What This Tool Validates
The MTA-STS syntax checker performs comprehensive validation of both MTA-STS components:
DNS TXT Record Validation
The _mta-sts.yourdomain.com TXT record is validated for:
| Field | Requirement |
|---|---|
| v | Must be STSv1 (case-sensitive) |
| id | Required, alphanumeric, 1-32 characters |
| Format | Semicolon-separated key=value pairs |
Valid example:
v=STSv1; id=20240115120000
Invalid examples:
v=sts1; id=123 (wrong version)
v=STSv1 (missing id)
v=STSv1; id=my policy id (id has spaces)
Policy File Validation
The mta-sts.txt file is validated for:
| Field | Requirement |
|---|---|
| version | Must be STSv1 (case-sensitive) |
| mode | Must be testing, enforce, or none |
| mx | At least one valid MX pattern required |
| max_age | Required, 0-31557600 seconds |
Valid example:
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
Common Validation Errors
DNS Record Errors
| Error | Cause | Fix |
|---|---|---|
| Missing version | No v=STSv1 | Add v=STSv1; at the start |
| Invalid version | Typo or wrong case | Use exactly STSv1 |
| Missing id | No id field | Add id= with unique value |
| Invalid id | Spaces or special chars | Use only alphanumeric characters |
Policy File Errors
| Error | Cause | Fix |
|---|---|---|
| Missing version | No version: line | Add version: STSv1 |
| Invalid mode | Typo or wrong value | Use testing, enforce, or none |
| No MX patterns | Missing mx: lines | Add at least one mx: hostname |
| Invalid max_age | Out of range or not numeric | Use 0-31557600 |
| Invalid MX pattern | Malformed wildcard | Use *.subdomain.example.com format |
MX Pattern Rules
MTA-STS supports two types of MX patterns:
Exact Hostname
mx: mail.example.com
mx: smtp.example.com
Matches only the exact hostname specified.
Wildcard Pattern
mx: *.mail.example.com
- Wildcard (*) must be the leftmost label
- Matches any single label (e.g., server1.mail.example.com)
- Does NOT match multiple labels (e.g., a.b.mail.example.com)
Invalid Patterns
mx: * (bare wildcard)
mx: mail.*.example.com (wildcard not leftmost)
mx: **.example.com (double wildcard)
mx: mail.example.* (wildcard on TLD)
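The field rules, error names and MX pattern rules above, combined into one offline check. This is an added example, not the tool's own code; the function names, the hostname label regex and the requirement of at least two labels after `*.` are assumptions.

```python
import re

MAX_AGE_LIMIT = 31557600  # upper bound from the policy table on this page
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Assumption: optional leading "*." followed by at least two ordinary labels,
# which rejects "*", "**.", a mid-name wildcard and a wildcard TLD.
MX_PATTERN = re.compile(rf"^(?:\*\.)?{LABEL}(?:\.{LABEL})+$")

def check_txt(record):
    """Return the DNS-table error names for an _mta-sts TXT record value."""
    parts = (p.partition("=") for p in record.split(";"))
    fields = {k.strip(): v.strip() for k, _, v in parts}
    errors = []
    if fields.get("v") != "STSv1":  # comparison is case-sensitive
        errors.append("Invalid version" if "v" in fields else "Missing version")
    if "id" not in fields:
        errors.append("Missing id")
    elif not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields["id"]):
        errors.append("Invalid id")
    return errors

def check_policy(text):
    """Return the policy-table error names for mta-sts.txt content."""
    fields, mx, errors = {}, [], []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "mx":
            mx.append(value.strip())  # mx may repeat, so collect every line
        elif key.strip():
            fields[key.strip()] = value.strip()
    if fields.get("version") != "STSv1":
        errors.append("Invalid version" if "version" in fields else "Missing version")
    if fields.get("mode") not in ("testing", "enforce", "none"):
        errors.append("Invalid mode")
    if not mx:
        errors.append("No MX patterns")
    errors += [f"Invalid MX pattern: {p}" for p in mx if not MX_PATTERN.match(p)]
    age = fields.get("max_age", "")
    if not (re.fullmatch(r"[0-9]+", age) and int(age) <= MAX_AGE_LIMIT):
        errors.append("Invalid max_age")
    return errors

def mx_matches(pattern, host):
    """True if host matches an exact name or a single-label wildcard."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]  # "*" is exactly one label
    return host == pattern
```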
Validation vs. Live Check
| Feature | Syntax Checker | Record Checker |
|---|---|---|
| DNS lookup | No | Yes |
| Policy fetch | No | Yes |
| TLS verification | No | Yes |
| Offline validation | Yes | No |
| Pre-deployment check | Yes | No |
| Real-time status | No | Yes |
Use the syntax checker before deploying to catch errors early.
Use the record checker after deployment to verify live configuration.
FAQ - Frequently asked questions
Q: What does the MTA-STS syntax checker validate?
A: The syntax checker validates both the DNS TXT record (version and id fields) and the policy file content (version, mode, mx patterns, and max_age). It checks for required fields, valid values, and proper formatting according to RFC 8461.
Q: Why validate MTA-STS syntax offline?
A: Validating syntax offline lets you catch errors before deployment. This prevents misconfigurations that could cause email delivery failures or leave your domain unprotected.
Q: What are common MTA-STS syntax errors?
A: Common errors include: missing required fields (version, mode, mx, max_age), invalid mode values (must be testing, enforce, or none), max_age out of range, malformed MX patterns, and incorrect TXT record format.
Q: What MX pattern formats are valid?
A: MX patterns can be exact hostnames (mail.example.com) or wildcards (*.mail.example.com). Wildcards only match at the leftmost label. Invalid patterns include bare wildcards (*) or wildcards in the middle.
Q: What max_age values are recommended?
A: RFC 8461 recommends at least 86400 (1 day). Common values: 86400 for testing, 604800 (1 week) for production, 31557600 (1 year) for stable configurations. Maximum is 31557600 seconds.
Q: How do I fix 'invalid version' errors?
A: The version must be exactly 'STSv1' (case-sensitive) for both the DNS record and policy file. Check for typos, extra spaces, or incorrect casing.
Q: How do I validate MTA-STS syntax for Microsoft 365 / Office 365?
A: Paste your MTA-STS DNS TXT record and policy file content into our validator. For Microsoft 365, ensure your MX patterns match Microsoft's mail servers (e.g., *.mail.protection.outlook.com). The validator checks RFC 8461 compliance before you publish to DNS.
Q: How do I check MTA-STS syntax for Google Workspace?
A: Use our offline validator to check your MTA-STS configuration for Google Workspace. Enter your DNS TXT record and policy content—ensure MX patterns include Google's servers (e.g., *.google.com, aspmx.l.google.com). Validate syntax before deploying to catch errors early.
Complementary tools
| Tool | Description |
|---|---|
| MTA-STS Generator | Generate MTA-STS records and policy files |
| MTA-STS Record Checker | Validate live MTA-STS configuration |
| DNS Propagation Checker | Check DNS record propagation |