
MTA-STS Policy Generator

Create the content for your `mta-sts.txt` policy file. This file must be hosted at `https://mta-sts.yourdomain.com/.well-known/mta-sts.txt`.


What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a security standard designed to protect your inbound email from interception. It requires that other mail servers sending email to your domain do so over a connection encrypted with secure TLS.

This prevents man-in-the-middle and downgrade attacks, where an attacker could otherwise force an unencrypted connection to read your sensitive email traffic. Paired with DMARC, MTA-STS provides an essential layer of security for modern email communication.

MTA-STS Generator FAQs

How does MTA-STS work with DMARC?

MTA-STS and DMARC are complementary technologies that solve different problems. DMARC authenticates the *sender* of an email to prevent spoofing. MTA-STS secures the *connection* the email travels over to prevent eavesdropping. Using both provides a robust, multi-layered email security posture.

What does 'testing' mode do for MTA-STS?

The 'testing' mode allows you to publish an MTA-STS policy and receive TLS-RPT reports about connection failures without actually enforcing TLS encryption. This lets you identify any potential issues with your mail servers' TLS configurations before moving to 'enforce' mode, which would block insecure connections.
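
The policy file described above, and a check you can run before moving from 'testing' to 'enforce', as an added example that is not the generator's own code. The function names are hypothetical, the example.com hosts are constructed sample values, and the field names and limits follow RFC 8461.

```python
# Added example, not this tool's code; function names are hypothetical.
import re

MODES = ("enforce", "testing", "none")
MAX_AGE_LIMIT = 31557600  # upper bound for max_age in RFC 8461, in seconds
# Simplified hostname check; an optional leading "*." is the only wildcard form.
MX_RE = re.compile(r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)


def build_policy(mode, mx_patterns, max_age):
    """Return mta-sts.txt content, or raise ValueError on invalid input."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError("max_age must be between 0 and 31557600 seconds")
    if mode != "none" and not mx_patterns:
        raise ValueError("at least one mx pattern is required")
    for mx in mx_patterns:
        if not MX_RE.match(mx):
            raise ValueError(f"invalid mx pattern: {mx!r}")
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {mx}" for mx in mx_patterns]
    lines.append(f"max_age: {max_age}")
    return "\r\n".join(lines) + "\r\n"


def parse_policy(text):
    """Parse policy text into a dict; repeated mx lines are collected in a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # skip blank or malformed lines
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        else:
            policy.setdefault(key.strip(), value.strip())  # first occurrence wins
    if policy.get("version") != "STSv1" or policy.get("mode") not in MODES:
        raise ValueError("missing or unsupported version/mode")
    policy["max_age"] = int(policy.get("max_age", ""))  # ValueError if absent
    return policy


def mx_allowed(policy, mx_host):
    """True if mx_host matches a policy mx pattern ("*." covers exactly one label)."""
    host = mx_host.rstrip(".").lower()
    parent = host.split(".", 1)[1:]  # [] when host has a single label
    return any(parent == [p[2:]] if p.startswith("*.") else host == p for p in policy["mx"])
```

Run `mx_allowed` against every host in your domain's MX records while the policy is still in 'testing' mode; a host that returns False would be rejected by compliant senders once the mode is 'enforce'.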