How do I check MTA-STS for Microsoft 365 / Office 365?

Enter your domain in our MTA-STS checker. Microsoft 365 domains using custom domains need MTA-STS configured separately—Microsoft doesn't automatically set this up. You'll need to create the DNS TXT record and host the policy file yourself, or use a third-party service. Our checker will show if MTA-STS is missing or misconfigured.

How do I verify MTA-STS for Google Workspace?

Use our MTA-STS lookup tool with your Google Workspace domain. Google Workspace supports MTA-STS but you must configure it yourself for custom domains. The checker validates your _mta-sts DNS record, fetches the policy from mta-sts.yourdomain.com, and verifies MX patterns match Google's mail servers (e.g., *.google.com or aspmx.l.google.com).

Free MTA-STS Checker - Lookup & Validate Records Online

What This Tool Checks

The MTA-STS record checker performs a comprehensive validation of your domain's MTA-STS implementation:

1. DNS TXT Record Check

Queries _mta-sts.yourdomain.com and validates:

Record exists
Version is STSv1
ID field is present and valid
No syntax errors

2. Policy File Fetch

Fetches https://mta-sts.yourdomain.com/.well-known/mta-sts.txt and checks:

HTTPS is required (no HTTP)
No redirects (direct access only)
Valid Content-Type header
File is accessible

3. Policy Content Validation

Parses the policy file and validates:

Version is STSv1
Mode is testing, enforce, or none
At least one MX pattern defined
max_age is within valid range

4. TLS Certificate Verification

Checks the HTTPS certificate for mta-sts.yourdomain.com:

Certificate is valid and not expired
Hostname matches
Certificate chain is complete
TLS version is adequate

5. MX Pattern Cross-Validation

Compares your domain's MX records against policy patterns:

All MX hosts should match at least one pattern
Warns about uncovered MX servers
Detects wildcards that may be too broad

Understanding the Results

Status Indicators

Status	Meaning
Pass	Configuration is correct
Warning	Works but could be improved
Error	Configuration problem that needs fixing
Not Found	Record or policy doesn't exist

Common Issues and Fixes

Issue	Cause	Fix
No DNS record	_mta-sts TXT not published	Add the TXT record to DNS
Policy fetch failed	mta-sts subdomain not set up	Create subdomain with HTTPS
TLS error	Certificate issue	Fix/renew the SSL certificate
MX not covered	Missing MX pattern	Add the MX host to policy
Mode is none	MTA-STS disabled	Change mode to testing or enforce

MTA-STS Deployment Status

Fully Configured

DNS record exists with valid format
Policy file accessible over HTTPS
TLS certificate valid
All MX servers covered by patterns
Mode is enforce

Partially Configured

DNS record exists but policy issues
TLS warnings (e.g., soon-to-expire cert)
Some MX servers not covered
Mode is testing

Not Configured

No DNS record found
Policy file not accessible
Mode is none

Best Practices

Before Going to Enforce Mode

Test thoroughly - Run in testing mode for at least 1 week
Check MX coverage - All MX servers must match policy patterns
Monitor TLS-RPT - Set up TLS reporting to catch issues
Verify certificates - Ensure mta-sts subdomain cert is valid
Test from multiple sources - Check from different networks

Maintaining MTA-STS

Update policy ID when changing the policy file
Monitor certificate expiry for mta-sts subdomain
Update MX patterns when adding/removing mail servers
Review TLS-RPT reports regularly
Re-check after DNS changes

Comparison: MTA-STS vs DANE

Feature	MTA-STS	DANE
DNS Security	No DNSSEC required	Requires DNSSEC
Setup Complexity	Moderate (DNS + HTTPS)	Complex (DNSSEC + TLSA)
Certificate Pinning	No (trust model based)	Yes (TLSA records)
Adoption	Growing	Limited
Reporting	TLS-RPT	None standard

MTA-STS is easier to deploy and doesn't require DNSSEC, making it more accessible for most organizations.

FAQ - Frequently asked questions

Q: What does the MTA-STS record checker validate?

A: The checker performs a complete validation: DNS TXT record at _mta-sts.domain.com, HTTPS policy file at mta-sts.domain.com/.well-known/mta-sts.txt, TLS certificate validity, and cross-validation of MX records against policy patterns.

Q: Why is my MTA-STS policy not being fetched?

A: Common causes: the mta-sts subdomain doesn't exist, HTTPS is not configured, the certificate is invalid, the policy file path is wrong, or the server returns redirects (not allowed).

Q: What does 'MX not covered by policy' mean?

A: This warning means one or more of your domain's MX records don't match any pattern in your MTA-STS policy. Add the missing MX patterns to your policy file to ensure all mail servers are covered.

Q: Why does the checker show TLS errors?

A: MTA-STS requires the policy file to be served over HTTPS with a valid certificate. TLS errors can mean: expired certificate, self-signed certificate, hostname mismatch, or outdated TLS version.

Q: What's the difference between testing and enforce mode?

A: In "testing" mode, sending servers report TLS failures but still deliver email. In "enforce" mode, delivery is rejected if TLS fails. Use testing first to identify issues.

Q: How often should I check my MTA-STS configuration?

A: Check after any changes to DNS, MX records, or mail server configuration. Also verify after certificate renewals. Regular monthly checks help catch issues early.

Complementary tools

Tool	Description
MTA-STS Generator	Generate MTA-STS records and policy files
MTA-STS Syntax Checker	Validate MTA-STS syntax offline
MX Record Lookup	Check domain MX records

Free MTA-STS Checker

Lookup and validate MTA-STS policy, DNS record & TLS certificate instantly

DNS record lookup

HTTPS policy fetch

TLS certificate check

MX pattern validation

Detailed diagnostics