MTA-STS Validator

Check a domain's MTA-STS DNS record and hosted policy file.


Validating Your MTA-STS Policy

MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) protects mail sent to your domain from downgrade and man-in-the-middle attacks. It tells sending servers that connections to your MX hosts must use TLS with a certificate that validates for the MX hostname and, in enforce mode, that delivery must be refused when that is not possible. A working deployment needs two components that agree with each other:

  • A DNS record: a TXT record at `_mta-sts.yourdomain.com` of the form `v=STSv1; id=...` signals that a policy exists. The `id` value must change every time the policy file changes, because senders use it to decide whether their cached copy is stale.
  • A policy file: a plain-text file served over HTTPS at `https://mta-sts.yourdomain.com/.well-known/mta-sts.txt`, with a certificate valid for `mta-sts.yourdomain.com`, that defines the mode, the allowed MX host patterns and the cache lifetime (`max_age`).

Our validator checks both components: that the record is present and well-formed, that the policy file is publicly reachable over HTTPS with a valid certificate, and that its contents parse correctly. Together these confirm that a sending mail server can retrieve and apply your policy.

MTA-STS Validator FAQs

What are the common errors in an MTA-STS policy file?

Common errors in an mta-sts.txt file include a wrong version line (it must be exactly `version: STSv1`), an invalid or missing mode (exactly one of `enforce`, `testing` or `none`), malformed `mx` patterns (each must be a hostname such as `mail.example.com` or a wildcard such as `*.example.com`, where `*` matches exactly one leftmost label), a missing `max_age`, or a `max_age` that is not an integer number of seconds (the RFC caps it at 31557600, one year). A very low `max_age` is not a syntax error, but it makes senders discard and re-fetch the policy so often that the protection is weak. The file must also be served with a `text/plain` Content-Type, and senders do not follow HTTP redirects when fetching it, so the file has to be at the `.well-known` path directly.
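The checks above, written out as a small offline validator. This is an added example, not the tool's own code: the DNS record and policy body are constructed samples embedded inline (a real validator fetches them via DNS and HTTPS), and the `LOW_MAX_AGE` threshold for the "too low" warning is an assumed value, not one the RFC defines. The `mx_matches` function also shows the wildcard rule a sending server applies when it compares an MX hostname against the policy's patterns.

```python
import re

# Constructed sample inputs, embedded so the example runs offline.
SAMPLE_TXT_RECORD = "v=STSv1; id=20240101T000000Z"
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.backup.example.com\n"
    "max_age: 604800\n"
)

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600   # one year in seconds; the RFC 8461 upper bound
LOW_MAX_AGE = 86400        # assumed threshold for a "too low" warning (not an RFC value)
# hostname or a single-label wildcard, e.g. mail.example.com or *.example.com
MX_PATTERN = re.compile(
    r"^(\*\.)?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)


def check_dns_record(txt):
    """Validate the _mta-sts TXT record text. Returns a list of problems (empty = ok)."""
    problems, fields = [], {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for part in parts:
        if "=" not in part:
            problems.append(f"malformed field {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        fields[key] = value
    # v=STSv1 must be the first field
    if not parts or parts[0].split("=", 1)[0].strip() != "v" or fields.get("v") != "STSv1":
        problems.append("record must begin with v=STSv1")
    # id is 1-32 alphanumeric characters and must change on every policy update
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        problems.append("id must be 1-32 alphanumeric characters")
    return problems


def check_policy(body, content_type="text/plain"):
    """Validate an mta-sts.txt body and the Content-Type it was served with."""
    problems, values = [], {}
    for line in body.splitlines():
        if not line.strip():
            continue
        if ":" not in line:
            problems.append(f"line without key/value separator: {line!r}")
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        values.setdefault(key, []).append(value)
    if content_type.split(";")[0].strip().lower() != "text/plain":
        problems.append(f"Content-Type must be text/plain, got {content_type!r}")
    if values.get("version") != ["STSv1"]:
        problems.append("version must be STSv1, given exactly once")
    modes = values.get("mode", [])
    mode = modes[0] if modes else None
    if len(modes) != 1 or mode not in VALID_MODES:
        problems.append("mode must be exactly one of enforce, testing, none")
    max_age = values.get("max_age", [""])[0]
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        problems.append(f"max_age must be an integer of at most {MAX_AGE_LIMIT} seconds")
    elif int(max_age) < LOW_MAX_AGE:
        problems.append(f"max_age {max_age}s is below the assumed {LOW_MAX_AGE}s minimum")
    mxs = values.get("mx", [])
    if not mxs and mode != "none":
        problems.append("at least one mx pattern is needed unless mode is none")
    for pattern in mxs:
        if not MX_PATTERN.match(pattern):
            problems.append(f"invalid mx pattern {pattern!r}")
    return problems


def mx_matches(hostname, pattern):
    """Sender-side matching: a leading '*.' matches exactly one leftmost label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return hostname == pattern


def mx_covered(hostname, policy_body):
    """True if an MX hostname matches any mx pattern in the policy body."""
    patterns = [l.split(":", 1)[1].strip() for l in policy_body.splitlines()
                if ":" in l and l.split(":", 1)[0].strip() == "mx"]
    return any(mx_matches(hostname, p) for p in patterns)


if __name__ == "__main__":
    print("DNS record problems:", check_dns_record(SAMPLE_TXT_RECORD) or "none")
    print("policy problems:", check_policy(SAMPLE_POLICY) or "none")
    # A deliberately broken variant: bad mode, tiny max_age, wrong Content-Type.
    broken = SAMPLE_POLICY.replace("mode: enforce", "mode: strict").replace("604800", "60")
    for p in check_policy(broken, content_type="text/html"):
        print("broken policy:", p)
    for host in ("mail.example.com", "mx1.backup.example.com", "a.b.backup.example.com"):
        print(host, "covered" if mx_covered(host, SAMPLE_POLICY) else "NOT covered")
```

The wildcard check is the part deployments most often get wrong: `*.backup.example.com` covers `mx1.backup.example.com` but neither `backup.example.com` itself nor `a.b.backup.example.com`, so every hostname that actually appears in your MX records must be listed or matched by a pattern before you switch to enforce mode.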

What does it mean if my MTA-STS DNS record is not found?

If the `_mta-sts` TXT record is not found, sending servers have no way of knowing that you have an MTA-STS policy and will not even attempt to fetch the policy file. The record is the starting point: it signals that a policy exists and, through its `id` value, tells senders when a cached policy needs to be refreshed. Without it, a correctly hosted policy file is never used.

How do I test my MTA-STS policy without breaking email?

To test your MTA-STS policy safely, set `mode: testing` in your policy file. In this mode sending servers still evaluate the policy, but they deliver mail even when the TLS or MX checks would fail, and they report those failures to you through TLS-RPT. Note that TLS-RPT is a separate mechanism: reports only arrive if you also publish a `_smtp._tls.yourdomain.com` TXT record (`v=TLSRPTv1; rua=...`) pointing at an address you monitor. Use a short `max_age` while testing so that mistakes expire quickly, and only move to `mode: enforce` (with a longer `max_age`) once the reports show no failures.