Guide

MTA-STS, explained — and how to set it up

MTA-STS forces other servers to deliver mail to you over an encrypted connection — closing the door on downgrade attacks.

Check your MTA-STS setup

What it is

MTA-STS (SMTP MTA Strict Transport Security) lets you require that mail sent to your domain is delivered over an encrypted TLS connection, and refused if TLS can't be negotiated. It has two parts: a small TXT record and an HTTPS-hosted policy file that lists your valid mail hosts and the enforcement mode.

Why it matters

By default, email between servers can fall back to plaintext, and an attacker on the network can strip encryption in a "downgrade attack" to read your mail. MTA-STS prevents that for inbound mail.

Pair it with TLS-RPT so providers report any delivery failures — your early warning that the policy or a certificate has a problem.

How to set it up

  1. 1Host a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt listing your MX hosts and a mode.
  2. 2Make sure the mta-sts subdomain has a valid HTTPS certificate — the policy is only trusted over TLS.
  3. 3Publish the _mta-sts.yourdomain.com TXT record with a unique id value.
  4. 4Start at mode: testing (reports only), confirm nothing breaks, then switch to mode: enforce.

Record structure & options

Two parts: a small TXT record that points to a policy, and an HTTPS-hosted policy file that lists your valid MX hosts and whether to enforce TLS on inbound mail.

Where it lives
_mta-sts.yourdomain.com (TXT) + a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
Example
TXT:  v=STSv1; id=20240101000000Z
Policy file:
version: STSv1
mode: enforce
mx: *.yourdomain.com
max_age: 604800
Options
id=
Version stamp in the TXT record — change it whenever you update the policy file.
mode:
In the policy file — none, testing (report only) or enforce (reject non-TLS delivery).
mx:
The mail hosts allowed to receive your mail (wildcards allowed).
max_age:
How long (seconds) receivers cache the policy — 604800 = 1 week is typical.

Requires a valid HTTPS certificate on the mta-sts subdomain. Pair with TLS-RPT to get reports on failures.

Common problems

My MTA-STS policy isn't being picked up.
The most common cause is a missing or invalid TLS certificate on the mta-sts subdomain, or the policy file not being reachable at exactly /.well-known/mta-sts.txt. Both must be served over HTTPS.
I updated my policy but nothing changed.
Receivers cache the policy for max_age seconds. Change the id value in the TXT record whenever you edit the policy file so caches refresh.
Should I start in enforce mode?
No — start in testing mode and use TLS-RPT reports to confirm every legitimate server can deliver over TLS, then switch to enforce.

Check it — then keep it healthy

Run a free scan now, or let DomainHealthPro monitor it continuously and alert you the moment it breaks.

More guides