MTA-STS & TLS-RPT Checker
Enter a domain to validate its MTA-STS policy and TLS-RPT record. We read the _mta-sts TXT record, fetch and parse the published policy, report the enforcement mode and MX coverage, and check that TLS-RPT names a valid reporting address.
What is MTA-STS?
MTA-STS (SMTP MTA Strict Transport Security, RFC 8461) lets a domain tell sending mail servers that messages must be delivered over TLS with a valid certificate. Plain SMTP negotiates encryption opportunistically with STARTTLS, which an active attacker can strip to force delivery in clear text — MTA-STS closes that downgrade gap.
A domain advertises support with a _mta-sts.<domain> TXT record (for example v=STSv1; id=20240101000000) and publishes the actual policy over HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt. The policy lists the allowed MX hosts, the enforcement mode, and a max_age caching lifetime.
What is TLS-RPT?
TLS-RPT (SMTP TLS Reporting, RFC 8460) is a companion _smtp._tls.<domain> TXT record that names an address — the rua — where receiving servers send daily reports of TLS connection successes and failures. Without it, a broken policy or certificate can silently block mail and you would never find out.
TLS-RPT is independent of MTA-STS: it also surfaces problems with DANE/DNSSEC-based TLS. Publishing both gives you enforcement plus the visibility to operate it safely.
How this checker works
We look up the _mta-sts TXT record and validate its syntax, then fetch the policy file over HTTPS and parse version, mode, every mx line, and max_age. We report whether the mode is enforce, testing, or none, and flag a missing MX list, a missing or very low max_age, and a policy that cannot be fetched. Separately we read _smtp._tls and confirm it declares a valid rua reporting address.
All lookups are live and read-only; we never change your DNS or contact your mail servers.
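The checks described above, as an added offline example (not the checker's own code): the live DNS and HTTPS lookups are replaced by constructed sample strings for the _mta-sts TXT record, the policy file, the _smtp._tls TXT record and the domain's MX hosts. MX coverage uses the RFC 8461 wildcard rule (a "*." pattern covers exactly one extra label); the 86400-second threshold for "very low" max_age is this example's own assumption, not a value the page states.

```python
# Added example: offline version of the MTA-STS / TLS-RPT checks. Live DNS and
# HTTPS lookups are replaced by constructed strings so it runs anywhere.
import re

# Constructed sample inputs (not real records). A real policy file uses CRLF
# line endings; splitlines() accepts both.
SAMPLE_STS_TXT = "v=STSv1; id=20240101000000"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.backup.example.com
max_age: 604800
"""
SAMPLE_TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"
# Hosts from the domain's MX records; the last one is deliberately not in the policy.
SAMPLE_MX_HOSTS = ["mail1.example.com", "mx2.backup.example.com", "legacy.example.net"]

LOW_MAX_AGE = 86400      # assumption: anything under one day counts as "very low"
MAX_MAX_AGE = 31557600   # one year, the upper bound quoted in the FAQ


def parse_tags(txt):
    """Split a 'k=v; k=v' TXT value into a dict; shared by both record types."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def check_sts_txt(txt):
    """Problems with the _mta-sts.<domain> TXT record (empty list = OK)."""
    tags, problems = parse_tags(txt), []
    if tags.get("v") != "STSv1":
        problems.append("v must be STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", tags.get("id", "")):
        problems.append("id must be 1-32 letters/digits")
    return problems


def parse_policy(text):
    """Parse the mta-sts.txt body into {'version', 'mode', 'max_age', 'mx': [...]}."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)   # mx may repeat; every other key is single
        else:
            policy[key] = value
    return policy


def mx_matches(pattern, host):
    """RFC 8461 matching: '*.example.com' covers exactly one extra label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def check_policy(policy, mx_hosts):
    """Return (mode, problems) for a parsed policy checked against the real MX hosts."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append(f"mode must be enforce, testing or none, got {mode!r}")
    if not policy["mx"]:
        problems.append("policy lists no mx hosts")
    uncovered = [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]
    if uncovered:
        problems.append("MX hosts not covered by policy: " + ", ".join(uncovered))
    max_age = policy.get("max_age", "")
    if not max_age.isdigit():
        problems.append("max_age missing or not an integer")
    elif int(max_age) < LOW_MAX_AGE:
        problems.append(f"max_age {max_age} is very low; senders forget the policy quickly")
    elif int(max_age) > MAX_MAX_AGE:
        problems.append(f"max_age {max_age} exceeds the one-year maximum")
    return mode, problems


def check_tlsrpt_txt(txt):
    """Problems with the _smtp._tls.<domain> TXT record; rua must be mailto: or https:."""
    tags, problems = parse_tags(txt), []
    if tags.get("v") != "TLSRPTv1":
        problems.append("v must be TLSRPTv1")
    rua = tags.get("rua", "")
    if not rua:
        problems.append("rua is missing")
    for uri in filter(None, (u.strip() for u in rua.split(","))):
        if uri.startswith("mailto:"):
            if not re.fullmatch(r"[^@\s,]+@[^@\s,]+\.[^@\s,]+", uri[len("mailto:"):]):
                problems.append(f"rua mailto address is malformed: {uri!r}")
        elif not uri.startswith("https://"):
            problems.append(f"rua must use mailto: or https:, got {uri!r}")
    return problems


def run_checks(sts_txt, policy_text, tlsrpt_txt, mx_hosts):
    """Combine the three checks into one report, as the checker page describes."""
    mode, policy_problems = check_policy(parse_policy(policy_text), mx_hosts)
    return {"mode": mode, "sts_txt_problems": check_sts_txt(sts_txt),
            "policy_problems": policy_problems,
            "tlsrpt_problems": check_tlsrpt_txt(tlsrpt_txt)}


if __name__ == "__main__":
    for k, v in run_checks(SAMPLE_STS_TXT, SAMPLE_POLICY, SAMPLE_TLSRPT_TXT, SAMPLE_MX_HOSTS).items():
        print(f"{k}: {v}")
```

Run as a script it prints the report for the constructed inputs; the one finding is the MX host legacy.example.net, which the policy does not cover and which an enforce-mode sender would refuse to deliver to. To turn this into a live checker you would feed `run_checks` the TXT strings from a DNS resolver and the body of an HTTPS GET of the policy URL, failing the policy check outright if that fetch does not return 200 over a valid certificate.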
Frequently asked questions
- What is the difference between mode: enforce, testing, and none?
enforce tells senders to refuse delivery if TLS or the certificate/MX check fails — full protection. testing asks senders to deliver anyway but send TLS-RPT reports about failures, which is the safe way to roll out. none effectively withdraws the policy. Start in testing, watch the reports, then move to enforce.
- Do I still need MTA-STS if I already have SPF, DKIM, and DMARC?
Yes — they protect different things. SPF, DKIM, and DMARC authenticate who sent a message and stop spoofing. MTA-STS protects the transport: it stops an attacker from downgrading the connection and reading or tampering with mail in transit.
- What max_age should I use?
max_age is how long (in seconds) senders cache your policy. A longer value is safer against downgrade attacks because an attacker cannot easily make senders forget the policy; the spec allows up to 31557600 (one year). Many operators run 604800 (one week) or more once the policy is stable. A very low value weakens the protection.
- Why does the checker say the policy could not be fetched?
The _mta-sts TXT record only advertises that a policy exists — the policy itself must be served over HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt with a valid certificate. A missing host, a bad certificate, or a redirect will make the fetch fail, and senders will treat the policy as absent.
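The two FAQ answers about modes and max_age describe sender-side behaviour. The following added example (not part of this page or the checker) models a minimal sending MTA's policy cache following the RFC 8461 rules: a cached policy keeps applying until max_age expires even when the TXT lookup or HTTPS fetch is unavailable, a changed id triggers a refetch, and each mode maps to a delivery decision. The policy ids, modes and the outage scenario are constructed.

```python
# Added example (not the checker's code): a minimal sender-side MTA-STS cache
# showing what max_age buys and how enforce/testing/none change delivery.
from dataclasses import dataclass

DAY = 86400


@dataclass
class CachedPolicy:
    policy_id: str
    mode: str
    max_age: int
    fetched_at: int  # unix time when the policy was fetched over HTTPS

    def valid_at(self, now):
        return now < self.fetched_at + self.max_age


def refresh(cache, now, txt_id, fetch_policy):
    """One sender-side policy refresh, following the RFC 8461 caching rules.

    txt_id: the id from a fresh _mta-sts TXT lookup, or None if the lookup
            failed or returned nothing (for example, DNS blocked on path).
    fetch_policy: callable returning (id, mode, max_age) from HTTPS, or None
            if the fetch failed.
    Returns (cache, mode_to_apply). A cached, unexpired policy keeps applying
    even when DNS or HTTPS are unavailable; that is the max_age guarantee.
    """
    if txt_id is not None and (cache is None or cache.policy_id != txt_id):
        fresh = fetch_policy()          # new or changed id: fetch the policy
        if fresh is not None:           # failed fetch: keep the old cache
            policy_id, mode, max_age = fresh
            cache = CachedPolicy(policy_id, mode, max_age, now)
    if cache is not None and cache.valid_at(now):
        return cache, cache.mode
    return None, "none"  # nothing usable: back to opportunistic STARTTLS


def delivery_decision(mode, tls_ok, cert_ok, mx_matched):
    """What a sender does with a message under each policy mode."""
    failed = not (tls_ok and cert_ok and mx_matched)
    if mode == "enforce" and failed:
        return "refuse"               # full protection: no downgrade possible
    if mode == "testing" and failed:
        return "deliver-and-report"   # delivered, but a TLS-RPT report goes out
    return "deliver"


def simulate_outage(max_age, outage_day):
    """Day 0: policy fetched. On outage_day DNS is unreachable; which mode applies?"""
    # Constructed policy: id 'A', enforce mode, the given max_age.
    cache, mode = refresh(None, 0, "A", lambda: ("A", "enforce", max_age))
    if mode != "enforce":
        raise RuntimeError("initial fetch should yield an enforce policy")
    # The TXT lookup fails (txt_id=None), so fetch_policy is never called.
    _, mode = refresh(cache, outage_day * DAY, None, lambda: None)
    return mode


if __name__ == "__main__":
    for max_age, day in ((604800, 3), (604800, 8), (3600, 1)):
        print(f"max_age={max_age}s, DNS down on day {day}: mode {simulate_outage(max_age, day)}")
```

With a one-week max_age the cached enforce policy still protects delivery three days into a lookup outage; with a one-hour max_age it is gone after the first day and the sender falls back to opportunistic STARTTLS, which is exactly the weakening the FAQ warns about.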
Want better inbox placement?
JaxSuite helps you fix authentication, warm up your domains, and land in the inbox.