MTA-STS + TLS-RPT Checker
Verify your MTA-STS policy and TLS-RPT reporting configuration to prevent email downgrade attacks.
What is MTA-STS?
MTA Strict Transport Security (MTA-STS) allows domain owners to declare that email sent to them must use TLS encryption. Without it, attackers can perform downgrade attacks to intercept email in transit.
What is TLS-RPT?
TLS Reporting (TLS-RPT) lets mail servers send you reports when they fail to establish a TLS connection to your domain, giving you visibility into delivery issues.
Frequently Asked Questions
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a security standard that requires sending mail servers to use encrypted TLS connections when delivering email to your domain. Without MTA-STS, email in transit between servers can be intercepted, or downgraded to an unencrypted connection, by a man-in-the-middle attacker. MTA-STS works alongside DMARC, SPF, and DKIM to protect both the sending and the receiving side of email.
What does this MTA-STS checker verify?
This tool checks: the presence and correct syntax of the _mta-sts DNS TXT record; whether your policy file at https://mta-sts.[yourdomain]/.well-known/mta-sts.txt is reachable and correctly formatted; whether the MX hosts listed in your policy match your actual MX records; and whether TLS-RPT reporting is configured at _smtp._tls.[yourdomain] so you receive alerts about TLS delivery failures.
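The checks listed above, as an added stand-alone example (not the checker's own code): it parses a constructed _mta-sts TXT record, policy file and _smtp._tls record, and compares the policy's mx patterns against a constructed MX list using the exact-host and single-label wildcard matching rules from RFC 8461. All sample values below are made up for illustration.

```python
# Constructed sample inputs; no DNS or HTTPS lookups are performed.
STS_TXT = "v=STSv1; id=20240101T000000"
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"
POLICY_FILE = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""
DNS_MX = ["mail.example.com", "mx2.backup.example.net"]

def _parse_txt_fields(txt):
    """Split a 'k=v; k=v' TXT record into a dict (empty segments ignored)."""
    return dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)

def parse_sts_txt(txt):
    """Validate the _mta-sts record: must carry v=STSv1 and a non-empty id."""
    fields = _parse_txt_fields(txt)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("invalid _mta-sts record")
    return fields

def parse_tlsrpt_txt(txt):
    """Validate the _smtp._tls record: must carry v=TLSRPTv1 and a rua."""
    fields = _parse_txt_fields(txt)
    if fields.get("v") != "TLSRPTv1" or not fields.get("rua"):
        raise ValueError("invalid _smtp._tls record")
    return fields

def parse_policy(text):
    """Parse mta-sts.txt; 'mx' may repeat, version/mode/max_age are required."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        policy["mx"].append(value.lower()) if key == "mx" else policy.update({key: value})
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("testing", "enforce", "none"):
        raise ValueError("invalid policy file")
    if not policy["mx"] or not policy.get("max_age", "").isdigit():
        raise ValueError("policy needs at least one mx and a numeric max_age")
    return policy

def mx_matches(pattern, host):
    """Exact hostname match, or '*.' wildcard covering exactly one leading label."""
    host = host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def unmatched_mx(policy, dns_mx):
    """MX hosts from DNS that no policy mx pattern covers (should be empty)."""
    return [h for h in dns_mx if not any(mx_matches(p, h) for p in policy["mx"])]
```

A non-empty result from unmatched_mx means a sender honouring the policy in enforce mode will refuse delivery to that MX host.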
What is TLS-RPT and do I need it?
TLS-RPT (TLS Reporting) is a complementary standard that sends you daily reports about TLS encryption failures when other mail servers try to deliver to your domain. It helps you detect misconfigurations and potential attacks. While not strictly required, it is best practice to configure TLS-RPT alongside MTA-STS — the reporting URI is added as a simple DNS TXT record at _smtp._tls.[yourdomain].
What are the MTA-STS policy modes?
MTA-STS has two policy modes: testing mode sends TLS-RPT failure reports but does not enforce TLS — mail still delivers even if TLS negotiation fails. Enforce mode requires TLS for all inbound delivery — mail is rejected if a TLS connection cannot be established. Move to enforce mode once you have confirmed your MX hosts support TLS and reviewed TLS-RPT reports for any issues.
Is MTA-STS required for DMARC compliance?
MTA-STS is separate from DMARC compliance. DMARC, SPF, and DKIM protect against domain spoofing in the From: header of outgoing email. MTA-STS protects the transit layer — preventing interception during delivery to your inbox. Both are recommended as part of a complete email security posture. Our Email Security Score includes MTA-STS as one of its five weighted checks.