Free MTA-STS Checker
Enter any domain below to check whether MTA-STS (Mail Transfer Agent Strict Transport Security) is configured. We verify the DNS TXT record and fetch the policy file to show the mode, authorised MX hosts, and max age.
New to MTA-STS? Read our MTA-STS and TLS-RPT Explained guide for a full explanation.
What Is MTA-STS?
MTA-STS (RFC 8461) is a mechanism that allows mail domains to declare that they support TLS for incoming SMTP connections, to publish which MX hosts are authorised to receive their mail, and to specify whether sending mail servers should refuse to deliver to MX hosts that do not offer TLS with a valid certificate. Without MTA-STS, STARTTLS is only opportunistic: an active attacker on the path can strip the STARTTLS offer and force plaintext, or answer an unsigned MX lookup with a host under their control, leaving email open to interception.
Why Should You Enable MTA-STS?
- Prevent Downgrade Attacks: In enforce mode, MTA-STS tells sending servers to require TLS with a valid certificate for your listed MX hosts, so an attacker cannot strip encryption during mail delivery or redirect it to an unauthorised host.
- Complement STARTTLS: STARTTLS alone is opportunistic and can be bypassed. MTA-STS makes TLS mandatory for every sending server that implements MTA-STS; senders that do not implement it continue to use opportunistic TLS as before.
- Visibility with TLS-RPT: Pair MTA-STS with TLS-RPT to receive reports when sending servers encounter TLS failures delivering to your domain.
- Industry Best Practice: Major providers like Google and Microsoft support MTA-STS. Enabling it signals your domain takes email security seriously.
How MTA-STS Works
MTA-STS has two components: a DNS TXT record at _mta-sts.yourdomain.com containing v=STSv1 and an id value, which signals support and, whenever the id changes, tells senders that the policy has been updated; and a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt that declares the mode (none, testing, or enforce), the authorised MX hostnames (exact names or single-label wildcards such as *.yourdomain.com), and the max_age in seconds for which senders should cache the policy. A sending server that implements MTA-STS fetches and caches the policy, and on each delivery checks that the MX host it resolved matches a listed pattern and presents a valid certificate for that name.
Need Automated Monitoring?
This free tool is great for one-off checks. If you need continuous monitoring of MTA-STS, TLS-RPT, DMARC, SPF, DKIM, SSL, and more across all your domains, join the early access list for up to 90 days free.
Want the full picture?
Our Security Grade checks MTA-STS alongside DMARC, SPF, DNSSEC, CAA, SSL, and domain registration in one scan.
Frequently Asked Questions
What is the difference between MTA-STS and STARTTLS?
STARTTLS is opportunistic: a sending server will attempt TLS but fall back to plaintext if the offer is missing or the handshake fails, and it typically does not verify the certificate. MTA-STS in enforce mode makes TLS mandatory by telling senders they must require a valid certificate for an authorised MX host and refuse to deliver over plaintext; in testing mode the sender still delivers but reports the failure.
Do I need a web server to host the MTA-STS policy?
Yes. The policy file must be served over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, with a certificate from a publicly trusted CA that is valid for the mta-sts.yourdomain.com hostname, and with a text/plain content type. Senders will not follow HTTP redirects (RFC 8461 forbids it), so a fetch that redirects or fails means they cannot apply your policy or pick up an updated one. Many providers (Cloudflare Workers, GitHub Pages, or your existing web host) can serve this file with minimal configuration.
Should I start with testing or enforce mode?
Start with mode: testing, which never blocks delivery, and pair it with TLS-RPT (a TXT record at _smtp._tls.yourdomain.com such as v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com) so that senders report any TLS or MX-matching failures they hit. Once the reports show no legitimate delivery issues, change the policy file to mode: enforce and change the id in the _mta-sts TXT record at the same time; senders that have cached the testing policy only refetch it when the id changes, so forgetting this leaves them enforcing nothing until max_age expires.
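The two components described under "How MTA-STS Works", and the difference between testing and enforce mode described in this answer, as an added example that is not part of the original page or of the checker's own code: a small Python parser for the _mta-sts TXT record and the policy file, followed by the MX-matching and delivery-decision logic a sending MTA applies under RFC 8461. The records it parses are constructed sample data for an imaginary example.com; no DNS or HTTPS lookups are made, and the tolerance of a missing mx list in mode none is this example's own choice.

```python
"""Added example (not the checker's code): parse and apply MTA-STS data per RFC 8461."""
import re
from dataclasses import dataclass, field

# Constructed sample records for an imaginary example.com; nothing is fetched.
SAMPLE_TXT = "v=STSv1; id=20240301T120000Z"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""
MAX_AGE_LIMIT = 31557600  # RFC 8461 s3.2: max_age must not exceed one year


@dataclass
class StsPolicy:
    mode: str
    mx: list = field(default_factory=list)
    max_age: int = 0


def parse_sts_txt(txt):
    """Return the id from a _mta-sts.<domain> TXT record, or None if invalid.

    Unknown fields are ignored, as the RFC requires of senders.
    """
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        return None
    sts_id = fields.get("id", "")
    # sts-id = 1*32(ALPHA / DIGIT); a new id tells senders to refetch the policy
    return sts_id if re.fullmatch(r"[A-Za-z0-9]{1,32}", sts_id) else None


def parse_policy(text):
    """Parse the body of /.well-known/mta-sts.txt; None on a grammar violation."""
    mx, fields = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            return None
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            mx.append(value.lower().rstrip("."))
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        return None
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        return None
    if not fields.get("max_age", "").isdigit() or int(fields["max_age"]) > MAX_AGE_LIMIT:
        return None
    # This example tolerates a missing mx list only for mode none, which is
    # never applied to delivery; every other mode needs at least one pattern.
    if mode != "none" and not mx:
        return None
    return StsPolicy(mode=mode, mx=mx, max_age=int(fields["max_age"]))


def mx_matches(pattern, host):
    """RFC 8461 s4.1 match: exact (case-insensitive) or a leading wildcard
    label that covers exactly one leftmost label, so *.example.net matches
    mx1.example.net but neither example.net nor a.b.example.net."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]  # ".example.net"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return label != "" and "." not in label


def delivery_decision(policy, mx_host, tls_ok, cert_ok):
    """What a sending MTA does for one MX host: "deliver", "fail" (enforce mode
    refuses the host) or "deliver_and_report" (testing mode delivers anyway
    but reports the failure through TLS-RPT)."""
    if policy.mode == "none":
        return "deliver"
    if any(mx_matches(p, mx_host) for p in policy.mx) and tls_ok and cert_ok:
        return "deliver"
    return "fail" if policy.mode == "enforce" else "deliver_and_report"


def needs_refetch(cached_id, txt_record):
    """True when the TXT record carries a different id than the cached policy,
    which is how a domain signals that senders must fetch the new policy."""
    new_id = parse_sts_txt(txt_record)
    return new_id is not None and new_id != cached_id


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("policy id:", parse_sts_txt(SAMPLE_TXT), "mode:", policy.mode)
    for host, tls, cert in [("mail.example.com", True, True),
                            ("mx1.backup.example.net", True, False),
                            ("attacker.example.org", True, True)]:
        print(host, "->", delivery_decision(policy, host, tls, cert))
```

Swapping "enforce" for "testing" in the sample policy turns every "fail" into "deliver_and_report", which is exactly why testing mode is safe to start with; and needs_refetch is the check a cached sender runs against your TXT record, which is why the id must change when you move to enforce. A real sender additionally fetches the policy over HTTPS with certificate validation and honours max_age, which this block does not model.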
Does MTA-STS affect my Security Grade?
Yes. MTA-STS is a check in the Security Grade framework. Configuring MTA-STS is one of the requirements for reaching a strong Security Grade.