Tool

MTA-STS check

Checks your _mta-sts DNS record AND the policy file at mta-sts.<domain> in a single run.

Permalink: ?domain=… works too.

What is MTA-STS?

MTA-STS (SMTP Mail Transfer Agent Strict Transport Security) enforces encrypted SMTP connections between mail servers. Without MTA-STS, SMTP often negotiates TLS already (opportunistic TLS), but it can easily be downgraded to plaintext by a man-in-the-middle attack — the session then quietly falls back to plaintext. MTA-STS closes exactly that gap.

The setup consists of two parts. First, a TXT record at _mta-sts.<domain> carrying the id of the current policy. Second, the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt with its mandatory fields: version, mode (none, testing, enforce), the mx list and max_age.

Sending servers cache the policy file for max_age seconds and then strictly enforce TLS. In testing mode, violations are only reported via TLS-RPT; in enforce mode, the mail is not delivered if TLS isn't possible. The step from testing to enforce is the key decision.

Dive deeper → Setting up MTA-STS

Common MTA-STS mistakes

  1. DNS record present, but policy file 404

    The TXT record promises a policy that doesn't exist at the expected URL. Sending servers interpret this as a misconfiguration and fall back to opportunistic TLS.

  2. Mode stuck on testing for months — never moved to enforce

    Testing only reports via TLS-RPT but doesn't enforce anything. Anyone who never switches the policy to enforce has effort without effect.

  3. Policy file not reachable via HTTPS

    The spec requires https://mta-sts.…, a valid certificate, no self-signed cert. With HTTP-only or cert errors, receivers ignore the policy.

  4. mx list in policy doesn't match DNS

    The MX hosts listed in the policy file must match the actual MX records. Discrepancy → sending servers reject, mail gets stuck.

  5. max_age too low (< 86400)

    RFC 8461 recommends at least 86400 (1 day), preferably 604800 (1 week). Low values force receivers to constantly re-fetch, with little security gain.

  6. id value in DNS not updated

    After a policy change, the id in the TXT record must be updated, otherwise receivers keep using their cached version — the fix doesn't take effect.

Fix issues — in 4 steps

Host the policy file

Place a plain-text file at https://mta-sts.<domain>/.well-known/mta-sts.txt. Minimum content: version, mode, mx list, max_age.

version: STSv1
mode: testing
mx: mx1.example.com
mx: mx2.example.com
max_age: 604800

Set DNS TXT with current id

Publish a TXT record at _mta-sts.<domain> with the id of the policy. Format: yyyymmdd + suffix. The id must be updated on every policy change.

_mta-sts IN TXT "v=STSv1; id=20240601000000Z"

Mode testing → monitor with TLS-RPT

Set up TLS-RPT in parallel (_smtp._tls.<domain>). After 2–4 weeks without failure reports, the mode can switch to enforce.

If no failures: enforce

Set the policy file to mode: enforce and update the id. From now on, sending servers block on TLS failures — mail only gets through over encrypted connections.
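As an added example (not part of this page or its SelfCheck tool), a small Python checker that parses the TXT record and policy file from the four steps above and reports the common mistakes listed earlier: a malformed record, a policy still in testing, a max_age below 86400 and DNS MX hosts missing from the mx list. All inputs are constructed sample values; a real checker would fetch them via DNS and HTTPS.

```python
import re

# Constructed sample inputs (assumed, not from the page's tool): the _mta-sts TXT
# value, the policy file body and the MX hosts actually published in DNS.
SAMPLE_TXT = "v=STSv1; id=20240601000000Z"
SAMPLE_POLICY = ("version: STSv1\nmode: testing\nmx: mx1.example.com\n"
                 "mx: mx2.example.com\nmax_age: 3600\n")
SAMPLE_DNS_MX = ["mx1.example.com", "mx3.example.com"]

def parse_txt_record(value):
    # 'v=STSv1; id=<1-32 alphanumerics>' -> dict, or {} when the record is unusable
    parts = (p.split("=", 1) for p in value.split(";") if "=" in p)
    fields = {k.strip(): v.strip() for k, v in parts}
    valid = fields.get("v") == "STSv1" and re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", ""))
    return fields if valid else {}

def parse_policy(text):
    # line-based 'key: value' file; 'mx' may repeat, so it is collected into a list
    pairs = [tuple(s.strip() for s in ln.split(":", 1)) for ln in text.splitlines() if ":" in ln]
    policy = {k: v for k, v in pairs if k != "mx"}
    policy["mx"] = [v.lower() for k, v in pairs if k == "mx"]
    return policy

def mx_covered(host, patterns):
    # a DNS MX host is covered by an exact entry or by '*.domain' (one label only)
    host = host.lower().rstrip(".")
    return any(host == p or (p.startswith("*.") and host.endswith(p[1:])
                             and host.count(".") == p.count(".")) for p in patterns)

def check(txt_value, policy_text, dns_mx):
    # findings that map onto the common mistakes listed above
    findings = []
    if not parse_txt_record(txt_value):
        findings.append("txt: _mta-sts record missing or malformed")
    p = parse_policy(policy_text)
    for key in ("version", "mode", "max_age"):
        if key not in p:
            findings.append(f"policy: mandatory field '{key}' missing")
    if "mode" in p and p["mode"] not in ("none", "testing", "enforce"):
        findings.append("policy: mode must be none, testing or enforce")
    if p.get("mode") == "testing":
        findings.append("policy: mode testing only reports; switch to enforce once TLS-RPT is clean")
    if "max_age" in p and (not p["max_age"].isdigit() or int(p["max_age"]) < 86400):
        findings.append("policy: max_age below 86400 (RFC 8461: at least 1 day)")
    for host in dns_mx:
        if not mx_covered(host, p["mx"]):
            findings.append(f"mx: DNS MX {host} is not listed in the policy")
    return findings
```

Run against the samples it reports three findings: the testing mode, the low max_age and the unlisted mx3.example.com host.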

Want to check all 8 standards?

The full SelfCheck additionally tests SPF/DKIM/DMARC, BIMI, MTA-STS, TLS-RPT, DNSSEC and MX in a single run.

Start full SelfCheck →

Frequently asked questions about MTA-STS

What is the difference between testing and enforce?
Testing lets mail through even when TLS fails and reports it via TLS-RPT. Enforce hard-blocks non-TLS connections — mail then doesn't get delivered if the policy file doesn't match.
What happens if the policy file goes offline?
Receivers use the last cached policy until max_age expires. Only then is mail delivered unencrypted again. Still, an outage is a risk — host the policy file with high availability.
Do I need MTA-STS and DANE?
MTA-STS is HTTPS-based and simpler; DANE requires DNSSEC. In the DACH region MTA-STS is enough as an entry point, both in parallel is best practice for maximum coverage.
How do I host the policy file?
Make it available on a web server at https://mta-sts.<domain>/.well-known/mta-sts.txt. Plain text, same TLS requirements as any HTTPS page.