
MTA-STS: Enforce TLS Encryption on Your Emails

Everything you need to know about MTA-STS to protect your emails in transit against interception attacks.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a protocol defined in RFC 8461. It allows a domain to declare that its mail servers support TLS encryption and to require that sending servers use an encrypted connection with a valid certificate.

Without MTA-STS, even if your servers support TLS, an attacker performing a man-in-the-middle (MITM) attack can force a downgrade to plaintext. The attacker can then intercept and read your emails in transit.

MTA-STS solves this by publishing a policy that tells sending servers: "you must use TLS with a valid certificate to send me emails, otherwise don't send them at all."

MTA-STS is complementary to SPF, DKIM and DMARC — those protect against identity spoofing, while MTA-STS protects the confidentiality of emails in transit.

How does MTA-STS work?

MTA-STS relies on two components: a DNS record and a policy file served over HTTPS.

  1. DNS TXT record — The domain publishes a TXT record at _mta-sts.yourdomain to signal MTA-STS support.
  2. HTTPS policy file — The domain hosts a file at https://mta-sts.yourdomain/.well-known/mta-sts.txt that defines the policy (mode, authorized MX servers, validity period).
  3. Sending server verification — Before sending an email, the sending server checks the DNS record and downloads the policy. If the mode is "enforce", it refuses to send the email without valid TLS.

The DNS record looks like this:

_mta-sts.yourdomain TXT "v=STSv1; id=20260406T000000;"

The policy file looks like this:

version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: *.yourdomain.com
max_age: 86400

Each field has a specific meaning:

  • version — Always STSv1 (required).
  • mode — enforce (block without TLS), testing (report but deliver) or none (disabled).
  • mx — Authorized MX servers (wildcards supported).
  • max_age — Policy cache duration in seconds (recommended: 86400 = 24h).

How to configure MTA-STS step by step

Step 1: Create the mta-sts subdomain

Create a subdomain mta-sts.yourdomain pointing to a web server that can serve content over HTTPS with a valid certificate. You can use GitHub Pages, Cloudflare Pages, or any static hosting.

Step 2: Create the policy file

Create the file /.well-known/mta-sts.txt on your subdomain with the following content (adjust the mx lines to match your servers):

version: STSv1
mode: testing
mx: mail.yourdomain.com
max_age: 86400

Start in testing mode to monitor for issues before switching to enforce.

Step 3: Add the DNS record

Add a TXT record to your DNS zone:

  • Type: TXT
  • Name / Host: _mta-sts
  • Value: v=STSv1; id=20260406T000000;
  • TTL: 3600

The identifier (id) must be changed each time you modify the policy, so that sending servers discard their cached copy and fetch the new one.

Step 4: Verify and switch to enforce

Test your configuration with our free verification tool. Once everything works correctly in testing mode, change the mode to enforce and update the identifier in the DNS record.

Bonus: TLSRPT for receiving reports

TLSRPT (TLS Reporting, RFC 8460) is the ideal companion to MTA-STS. It allows you to receive reports from sending servers when they encounter TLS issues with your domain.

Add a TXT record at _smtp._tls.yourdomain:

v=TLSRPTv1; rua=mailto:tls-reports@yourdomain

You'll then receive daily JSON reports indicating TLS negotiation failures, invalid certificates and downgrade attempts — just like DMARC reports but for in-transit encryption.

Frequently asked questions about MTA-STS

What's the difference between MTA-STS and STARTTLS?

STARTTLS is the TLS negotiation mechanism between mail servers. The problem is that it's "opportunistic": if an attacker strips the STARTTLS announcement from the server (stripping attack), the connection falls back to plaintext without anyone being notified. MTA-STS solves this by independently declaring (via HTTPS) that TLS is mandatory.

Does MTA-STS protect against spoofing?

No. MTA-STS protects the confidentiality of emails in transit (encryption), not the authenticity of the sender. To protect against spoofing, you need to configure SPF, DKIM and DMARC.

Which providers support MTA-STS?

Google (Gmail / Google Workspace), Microsoft (Outlook / Microsoft 365), and Yahoo support MTA-STS on the sending side. This means they will respect your MTA-STS policy when sending emails to your domain. On the receiving side, you need to configure it yourself on your domain.
