Product · MTA-STS & TLS-RPT

Encrypted transport, without workarounds.

Policy file hosting, TLS-RPT aggregation, failure reports made readable. Mailantis handles it, you monitor the result.

How it works

Host the policy, collect reports, switch to enforce

Host the policy file

We host the policy file at https://mta-sts.<domain> — you set a CNAME in DNS.

Activate TLS-RPT

Mailantis receives recipients' JSON reports and aggregates failure codes by sender, IP and cause.

Switch to enforce

As soon as reports show no real failures anymore, the wizard switches from testing to enforce.

Features

What two separate tools can't do

MTA-STS policy hosting on EU CDN, redundant
TLS-RPT aggregator (Mailantis email endpoint)
Failure report parser per RFC 8460
Mode tracking: none → testing → enforce wizard
id auto-update on every policy change
DANE recommendation as a complementary layer
Continuous monitoring + alerts on policy 404
Failure trend analysis over time

DNS & policy

One TXT record, one policy file

Two components work together

The DNS TXT record signals to recipients that a policy exists. The policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt defines the mode and allowed MX hosts.

The id value in the TXT record must be incremented on every policy change — Mailantis does this automatically.

Host: _mta-sts.example.com · Type: TXT
v=STSv1; id=20260508001

https://mta-sts.example.com/.well-known/mta-sts.txt
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.protection.outlook.com
max_age: 604800
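An added example (not Mailantis code and not part of the original page): a Python check of the policy shown above against a domain's MX hosts, run before switching to enforce. The host names in SAMPLE_MX are constructed; the wildcard rule follows RFC 8461, where "*." stands for exactly one left-most label, so a host two labels below the suffix is reported as uncovered.

```python
# Added example (not Mailantis code): check that every MX host is covered by
# the MTA-STS policy before enforce. SAMPLE_MX is constructed sample data.
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.protection.outlook.com
max_age: 604800
"""
SAMPLE_MX = ["mail.example.com", "mx1.protection.outlook.com",
             "tenant.mail.protection.outlook.com"]  # constructed host names


def parse_policy(text):
    """Parse mta-sts.txt lines; 'mx' may repeat, other keys keep the first value."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep or not value:
            raise ValueError(f"malformed line: {line!r}")
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key not in policy:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("none", "testing", "enforce"):
        raise ValueError("mode must be none, testing or enforce")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > 31557600:  # RFC 8461 maximum
        raise ValueError("max_age must be an integer up to 31557600")
    return policy


def mx_allowed(host, patterns):
    """'*.' patterns match exactly one left-most label, never the bare suffix."""
    host = host.lower().rstrip(".")
    parent = host.partition(".")[2]  # host without its left-most label
    return any(host == p or (p[:2] == "*." and parent and parent == p[2:])
               for p in patterns)


def uncovered_mx(policy, mx_hosts):
    """MX hosts that a sender honouring this policy would refuse to use."""
    return [h for h in mx_hosts if not mx_allowed(h, policy["mx"])]


if __name__ == "__main__":
    print(uncovered_mx(parse_policy(POLICY_TEXT), SAMPLE_MX))
```

An empty result means every MX host is covered by an mx line; any host it returns needs its own mx entry before the mode moves from testing to enforce.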

Pricing

MTA-STS hosting from Pro

Enterprise & Partner

on request

Multi-tenancy (MSP), white-label, SSO, custom SLA, on-premise. Consolidated invoice across sub-orgs.


FAQ

Common questions about MTA-STS & TLS-RPT

Testing vs enforce — what's the difference?

In testing mode, a recipient reports TLS errors only via TLS-RPT but still delivers the mail. In enforce mode, mail is completely rejected on TLS error. Best practice: run testing for weeks, then switch to enforce.

What happens if the policy file goes offline?

In enforce mode with a valid max_age, recipients cache the policy locally — short outages are not a problem. Longer outages cause delivery failures. Mailantis hosts redundantly on an EU CDN.

MTA-STS and DANE — are both needed?

Complementary. DANE requires DNSSEC-signed DNS (rare in the DACH region), MTA-STS works without DNSSEC. We recommend MTA-STS as the foundation and DANE as an optional layer on top.

Who hosts the policy file?

Mailantis hosts it under https://mta-sts.<your-domain>.com/.well-known/mta-sts.txt. You set a CNAME in DNS; we take care of the TLS certificate, availability, and updates.

What are TLS-RPT failure reports?

Receiving servers send daily JSON reports with TLS issues encountered — aborted handshakes, cert mismatches, downgrade attempts. Mailantis aggregates them into readable overviews.

Enforce encrypted transport now.

Policy hosting in 5 minutes, enforce in 4 weeks.