Address Issues: If any errors are detected, the tool provides specific feedback to help you troubleshoot configuration problems.
Other Related Important Sections
Understanding Policy Modes
Strictly requires TLS connections. Emails will fail if TLS cannot be established.
Reports policy violations but doesn't reject emails. Useful for testing configurations.
No enforcement. Policy exists but provides no security benefit.
Sample MTA-STS Policy File
version: STSv1 mode: enforce mx: mail.example.com max_age: 86400
This policy enforces TLS for mail.example.com and caches the policy for 24 hours (86400 seconds).
Common Implementation Issues
- Certificate Mismatch: Ensure your MX hosts have valid TLS certificates that match the hostnames in your policy.
- Policy File Accessibility: The policy file must be accessible via HTTPS at the exact URL
https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. - DNS Record Format: The DNS TXT record must follow the exact format
v=STSv1; id=YYYYMMDDHHMMSS. - Max Age Setting: Use a reasonable max_age value (86400 for testing, up to 31536000 for production).
- MX Host Matching: All MX records must be listed in the policy file, or use wildcards like
*.example.com.
This Tool is Totally Free
Our MTA-STS Record Checker is completely free to use with no registration required, no hidden fees, and unlimited checks. We're committed to helping you secure your email infrastructure and protect your communications.