What Is MTA-STS? How to Set Up MTA-STS (with TLS-RPT)

MTA-STS (Mail Transfer Agent Strict Transport Security) allows domains to require TLS encryption and valid certificates for SMTP delivery, reducing downgrade/MITM risk and limiting delivery to trusted MX hosts.


Why Implement MTA-STS?

1. Enforce TLS: Prevent opportunistic fallbacks by requiring STARTTLS and certificate validation during SMTP handshakes.

2. Pin Allowed MX: Only the MX hosts listed in your policy are considered valid for delivery to your domain.

3. Safer Rollout: Use mode: testing first, monitor reports, then advance to mode: enforce.

MTA-STS Components

  • DNS TXT record: Publish at _mta-sts.<domain> with v=STSv1 and a unique id=… to signal policy updates.
  • HTTPS policy file: Serve at https://mta-sts.<domain>/.well-known/mta-sts.txt with version, mode, one or more mx lines, and max_age.
  • TLS-RPT (recommended): Publish a DNS TXT record at _smtp._tls.<domain> to receive JSON reports about TLS/STS connection results.

How to Set Up MTA-STS

Step 1 — Host the Policy File Over HTTPS

Create a small text file at https://mta-sts.<your-domain>/.well-known/mta-sts.txt:

Example: mxtoolbox.com policy file
version: STSv1
mode: testing
mx: mx1.mxtoolbox.com
mx: mx2.mxtoolbox.com
max_age: 604800

Tips: Start with mode: testing. List each authorized MX with its own mx: line. Use a conservative max_age (e.g., 7 days) during rollout.

Step 2 — Announce MTA-STS via DNS TXT

Publish a TXT record at _mta-sts.<your-domain>:

Example: mxtoolbox.com MTA-STS TXT
_mta-sts.mxtoolbox.com.  IN  TXT  "v=STSv1; id=20250820080000Z;"

Increment id (often a timestamp) whenever the policy file changes to force senders to re-fetch it.

Step 3 — (Recommended) Enable TLS-RPT Reporting

Publish a TLS reporting TXT record at _smtp._tls.<your-domain> to receive JSON reports that summarize TLS/MTA-STS connection successes and failures:

Example: mxtoolbox.com TLS-RPT TXT
_smtp._tls.mxtoolbox.com.  IN  TXT  "v=TLSRPTv1; rua=mailto:tlsrpt@mxtoolbox.com"

You can specify multiple reporting URIs (mailto and/or HTTPS) separated by commas in rua=.

See a sample TLS-RPT JSON report

Typical structure for a daily report covering attempts to deliver to mxtoolbox.com:

{
  "organization-name": "Example Mail Provider",
  "date-range": {
    "start-datetime": "2025-08-19T00:00:00Z",
    "end-datetime": "2025-08-19T23:59:59Z"
  },
  "contact-info": "tlsrpt@example.com",
  "report-id": "20250819-1",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-string": [
          "version: STSv1",
          "mode: enforce",
          "mx: mx1.mxtoolbox.com",
          "mx: mx2.mxtoolbox.com",
          "max_age: 604800"
        ],
        "policy-domain": "mxtoolbox.com"
      },
      "summary": {
        "total-successful-session-count": 1530,
        "total-failure-session-count": 12
      },
      "failure-details": [
        {
          "result-type": "certificate-expired",
          "sending-mta-ip": "203.0.113.45",
          "failed-session-count": 5,
          "additional-information": "Remote certificate expired on 2025-08-15"
        },
        {
          "result-type": "starttls-not-supported",
          "sending-mta-ip": "198.51.100.25",
          "failed-session-count": 7,
          "additional-information": "STARTTLS not offered by target MX"
        }
      ]
    }
  ]
}

Use these reports to spot certificate problems, missing STARTTLS, or MX mismatches—especially while in mode: testing.

Step 4 — Test Your Configuration

Verify the DNS TXT record and the HTTPS policy file are reachable and valid:

Run MTA-STS Lookup and Policy Test →

Step 5 — Enforce

  1. Update the policy file to mode: enforce once reports look healthy.
  2. Increment the DNS TXT id to notify senders to re-fetch your policy.
  3. Optionally extend max_age for longer caching (e.g., 30 days).
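As an added example (not MxToolbox's tool or code), the following Python performs the Step 4 checks offline against the page's mxtoolbox.com TXT records and policy file: it parses the _mta-sts record, the policy file and the _smtp._tls record, applies the RFC 8461/8460 syntax rules, and confirms that every MX host actually published in DNS is covered by an mx: line. The DNS_MX list and all function names are assumptions made for the example.

```python
import re

# Constructed inputs that mirror the page's mxtoolbox.com examples (nothing is fetched live).
POLICY_TXT = "version: STSv1\nmode: testing\nmx: mx1.mxtoolbox.com\nmx: mx2.mxtoolbox.com\nmax_age: 604800\n"
STS_RECORD = "v=STSv1; id=20250820080000Z;"
TLSRPT_RECORD = "v=TLSRPTv1; rua=mailto:tlsrpt@mxtoolbox.com"
DNS_MX = ["mx1.mxtoolbox.com", "mx2.mxtoolbox.com"]  # assumed MX answer for the domain

def parse_txt(record):
    """Split a 'k=v; k=v;' TXT record into a dict; a trailing ';' is allowed."""
    pairs = [part.partition("=") for part in record.split(";") if part.strip()]
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_policy(text):
    """Parse the 'key: value' lines of mta-sts.txt; every mx line goes into a list."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy[key.strip()] = value.strip()
    return policy

def mx_covered(pattern, host):
    """RFC 8461 matching: exact name, or '*.example' covering one left-most label only."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mxtoolbox.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return pattern.lower() == host.lower()

def check_setup(policy_text, sts_record, tlsrpt_record, dns_mx):
    """Return a list of findings; an empty list means the three pieces are consistent."""
    findings, rec, p = [], parse_txt(sts_record), parse_policy(policy_text)
    if rec.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", rec.get("id", "")):
        findings.append("_mta-sts TXT needs v=STSv1 and an alphanumeric id of 1-32 characters")
    if p.get("version") != "STSv1" or p.get("mode") not in ("testing", "enforce", "none"):
        findings.append("policy needs version STSv1 and a mode of testing, enforce or none")
    if not p.get("max_age", "").isdigit() or int(p["max_age"]) > 31557600:
        findings.append("max_age must be a non-negative integer of at most 31557600 seconds")
    for host in dns_mx:  # every MX actually published in DNS must be covered by an mx: line
        if not any(mx_covered(pat, host) for pat in p["mx"]):
            findings.append(f"DNS MX {host} is not covered by any mx: line")
    rpt = parse_txt(tlsrpt_record)
    uris = [u.strip() for u in rpt.get("rua", "").split(",") if u.strip()]
    if rpt.get("v") != "TLSRPTv1" or not uris or not all(u.startswith(("mailto:", "https:")) for u in uris):
        findings.append("_smtp._tls TXT needs v=TLSRPTv1 and comma-separated mailto:/https: rua URIs")
    return findings
```

Calling check_setup(POLICY_TXT, STS_RECORD, TLSRPT_RECORD, DNS_MX) returns an empty list for the page's records; an MX host missing from the policy, an out-of-range max_age or a non-mailto/https rua URI each produce one finding.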

Quick Reference Guide

  • DNS TXT (MTA-STS): announces support and signals policy updates via id. Example (mxtoolbox.com): "v=STSv1; id=20250820080000Z;" at _mta-sts.mxtoolbox.com
  • HTTPS Policy File: defines version, mode, allowed mx, and max_age. Example (mxtoolbox.com): https://mta-sts.mxtoolbox.com/.well-known/mta-sts.txt
  • DNS TXT (TLS-RPT): enables JSON reports for TLS/MTA-STS results. Example (mxtoolbox.com): "v=TLSRPTv1; rua=mailto:tlsrpt@mxtoolbox.com" at _smtp._tls.mxtoolbox.com
  • Testing: validate DNS and policy before enforcement. Example: free MxToolbox MTA-STS Lookup