FREE TOOL
Validate Mail Transfer Agent Strict Transport Security configuration. Ensure TLS encryption is properly enforced for email delivery.
DNS Record
Verifies MTA-STS TXT record at _mta-sts.domain
Policy File
Checks HTTPS-hosted policy at mta-sts.domain
MX Validation
Ensures policy matches mail server configuration
MTA-STS (Mail Transfer Agent Strict Transport Security) is a security standard that enforces Transport Layer Security (TLS) for email exchanges between mail servers, preventing downgrade attacks and man-in-the-middle interception.
DNS announcement
TXT record at _mta-sts.domain signals MTA-STS support with a policy ID.
Policy retrieval
Sending servers fetch the policy via HTTPS from mta-sts.domain.
TLS enforcement
Policy defines which MX servers accept mail and enforces encrypted connections.
Testing mode
Monitor TLS usage without blocking mail. Use for initial deployment.
Enforce mode
Require TLS for all connections. Mail fails if encryption is unavailable.
None mode
Disable MTA-STS while keeping the DNS record. Used for maintenance.
Create the subdomain mta-sts.yourdomain.com with an HTTPS certificate
Host the policy file at /.well-known/mta-sts.txt
Start with mode: testing to monitor without blocking
Add a DNS TXT record at _mta-sts.yourdomain.com
Implement TLS-RPT for failure reporting
Monitor for 2-4 weeks before enforcing
Switch to mode: enforce when confident
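The three checks described above (TXT record, policy file, MX match) can be reproduced offline before switching to enforce. The Python below is an added example, not InboxKit's code: the function names and sample record, policy and hostnames are constructed for illustration, and the field rules (STSv1 version, 1-32 character alphanumeric id, max_age ceiling, single-label wildcard) follow RFC 8461.

```python
import re
MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds
# Constructed sample inputs (not taken from any real domain).
SAMPLE_TXT = "v=STSv1; id=20240101000000Z"
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mail.example.com\nmx: *.mx.example.com\nmax_age: 86400\n"

def parse_txt_record(txt):
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    fields = {k.strip(): v.strip() for k, v in pairs}
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must declare v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("TXT id must be 1-32 alphanumeric characters")
    return fields["id"]

def parse_policy(text):
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "mx":
            policy["mx"].append(value.strip().lower())  # mx may repeat
        elif sep:
            policy.setdefault(key.strip(), value.strip())
    return policy

def mx_matches(host, pattern):
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):  # wildcard covers exactly one left-most label
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def validate(txt, policy_text, mx_hosts):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    try:
        parse_txt_record(txt)
    except ValueError as exc:
        problems.append(str(exc))
    p = parse_policy(policy_text)
    age = p.get("max_age", "")
    checks = [
        (p.get("version") == "STSv1", "policy version must be STSv1"),
        (p.get("mode") in MODES, "mode must be enforce, testing or none"),
        (age.isdigit() and int(age) <= MAX_AGE_LIMIT, "max_age missing or out of range"),
    ]
    problems += [msg for ok, msg in checks if not ok]
    if p.get("mode") != "none":  # none mode disables MX matching
        problems += [f"MX {h} not covered by policy" for h in mx_hosts
                     if not any(mx_matches(h, pat) for pat in p["mx"])]
    return problems
```

Pass the MX hostnames from the domain's live DNS as mx_hosts; any host reported as not covered would be refused by senders once the policy is in enforce mode.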
InboxKit automates MTA-STS deployment and monitoring, ensuring encrypted email delivery.