Guide
MTA-STS, explained — and how to set it up
MTA-STS forces other servers to deliver mail to you over an encrypted connection — closing the door on downgrade attacks.
Check your MTA-STS setup →What it is
MTA-STS (SMTP MTA Strict Transport Security) lets you require that mail sent to your domain is delivered over an encrypted TLS connection, and refused if TLS can't be negotiated. It has two parts: a small TXT record and an HTTPS-hosted policy file that lists your valid mail hosts and the enforcement mode.
Why it matters
By default, email between servers can fall back to plaintext, and an attacker on the network can strip encryption in a "downgrade attack" to read your mail. MTA-STS prevents that for inbound mail.
Pair it with TLS-RPT so providers report any delivery failures — your early warning that the policy or a certificate has a problem.
How to set it up
- 1Host a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt listing your MX hosts and a mode.
- 2Make sure the mta-sts subdomain has a valid HTTPS certificate — the policy is only trusted over TLS.
- 3Publish the _mta-sts.yourdomain.com TXT record with a unique id value.
- 4Start at mode: testing (reports only), confirm nothing breaks, then switch to mode: enforce.
Record structure & options
Two parts: a small TXT record that points to a policy, and an HTTPS-hosted policy file that lists your valid MX hosts and whether to enforce TLS on inbound mail.
TXT: v=STSv1; id=20240101000000Z Policy file: version: STSv1 mode: enforce mx: *.yourdomain.com max_age: 604800
- id=
- Version stamp in the TXT record — change it whenever you update the policy file.
- mode:
- In the policy file — none, testing (report only) or enforce (reject non-TLS delivery).
- mx:
- The mail hosts allowed to receive your mail (wildcards allowed).
- max_age:
- How long (seconds) receivers cache the policy — 604800 = 1 week is typical.
Requires a valid HTTPS certificate on the mta-sts subdomain. Pair with TLS-RPT to get reports on failures.
Common problems
- My MTA-STS policy isn't being picked up.
- The most common cause is a missing or invalid TLS certificate on the mta-sts subdomain, or the policy file not being reachable at exactly /.well-known/mta-sts.txt. Both must be served over HTTPS.
- I updated my policy but nothing changed.
- Receivers cache the policy for max_age seconds. Change the id value in the TXT record whenever you edit the policy file so caches refresh.
- Should I start in enforce mode?
- No — start in testing mode and use TLS-RPT reports to confirm every legitimate server can deliver over TLS, then switch to enforce.
Check it — then keep it healthy
Run a free scan now, or let DomainHealthPro monitor it continuously and alert you the moment it breaks.