Free MTA-STS Checker

Validate your MTA-STS (Mail Transfer Agent Strict Transport Security) policy to ensure SMTP connections are always encrypted and prevent downgrade attacks.

No signup

Instant check

100% free

What Is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security protocol that enforces TLS encryption for all SMTP connections to your domain. It prevents man-in-the-middle downgrade attacks that strip TLS, forcing sending mail servers to use encrypted channels or fail delivery.

Why It Matters

Without MTA-STS, an attacker can silently downgrade SMTP connections to plaintext, exposing email content. MTA-STS prevents this by requiring TLS for all inbound connections.

Common Mistakes

Publishing MTA-STS without a matching DNS TXT record, using mode=testing forever without progressing to enforce, and not updating the id when changing policy are common errors.

_mta-sts TXT

v=STSv1; id=20240101

HTTPS Policy

mode: enforce

MTA-STS_ENGINE_V2

ENFORCED

How It Works

Input Domain

Type your domain into the MTA-STS checker.

Check TXT Record

We verify the DNS TXT record at _mta-sts.yourdomain.

Fetch Policy

We retrieve the policy file from https://mta-sts.yourdomain/.well-known/mta-sts.txt.

Validate Policy

We check mode, max_age, and MX host list for correctness.

TXT Record Check

Verifies the DNS TXT record at _mta-sts is present and correctly formatted with v=STSv1 and a unique id for cache busting.

Policy File Retrieval

Fetches the MTA-STS policy file from the well-known URL over HTTPS. Validates the file is accessible and properly formatted.

Mode Detection

Checks whether the policy mode is enforce, testing, or none. Enforce is required for full protection against downgrade attacks.

MX Host Validation

Lists all authorized MX hosts in the policy file. Ensures only your legitimate mail servers are trusted for encrypted delivery.

Max Age Check

Validates the max_age value. Longer values reduce policy refresh frequency but delay updates. Shorter values increase agility.

TLS Requirement

Confirms the policy file is served over HTTPS. HTTP-only delivery is invalid per RFC 8461 and is flagged as a critical error.

Frequently Asked Questions

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security protocol that forces TLS encryption for all SMTP connections to your domain. It prevents man-in-the-middle downgrade attacks that strip encryption.

How does MTA-STS work?

You publish a DNS TXT record at _mta-sts.yourdomain and host a policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt. Sending mail servers fetch the policy and refuse to deliver without TLS if mode is enforce.

What is the difference between MTA-STS and DANE?

MTA-STS works at the application layer using a policy file over HTTPS. DANE works at the DNS layer using TLSA records with DNSSEC. Both enforce SMTP TLS but use different mechanisms. Ideally, use both.

Should I use mode=testing or mode=enforce?

Start with mode=testing to monitor delivery issues without rejecting mail. After confirming all MX hosts support TLS correctly, switch to mode=enforce for full protection.

What happens if my MX servers don't support TLS?

With mode=enforce, sending servers will refuse delivery to your domain if TLS cannot be negotiated. Ensure all MX hosts support TLS before enabling enforce mode.

Is this MTA-STS checker free?

Yes, this tool is 100% free with no signup required. For automated MTA-STS monitoring, policy drift detection, and MX TLS health tracking, upgrade to CyberFurl Pro.

Related Security Tools

DMARC Checker

Validate email policy

Need Continuous Email Security Monitoring?

Automate MTA-STS, DMARC, SPF, and DKIM checks. Get alerted when policies drift, expire, or break across all your email domains.

Start Free Trial View Pricing