MTA-STS Generator
Generate MTA-STS DNS records and policy files to enforce TLS encryption for incoming email to your domain.
The domain you want to configure MTA-STS for
In testing mode, senders that support MTA-STS check your policy and report TLS or MX failures via TLS-RPT, but still deliver mail even when a check fails. Use this to monitor before enforcing.
Enter the hostnames of the mail servers (your MX records) that are allowed to receive email for your domain. A wildcard (e.g., *.mail.protection.outlook.com) matches exactly one leading label, so it covers example-com.mail.protection.outlook.com but not a.b.mail.protection.outlook.com. Each listed host must present a certificate that is valid for its own hostname and issued by a publicly trusted CA.
How long, in seconds, senders should cache your policy. Default: 604800 (1 week). Maximum: 31557600 (1 year). Keep it short while you are still testing: senders keep the cached policy if a later fetch fails, so a long max_age on a wrong enforce policy is hard to undo.
1. Add the DNS TXT Record
Log into your DNS provider and add a TXT record for _mta-sts.yourdomain.com with the generated record above (v=STSv1; id=...) as its value. The id must change every time you change the policy file, because senders refetch the policy only when the cached id no longer matches. DNS propagation may take up to 48 hours.
2. Host the Policy File
Create a subdomain mta-sts.yourdomain.com and serve the policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The site MUST use HTTPS with a publicly trusted TLS certificate valid for that hostname, serve the file with Content-Type text/plain, and answer without redirecting: senders do not follow HTTP redirects, and a failed fetch means they either keep the policy they cached or, if they have none, deliver as if you had no policy.
3. Test Your Configuration
After setup, fetch https://mta-sts.yourdomain.com/.well-known/mta-sts.txt over HTTPS and confirm that the TXT record at _mta-sts.yourdomain.com resolves and carries the id you published. Also confirm that every MX host listed in the policy completes STARTTLS with a certificate that is valid for its hostname and trusted by a public CA, since that is exactly what senders validate. Start with testing mode to monitor for issues before switching to enforce.
4. Monitor with TLS-RPT
Configure TLS-RPT (TLS Reporting) to receive reports about TLS connection failures. This helps you identify issues before they affect email delivery.
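The four steps above, as an added example that is not the generator's own code: it builds the _mta-sts TXT record, the policy file and the TLS-RPT record, and parses a fetched policy file the way a sending MTA would for the verification step. example.com, its MX hosts and the tlsrpt@ address are constructed placeholders.

```python
"""
Build the MTA-STS artifacts described above and sanity-check a policy file
the way a sending MTA would before trusting it. Added example, not the
generator's code; example.com, its MX hosts and tlsrpt@example.com are
constructed placeholders.
"""
import re
import time

MAX_AGE_DEFAULT = 604800    # one week, in seconds
MAX_AGE_LIMIT = 31557600    # one year, the largest value RFC 8461 allows
MODES = ("enforce", "testing", "none")

# One DNS label; an mx pattern may carry a single leading "*." label.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_MX_RE = re.compile(rf"^(?:\*\.)?{_LABEL}(?:\.{_LABEL})+$")


def normalize_mx(pattern):
    """Lower-case an mx entry and reject anything that is not host or *.host."""
    pattern = pattern.strip().lower().rstrip(".")
    if not _MX_RE.match(pattern):
        raise ValueError(f"invalid mx pattern: {pattern!r}")
    return pattern


def build_policy(mode, mx_patterns, max_age=MAX_AGE_DEFAULT):
    """Text to serve at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    if not mx_patterns:
        raise ValueError("at least one mx entry is required")
    if not 0 < max_age <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be between 1 and {MAX_AGE_LIMIT} seconds")
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {normalize_mx(p)}" for p in mx_patterns]
    lines.append(f"max_age: {max_age}")
    return "\n".join(lines) + "\n"


def build_sts_record(policy_id=None):
    """TXT value for _mta-sts.<domain>. Change the id whenever the policy file
    changes: senders only refetch when the id differs from the cached one."""
    policy_id = policy_id or time.strftime("%Y%m%d%H%M%S", time.gmtime())
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id):
        raise ValueError("id must be 1 to 32 alphanumeric characters")
    return f"v=STSv1; id={policy_id}"


def build_tlsrpt_record(report_address):
    """TXT value for _smtp._tls.<domain>; reports are mailed to report_address."""
    if "@" not in report_address:
        raise ValueError("report address must be an e-mail address")
    return f"v=TLSRPTv1; rua=mailto:{report_address}"


def dns_names(domain):
    """Where each artifact lives, so nothing gets published at the wrong label."""
    domain = domain.lower().rstrip(".")
    return {
        "sts_record": f"_mta-sts.{domain}",
        "policy_host": f"mta-sts.{domain}",
        "policy_url": f"https://mta-sts.{domain}/.well-known/mta-sts.txt",
        "tlsrpt_record": f"_smtp._tls.{domain}",
    }


def parse_policy(text):
    """Parse a fetched policy file; raise on anything a sender would reject.
    Unknown keys are extension fields and are ignored, as RFC 8461 requires."""
    fields, mx = {}, []
    for raw in text.splitlines():          # accepts LF and CRLF line endings
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(normalize_mx(value))
        elif key in ("version", "mode", "max_age"):
            if key in fields:
                raise ValueError(f"duplicate field: {key}")
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if fields.get("mode") not in MODES:
        raise ValueError("mode missing or invalid")
    if not mx:
        raise ValueError("policy lists no mx hosts")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("max_age missing or not a number")
    max_age = int(fields["max_age"])
    if not 0 < max_age <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    return {"version": "STSv1", "mode": fields["mode"], "mx": mx, "max_age": max_age}


if __name__ == "__main__":
    names = dns_names("example.com")
    policy = build_policy("testing", ["mx1.example.com", "*.mail.protection.outlook.com"])
    print(names["sts_record"], "TXT", build_sts_record("20240101000000"))
    print(names["policy_url"])
    print(policy)
    print(names["tlsrpt_record"], "TXT", build_tlsrpt_record("tlsrpt@example.com"))
    print(parse_policy(policy))
```

Run the parser against what you actually fetch from your policy URL, not against the file on disk: a redirect, a captive error page or a wrong Content-Type all show up as a parse failure, which is what senders see too.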
MTA-STS (Mail Transfer Agent Strict Transport Security) is a security standard that enables mail servers to declare their ability to receive TLS-secured connections and to specify whether sending servers should refuse to deliver to MX hosts that do not offer TLS.
What MTA-STS Protects Against
- Man-in-the-middle attacks on email delivery: an on-path attacker cannot impersonate your MX, because senders validate the server certificate against the MX names in your policy
- TLS downgrade attacks, in particular STARTTLS stripping, where an attacker removes the STARTTLS offer so the session silently falls back to cleartext
- DNS spoofing attacks targeting MX records, because the policy fixes which MX hostnames senders may deliver to
- Eavesdropping on email in transit
How MTA-STS Works
- Sender looks up the _mta-sts TXT record; if the id matches its cached policy it reuses that policy without fetching again
- Otherwise it fetches the policy from https://mta-sts.domain/.well-known/mta-sts.txt over HTTPS, validating the web certificate
- Validates each MX host returned by DNS against the policy's mx patterns and checks that the server's certificate is valid for that hostname
- Enforces TLS based on policy mode: enforce refuses delivery to hosts that fail, testing delivers anyway but reports the failure
Start with Testing Mode
We strongly recommend starting with testing mode before switching to enforce. In testing mode:
- Senders will attempt TLS connections but still deliver email if TLS fails
- You can identify misconfigured mail servers or certificate issues
- TLS-RPT reports will show any failures without affecting delivery
Only switch to enforce mode after monitoring shows consistent TLS success.
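How a sending MTA applies the policy it cached, and what differs between testing and enforce mode, as an added example that is not the generator's own code. The policy dictionary, the DNS MX answer and the TLS outcomes at each host are constructed; the failure labels on unusable hosts are the example's own except where they reuse TLS-RPT result types such as certificate-expired.

```python
"""
Sender-side view of an MTA-STS policy: which MX hosts it allows and whether a
message may be delivered given the TLS outcome at each host, in testing versus
enforce mode. Added example, not the generator's code; policy, MX hosts and
TLS outcomes are constructed.
"""
from dataclasses import dataclass


def mx_matches(pattern, hostname):
    """RFC 8461 matching: exact, or a '*.' pattern covering exactly one leading label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".example.com"
        if not hostname.endswith(suffix):
            return False
        head = hostname[: -len(suffix)]      # what the '*' would stand for
        return bool(head) and "." not in head
    return pattern == hostname


@dataclass
class MxAttempt:
    hostname: str        # MX host from DNS, in priority order
    tls_ok: bool         # STARTTLS negotiated and certificate valid for hostname
    failure: str = ""    # TLS-RPT result type when tls_ok is False


def evaluate_delivery(policy, attempts):
    """Return (may_deliver, host_used, failures).

    A host is usable only if it matches an mx pattern AND its TLS validated.
    In enforce mode, no usable host means the message is queued and retried,
    never sent in the clear. In testing (or none) mode the sender falls back
    to the first MX as if no policy existed, but failures are still reported.
    """
    failures = []
    for attempt in attempts:
        if not any(mx_matches(p, attempt.hostname) for p in policy["mx"]):
            failures.append((attempt.hostname, "mx-not-in-policy"))  # example's own label
            continue
        if not attempt.tls_ok:
            failures.append((attempt.hostname, attempt.failure or "starttls-not-supported"))
            continue
        return True, attempt.hostname, failures
    if policy["mode"] == "enforce":
        return False, None, failures
    fallback = attempts[0].hostname if attempts else None
    return True, fallback, failures


# Constructed policy, already fetched and cached by the sender.
POLICY = {
    "mode": "testing",
    "mx": ["mx1.example.com", "*.mail.protection.outlook.com"],
    "max_age": 604800,
}

# Constructed DNS answer and handshake results for one delivery attempt.
ATTEMPTS = [
    MxAttempt("mx1.example.com", tls_ok=False, failure="certificate-expired"),
    MxAttempt("rogue.attacker.example", tls_ok=True),   # injected MX, not in policy
    MxAttempt("example-com.mail.protection.outlook.com", tls_ok=True),
]

if __name__ == "__main__":
    for mode in ("testing", "enforce"):
        print(mode, evaluate_delivery({**POLICY, "mode": mode}, ATTEMPTS))
```

Note the second attempt: a spoofed MX with a perfectly valid certificate for its own name is still rejected, because the policy, not DNS, decides which hostnames count. With only the first two hosts available, testing mode still delivers to mx1.example.com and reports the expired certificate, while enforce mode refuses to deliver at all; that difference is why the page recommends watching TLS-RPT in testing mode first.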
TLS-RPT (TLS Reporting) works alongside MTA-STS to provide visibility into TLS connection issues. When configured:
- Senders report successful and failed TLS connections
- You receive aggregate reports showing connection statistics
- Identifies certificate problems, MX misconfigurations, and policy violations
- Essential for monitoring MTA-STS effectiveness
To enable TLS-RPT, add a DNS TXT record for _smtp._tls.yourdomain.com with this value (the mailbox must exist, and reports arrive as gzip-compressed JSON attachments, normally once a day per sender):
v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com
Use our TLS-RPT Analyzer to analyze your TLS reports.
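Reading the reports that arrive at that address, as an added example that is not the analyzer the page links to: it takes one aggregate report in the RFC 8460 JSON shape (raw or as the gzip attachment), totals failures by result type and by MX host, and answers the question the page keeps coming back to, whether the domain is showing consistent TLS success. The report below is constructed.

```python
"""
Summarise a TLS-RPT aggregate report (RFC 8460 JSON, usually a gzip
attachment). Added example, not the page's analyzer; the report is constructed.
"""
import gzip
import json
from collections import Counter

# Constructed report in the RFC 8460 shape; only fields this example reads are filled in.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Corp",
    "date-range": {"start-datetime": "2024-06-01T00:00:00Z",
                   "end-datetime": "2024-06-01T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "2024-06-01T00:00:00Z_example.com",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-string": ["version: STSv1", "mode: testing",
                              "mx: mx1.example.com",
                              "mx: *.mail.protection.outlook.com",
                              "max_age: 604800"],
            "policy-domain": "example.com",
            "mx-host": ["mx1.example.com", "*.mail.protection.outlook.com"],
        },
        "summary": {"total-successful-session-count": 5326,
                    "total-failure-session-count": 303},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "2001:db8::1",
             "receiving-mx-hostname": "mx1.example.com", "failed-session-count": 300},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mx2.example.com", "failed-session-count": 3},
        ],
    }],
}).encode()


def load_report(blob):
    """Accept raw JSON bytes or the gzip attachment exactly as it arrives by mail."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    return json.loads(blob)


def summarize(blob):
    """Per-policy totals, failures by result type and by MX host."""
    report = load_report(blob)
    summary = {"reporter": report.get("organization-name"), "policies": []}
    for entry in report["policies"]:
        pol, totals = entry["policy"], entry["summary"]
        ok = totals["total-successful-session-count"]
        bad = totals["total-failure-session-count"]
        by_type, by_mx = Counter(), Counter()
        for f in entry.get("failure-details", []):
            n = f.get("failed-session-count", 0)
            by_type[f["result-type"]] += n
            by_mx[f.get("receiving-mx-hostname", "unknown")] += n
        # The sender echoes the policy it applied; pull the mode out of it.
        mode = next((s.split(":", 1)[1].strip()
                     for s in pol.get("policy-string", []) if s.startswith("mode")), None)
        summary["policies"].append({
            "domain": pol["policy-domain"],
            "type": pol["policy-type"],
            "mode": mode,
            "successful": ok,
            "failed": bad,
            "failure_rate": round(bad / (ok + bad), 4) if ok + bad else 0.0,
            "by_result_type": dict(by_type),
            "by_mx": dict(by_mx),
        })
    return summary


def ready_for_enforce(summary):
    """True only if every MTA-STS policy in this report saw zero failures.
    One clean report from one sender is necessary, not sufficient: check
    reports from all major senders over days before switching modes."""
    return all(p["failed"] == 0 for p in summary["policies"] if p["type"] == "sts")


if __name__ == "__main__":
    s = summarize(gzip.compress(SAMPLE_REPORT))
    print(json.dumps(s, indent=2))
    print("ready for enforce:", ready_for_enforce(s))
```

In the constructed report the failures point at two different problems: an expired certificate on mx1.example.com, which would block delivery entirely under enforce, and a host mx2.example.com that is not even in the policy, which means DNS is handing senders an MX the policy does not list. Both are the kind of finding testing mode exists to surface.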