Free MTA-STS Checker

Check your domain's MTA-STS policy and TLS enforcement in one click.

This MTA-STS checker looks up your domain's _mta-sts record and reads the published policy file to tell you whether inbound mail is protected with enforced TLS — shown alongside your SPF, DKIM, DMARC and mail-server setup for the full email-security picture.

MTA-STS (Mail Transfer Agent Strict Transport Security) tells other mail servers to require a valid, encrypted TLS connection when delivering to your domain, closing the door on downgrade and man-in-the-middle attacks that plain SMTP is vulnerable to. A policy in 'enforce' mode is the goal; 'testing' mode reports problems without blocking yet.

Agencies and MSPs: the paid plan continuously monitors MTA-STS and every other email-security record across all your clients' domains, and alerts you the moment something changes or breaks.

Frequently asked questions

What is MTA-STS?
MTA-STS is a standard that lets your domain require encrypted TLS for inbound email, preventing attackers from downgrading or intercepting messages in transit.
How do I set up MTA-STS?
Publish a TXT record at _mta-sts.yourdomain.com, host a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with mode: enforce, and add the matching MX hosts. Pair it with TLS-RPT to receive failure reports.
Is MTA-STS required?
It's not strictly required, but it meaningfully hardens inbound email security and is recommended for any domain that receives mail — especially alongside DMARC at enforcement.