What Is MTA-STS and How to Set It Up (with TLS-RPT)

MTA-STS (Mail Transfer Agent Strict Transport Security) lets domains require TLS encryption and valid certificates for SMTP delivery, reducing downgrade/MITM risk and limiting delivery to trusted MX hosts.


Why implement MTA-STS?

1) Enforce TLS

Prevent fallback from opportunistic TLS to cleartext delivery by requiring STARTTLS and certificate validation during the SMTP handshake.

2) Pin allowed MX

Only the MX hosts listed in your policy are considered valid for delivery to your domain.

3) Safer rollout

Use mode: testing first, monitor reports, then advance to mode: enforce.

MTA-STS components

DNS TXT record
Publish at _mta-sts.<domain> with v=STSv1 and a unique id=… to signal policy updates.
HTTPS policy file
Serve at https://mta-sts.<domain>/.well-known/mta-sts.txt with version, mode, one or more mx lines, and max_age.
TLS-RPT (recommended)
Publish a DNS TXT record at _smtp._tls.<domain> to receive JSON reports about TLS/STS connection results.

How to set up MTA-STS

Step 1 — Host the policy file over HTTPS

Create a small text file at https://mta-sts.<your-domain>/.well-known/mta-sts.txt:

Example — mxtoolbox.com policy file
version: STSv1
mode: testing
mx: mx1.mxtoolbox.com
mx: mx2.mxtoolbox.com
max_age: 604800

Tips: Start with mode: testing. List each authorized MX with its own mx: line. Use a conservative max_age (e.g., 7 days) during rollout.

Step 2 — Announce MTA-STS via DNS TXT

Publish a TXT record at _mta-sts.<your-domain>:

Example — mxtoolbox.com MTA-STS TXT
_mta-sts.mxtoolbox.com.  IN  TXT  "v=STSv1; id=20250820080000Z;"

Increment id (often a timestamp) whenever the policy file changes to force senders to re-fetch it.

Step 3 — (Recommended) Enable TLS-RPT reporting

Publish a TLS reporting TXT record at _smtp._tls.<your-domain> to receive JSON reports that summarize TLS/MTA-STS connection successes and failures:

Example — mxtoolbox.com TLS-RPT TXT
_smtp._tls.mxtoolbox.com.  IN  TXT  "v=TLSRPTv1; rua=mailto:tlsrpt@mxtoolbox.com"

You can specify multiple reporting URIs (mailto and/or HTTPS) separated by commas in rua=.


Typical structure for a daily report covering attempts to deliver to mxtoolbox.com:

{
  "organization-name": "Example Mail Provider",
  "date-range": {
    "start-datetime": "2025-08-19T00:00:00Z",
    "end-datetime": "2025-08-19T23:59:59Z"
  },
  "contact-info": "tlsrpt@example.com",
  "report-id": "20250819-1",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-string": ["version: STSv1", "mode: enforce", "mx: mx1.mxtoolbox.com", "mx: mx2.mxtoolbox.com", "max_age: 604800"],
        "policy-domain": "mxtoolbox.com"
      },
      "summary": {
        "total-successful-session-count": 1530,
        "total-failure-session-count": 12
      },
      "failure-details": [
        {
          "result-type": "certificate-expired",
          "sending-mta-ip": "203.0.113.45",
          "failed-session-count": 5,
          "additional-information": "Remote certificate expired on 2025-08-15"
        },
        {
          "result-type": "starttls-not-supported",
          "sending-mta-ip": "198.51.100.25",
          "failed-session-count": 7,
          "additional-information": "STARTTLS not offered by target MX"
        }
      ]
    }
  ]
}

Use these reports to spot certificate problems, missing STARTTLS, or MX mismatches—especially while in mode: testing.

Step 4 — Test your configuration

Verify the DNS TXT record and the HTTPS policy file are reachable and valid:

Run MTA-STS Lookup & Policy Test →

Step 5 — Enforce

  1. Update the policy file to mode: enforce once reports look healthy.
  2. Increment the DNS TXT id to notify senders to re-fetch your policy.
  3. Optionally extend max_age for longer caching (e.g., 30 days).

Quick reference

Each component, its purpose, and the mxtoolbox.com example:

DNS TXT (MTA-STS)
  Purpose: Announces support; signals policy updates via id
  Example: "v=STSv1; id=20250820080000Z;" at _mta-sts.mxtoolbox.com

HTTPS policy file
  Purpose: Defines version, mode, allowed mx, and max_age
  Example: https://mta-sts.mxtoolbox.com/.well-known/mta-sts.txt

DNS TXT (TLS-RPT)
  Purpose: Enables JSON reports for TLS/MTA-STS results
  Example: "v=TLSRPTv1; rua=mailto:tlsrpt@mxtoolbox.com" at _smtp._tls.mxtoolbox.com

Testing
  Purpose: Validate DNS & policy before enforcement
  Example: MXToolbox MTA-STS Lookup