EmailAudit.io

MTA-STS Policy Generator

Generate both the MTA-STS policy file and DNS TXT record required to enforce TLS encryption on inbound email.

MTA-STS requires three things:

  1. The policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  2. A DNS TXT record at _mta-sts.yourdomain.com
  3. A valid TLS certificate on all mail servers listed in the policy


Add the hostname of each mail server that receives email for your domain. These must match your MX records exactly and have valid TLS certificates. Use a *. prefix for wildcard matching (e.g. *.mail.protection.outlook.com).

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
version: STSv1
mode: testing
max_age: 86400

Hosting Instructions

  • Host this file at: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  • The file must be served over HTTPS with a valid certificate
  • Content-Type should be text/plain
  • Update the policy ID in the DNS record each time you change this file
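The checks a practitioner would run before switching the generated policy to enforce mode, as an added Python example that is not part of EmailAudit.io's generator: it renders the policy file and the _mta-sts TXT value (with the timestamp-style id described above), parses the file back with the RFC 8461 constraints, and applies the single-label `*.` wildcard rule to see which MX hosts the policy would leave uncovered. The hostnames in the test are constructed sample values.

```python
import time

VALID_MODES = ("enforce", "testing", "none")

def build_policy(mx_patterns, mode="testing", max_age=86400):
    """Render the policy file body served at /.well-known/mta-sts.txt."""
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {p}" for p in mx_patterns]
    lines.append(f"max_age: {max_age}")
    return "\n".join(lines) + "\n"

def build_txt_record(policy_id=None):
    """TXT value for _mta-sts.<domain>; the id defaults to a UTC timestamp."""
    policy_id = policy_id or time.strftime("%Y%m%d%H%M%S", time.gmtime())
    return f"v=STSv1; id={policy_id};"

def parse_policy(text):
    """Parse a policy body and reject the defects that break enforcement."""
    fields, mx = {}, []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value)
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if fields.get("mode") not in VALID_MODES:
        raise ValueError("mode must be enforce, testing or none")
    max_age = fields.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > 31557600:  # RFC 8461 cap: one year
        raise ValueError("max_age must be an integer no greater than 31557600")
    if fields["mode"] != "none" and not mx:
        raise ValueError("at least one mx entry is required unless mode is none")
    return {"mode": fields["mode"], "max_age": int(max_age), "mx": mx}

def mx_matches(mx_host, pattern):
    """RFC 8461 matching: a leading '*.' stands for exactly one DNS label."""
    host, pat = mx_host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pat.startswith("*."):
        prefix = host[: 1 - len(pat)] if host.endswith(pat[1:]) else ""
        return bool(prefix) and "." not in prefix
    return host == pat

def uncovered_mx(policy, mx_hosts):
    """MX hosts no mx pattern covers: enforce mode would reject mail for them."""
    return [h for h in mx_hosts if not any(mx_matches(h, p) for p in policy["mx"])]
```

Any host returned by `uncovered_mx` needs either an additional `mx:` line or removal from DNS before the mode changes to enforce.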

Frequently Asked Questions

What is MTA-STS and why do I need it?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a security standard that tells sending mail servers to use TLS encryption when delivering email to your domain and to reject delivery if a secure connection cannot be established. Without MTA-STS, email can be delivered over unencrypted connections or be subject to downgrade attacks. MTA-STS complements DMARC by securing the transport layer, not just authentication.

What does MTA-STS mode testing vs enforce mean?

In testing mode, MTA-STS is evaluated but not enforced — sending servers are informed about the policy but will still deliver mail even if TLS requirements cannot be met. This lets you check for issues without affecting delivery. In enforce mode, sending servers must deliver over a valid TLS connection matching the policy or reject the delivery entirely. Start with testing mode and only switch to enforce after confirming no legitimate mail is affected.

What needs to be set up for MTA-STS to work?

MTA-STS requires three things: (1) A policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with a valid TLS certificate. (2) A DNS TXT record at _mta-sts.yourdomain.com containing the policy version ID. (3) Valid TLS certificates on all mail servers listed in the policy. All three must be in place before switching to enforce mode.

What is the MTA-STS policy ID and why does it need to change?

The policy ID (id=) in the DNS TXT record is a version identifier that tells sending mail servers when the policy has changed. Sending servers cache the policy for max_age seconds and use the ID to detect updates. When you update the policy file, you must also update the policy ID in the DNS record — otherwise servers will continue using the cached version. Use a timestamp format like YYYYMMDDHHmmss to ensure uniqueness.

Do I need MTA-STS if I already have DMARC?

DMARC and MTA-STS protect against different threats. DMARC prevents domain spoofing by verifying that email claiming to be from your domain was actually sent by an authorised server. MTA-STS protects the transport channel — ensuring email is encrypted in transit and cannot be intercepted or downgraded to an unencrypted connection. Both should be implemented for comprehensive email security.