MTA-STS checker

MTA-STS lets a domain require that other mail servers use TLS when delivering to it, closing the downgrade gap in opportunistic SMTP encryption. Enter a domain to check its MTA-STS policy and its TLS-RPT reporting record.

Runs the full report, including this check.

What MTA-STS provides

Why it matters

Standard SMTP TLS is opportunistic and can be stripped by an attacker on the path. MTA-STS in enforce mode instructs compliant senders to refuse delivery if a valid TLS connection cannot be established, protecting mail in transit.

Frequently asked questions

What is the difference between testing and enforce mode?
In testing mode, senders report TLS problems via TLS-RPT but still deliver over cleartext if needed. In enforce mode, a sender that cannot establish valid TLS defers or rejects the message. Start in testing, watch the reports, then enforce.
Do I need MTA-STS if I already have DANE?
They solve the same downgrade problem differently. DANE uses DNSSEC-signed TLSA records; MTA-STS uses HTTPS-fetched policy. MTA-STS is easier to deploy without DNSSEC. Large senders support both.