Free MTA-STS Generator

Create MTA-STS DNS record & policy file for any domain

Generate MTA-STS DNS TXT records and policy files for free. Our MTA-STS generator creates RFC 8461-compliant configurations for Google Workspace, Office 365, or self-hosted mail servers—with copy-ready output and step-by-step deployment guidance.

Simple configuration

Enter your domain, select a mode, and add your MX servers. We handle the formatting and syntax for RFC 8461 compliance.

Flexible modes

Start with testing to monitor without enforcement, then switch to enforce for production. Disable with none if needed.

Wildcard MX support

Use exact hostnames or wildcards (*.mail.example.com) to match multiple MX servers with a single pattern.

Copy-ready output

One-click copy for both DNS record and policy file. Ready to paste into your DNS provider and web server.

Step-by-step guide

Clear deployment instructions included. Know exactly where to add the DNS record and host the policy file.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard defined in RFC 8461. It allows domain owners to declare that their mail servers support TLS encryption and, when the policy is in enforce mode, that sending servers should refuse to deliver mail if a secure connection cannot be established.

Why MTA-STS matters:

  • Prevents downgrade attacks - Attackers can't force email to be sent unencrypted
  • Stops man-in-the-middle attacks - Encrypted connections protect email content in transit
  • Builds trust - Shows your domain follows email security best practices
  • Recommended by major providers - Large email providers such as Google recommend deploying MTA-STS

MTA-STS Components

MTA-STS requires two components:

1. DNS TXT Record

A TXT record at _mta-sts.yourdomain.com that signals MTA-STS support:

_mta-sts.example.com.  IN  TXT  "v=STSv1; id=20240115120000"

  • v=STSv1 - Protocol version (always STSv1)
  • id - Unique policy identifier (change it when you update the policy)

2. Policy File

A text file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:

version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mail.example.com
max_age: 604800

  • version - Always STSv1
  • mode - testing, enforce, or none
  • mx - Mail server patterns (one per line)
  • max_age - Cache duration in seconds
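The following is an added example, not the generator's own code, showing how the two components above are built and how a policy file is validated against the RFC 8461 rules the page lists (version, mode, at least one mx pattern, a wildcard only as the whole leftmost label, max_age no larger than one year). The function names and the sample values are assumptions chosen for illustration.

```python
# Added example (not the generator's own code): build the two MTA-STS
# artefacts and validate a policy file against RFC 8461. Function names
# and sample values are assumptions chosen for illustration.
from datetime import datetime, timezone
from typing import Dict, List, Optional

VALID_MODES = {"testing", "enforce", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age may not exceed about one year


def build_dns_record(domain: str, policy_id: str) -> str:
    """Zone-file line for the _mta-sts TXT record; v=STSv1 must come first."""
    return f'_mta-sts.{domain}.  IN  TXT  "v=STSv1; id={policy_id}"'


def new_policy_id(now: Optional[datetime] = None) -> str:
    """Timestamp id; it must change every time the policy file changes,
    otherwise senders keep their cached copy until max_age expires."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%d%H%M%S")


def check_mx_pattern(pattern: str) -> Optional[str]:
    """Return an error string, or None if the pattern is acceptable.
    A '*' is only allowed as the entire leftmost label (*.mail.example.com)."""
    labels = pattern.split(".")
    if "" in labels:
        return f"empty label in mx pattern {pattern!r}"
    for pos, label in enumerate(labels):
        if "*" in label and not (pos == 0 and label == "*"):
            return f"wildcard must be the whole leftmost label: {pattern!r}"
    return None


def field_errors(version, mode, mx_patterns: List[str], max_age: str) -> List[str]:
    """Semantic checks shared by the builder and the parser."""
    errors: List[str] = []
    if version != "STSv1":
        errors.append(f"version must be STSv1, got {version!r}")
    if mode not in VALID_MODES:
        errors.append(f"mode must be testing, enforce or none, got {mode!r}")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        errors.append(f"max_age must be an integer from 0 to {MAX_AGE_LIMIT}")
    if mode != "none" and not mx_patterns:
        errors.append("at least one mx pattern is required unless mode is none")
    errors += [e for e in map(check_mx_pattern, mx_patterns) if e]
    return errors


def build_policy(mode: str, mx_patterns: List[str], max_age: int) -> str:
    """Render the policy file body; raises ValueError on bad input."""
    errors = field_errors("STSv1", mode, mx_patterns, str(max_age))
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {p}" for p in mx_patterns]
    lines.append(f"max_age: {max_age}")
    return "\n".join(lines) + "\n"


def policy_errors(text: str) -> List[str]:
    """Parse a policy file and return every problem found (empty list = valid).
    Keys other than version/mode/mx/max_age are ignored for forward compatibility."""
    fields: Dict[str, Optional[str]] = {"version": None, "mode": None, "max_age": None}
    mx_patterns: List[str] = []
    errors: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            errors.append(f"malformed line {raw!r}")
        elif key == "mx":
            mx_patterns.append(value)
        elif key in fields:
            if fields[key] is not None:
                errors.append(f"duplicate field {key}")
            fields[key] = value
    errors += field_errors(fields["version"], fields["mode"], mx_patterns,
                           fields["max_age"] or "")
    return errors


if __name__ == "__main__":
    # Constructed sample domain; start in testing mode as the page advises.
    policy = build_policy("testing", ["mail.example.com", "*.backup-mail.example.com"], 86400)
    print(build_dns_record("example.com", new_policy_id()))
    print(policy + ("\n".join(policy_errors(policy)) or "policy OK"))
```

Running the script prints the TXT record and the policy file for the constructed domain; feeding an existing mta-sts.txt to `policy_errors` gives a list of concrete problems rather than a single pass/fail.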

Deployment Checklist

Follow these steps to deploy MTA-STS:

Step 1: Set up the policy host

  1. Create a subdomain: mta-sts.yourdomain.com
  2. Obtain an HTTPS certificate (Let's Encrypt works)
  3. Configure your web server to serve the policy file

Step 2: Create and host the policy file

  1. Use the generator above to create your policy
  2. Save it as mta-sts.txt
  3. Host at /.well-known/mta-sts.txt
  4. Verify: curl https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

Step 3: Add the DNS TXT record

  1. Generate the DNS record using the tool above
  2. Add it to your DNS as a TXT record at _mta-sts
  3. Verify: dig TXT _mta-sts.yourdomain.com

Step 4: Test and monitor

  1. Use our MTA-STS Record Checker to validate
  2. Start in testing mode to identify issues
  3. Monitor TLS-RPT reports for failures
  4. Switch to enforce mode once validated
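As an added example that is not part of this page's tool, the script below implements the pre-enforcement check behind Steps 3 and 4: it verifies the TXT record shape, the properties the policy host must have (HTTP 200, text/plain, no redirect), and that every MX host a sender would see is covered by an mx pattern, using the RFC 8461 wildcard rule in which `*` stands for exactly one leftmost label. Its inputs are constructed stand-ins for what `dig MX`, `dig TXT _mta-sts.yourdomain.com` and a fetch of the policy URL would return; the function and class names are assumptions.

```python
# Added example (not the generator's own code): pre-enforcement readiness
# check. Inputs are constructed stand-ins for 'dig' and HTTPS results;
# function and class names are assumptions.
from dataclasses import dataclass
from typing import List


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 wildcard matching: a leading '*' stands for exactly one label.
    '*.example.com' matches 'mail.example.com' but neither 'example.com'
    nor 'a.b.example.com'. Comparison is case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return pattern == hostname


@dataclass
class PolicyFetch:
    """Facts recorded while fetching https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    status: int
    content_type: str
    redirected: bool


def uncovered_mx_hosts(mx_hosts: List[str], patterns: List[str]) -> List[str]:
    """MX hosts no policy pattern covers; in enforce mode senders would
    refuse to deliver to these."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in patterns)]


def readiness_problems(txt_record: str, fetch: PolicyFetch,
                       mx_hosts: List[str], patterns: List[str]) -> List[str]:
    """Everything that should be fixed before switching mode to enforce."""
    problems: List[str] = []
    fields = [f.strip() for f in txt_record.strip().strip('"').split(";") if f.strip()]
    if not fields or fields[0] != "v=STSv1":
        problems.append("TXT record must begin with v=STSv1")
    if not any(f.startswith("id=") and len(f) > len("id=") for f in fields):
        problems.append("TXT record has no id= field")
    if fetch.status != 200:
        problems.append(f"policy URL returned HTTP {fetch.status}, expected 200")
    if fetch.content_type.split(";")[0].strip().lower() != "text/plain":
        problems.append(f"policy served as {fetch.content_type!r}, expected text/plain")
    if fetch.redirected:
        problems.append("policy URL redirected; senders do not follow redirects")
    for host in uncovered_mx_hosts(mx_hosts, patterns):
        problems.append(f"MX host {host} matches no mx pattern")
    return problems


if __name__ == "__main__":
    # Constructed sample: what the checks might see for example.com.
    report = readiness_problems(
        '"v=STSv1; id=20240115120000"',
        PolicyFetch(status=200, content_type="text/plain; charset=utf-8", redirected=False),
        ["mail.example.com", "mx2.backup-mail.example.com"],
        ["mail.example.com", "*.backup-mail.example.com"],
    )
    print("\n".join(report) or "ready for enforce mode")
```

The MX coverage check is the one most often missed: a backup MX added later that matches no pattern is silently fine in testing mode (you only see TLS-RPT reports) but causes rejected deliveries the moment the policy switches to enforce.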

Common Configurations

Google Workspace

version: STSv1
mode: enforce
mx: aspmx.l.google.com
mx: *.googlemail.com
max_age: 604800

Microsoft 365

version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800

Self-hosted mail server

version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: backup.yourdomain.com
max_age: 604800

FAQ - Frequently asked questions

Q: What is MTA-STS and why do I need it?

A: MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard defined in RFC 8461 that allows email domain owners to declare that their mail servers support TLS encryption. It prevents man-in-the-middle attacks and downgrade attacks on email delivery by telling sending servers to require TLS when connecting to your MX servers.


Q: What's the difference between testing and enforce modes?

A: In "testing" mode, sending servers will report failures via TLS-RPT but still deliver email even if TLS fails. In "enforce" mode, sending servers must use TLS or reject delivery. Start with testing to identify issues, then switch to enforce once you've verified your MX servers support TLS properly.


Q: How do I deploy the MTA-STS policy file?

A: Host the policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. You need a valid HTTPS certificate for mta-sts.yourdomain.com. The file must be served with Content-Type: text/plain and be accessible without redirects.


Q: What max_age value should I use?

A: The max_age directive specifies how long (in seconds) senders should cache your policy. Common values: 86400 (1 day) for testing, 604800 (1 week) for production, or 31557600 (1 year) for stable configurations.


Q: Can I use wildcards in MX patterns?

A: Yes, MTA-STS supports wildcard patterns using an asterisk (*) as the leftmost label. For example, *.mail.example.com matches any subdomain of mail.example.com.


Q: Do I need a TLS-RPT record too?

A: While not required, a TLS-RPT (SMTP TLS Reporting) record is highly recommended alongside MTA-STS. It allows sending servers to report TLS connection failures, helping you identify and fix issues.


Complementary tools

Tool                      Description
MTA-STS Record Checker    Validate your MTA-STS configuration
MTA-STS Syntax Checker    Validate MTA-STS syntax offline
DMARC Generator           Create DMARC records
