What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that tells servers sending mail to your domain to use TLS when connecting to your mail server. Think of it as HSTS for email — it prevents downgrade attacks where an attacker forces a plaintext SMTP connection.
How MTA-STS Works
- Your domain publishes a policy at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
- Sending servers check this policy before delivering mail
- If the policy says mode: enforce, the sender MUST use TLS — if TLS fails, the delivery fails
MTA-STS Policy File
Host a file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
max_age: 604800
mx: mail.yourdomain.com
Mode Options
- mode: testing — Report failures but don't enforce TLS
- mode: enforce — Require TLS, reject on failure
- mode: none — Disable MTA-STS (used for opting out)
DNS Record
Add a TXT record at _mta-sts.yourdomain.com:
v=STSv1; id=20260425000000
The id must change whenever your policy file changes: sending servers cache the policy and only re-fetch it when they see a new id (or when max_age expires), so an unchanged id leaves them using the old policy.
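To see how a sender would read the policy file and TXT record from the two sections above, here is a small validator added for this article (not code from any MTA-STS implementation). It parses a constructed mta-sts.txt, checks the fields RFC 8461 requires, tests whether an MX hostname matches the mx entries (including the "*." wildcard form, which the article does not show), and parses the _mta-sts TXT record. The hostnames and id are constructed sample values.

```python
import re

# Constructed sample policy file and TXT record, not fetched from any real domain.
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmax_age: 604800\nmx: mail.yourdomain.com\nmx: *.backup.yourdomain.com\n"
SAMPLE_TXT = "v=STSv1; id=20260425000000"

def parse_policy(text):
    # One "key: value" per line; mx may repeat, so it is collected as a list.
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        else:
            policy[key.strip()] = value.strip()
    return policy

def validate_policy(policy):
    # Returns a list of problems; an empty list means senders will accept the policy.
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > 31557600:
        problems.append("max_age must be an integer number of seconds, at most 31557600")
    if policy.get("mode") != "none" and not policy["mx"]:
        problems.append("at least one mx line is required unless mode is none")
    return problems

def mx_allowed(mx_host, policy):
    # Exact match, or a "*." pattern that matches exactly one extra label (RFC 8461).
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            prefix = host[: -len(pattern[1:])]
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False

def parse_txt(record):
    # The _mta-sts TXT record carries only v=STSv1 and a 1-32 character alphanumeric id.
    fields = dict(p.strip().split("=", 1) for p in record.split(";") if p.strip())
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("TXT record must look like 'v=STSv1; id=<alphanumeric id>'")
    return fields
```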
TLS Reporting (TLS-RPT)
Alongside MTA-STS, set up TLS reporting to get notified about TLS failures:
DNS TXT record at _smtp._tls.yourdomain.com:
v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com
Check Your MTA-STS Setup
Our free mailcheck tool checks MTA-STS and TLS-RPT along with SPF, DKIM, DMARC, and BIMI. Cloudflare scores 92/100 — see how your domain compares.