
MTA-STS Record Generator

Generate MTA-STS DNS record and policy file to enforce TLS on inbound email

Configure MTA-STS Policy

Add the mail server hostnames that should be allowed. Use * as a wildcard prefix.


What is MTA-STS?

MTA-STS (RFC 8461) prevents TLS downgrade attacks on inbound email by telling sending servers they must use TLS when delivering mail to your domain.

  • Prevents man-in-the-middle attacks
  • Ensures encrypted email transport
  • Supported by Google, Microsoft, Yahoo
  • Requires HTTPS hosting for policy file

Want automated management?

DMARC Busta's Autopilot manages SPF, DKIM, and DMARC automatically with AI-powered decisions.


What is MTA-STS?

Enforce TLS encryption for inbound email and prevent downgrade attacks

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security protocol defined in RFC 8461 that forces TLS encryption for email in transit. Without MTA-STS, email servers use opportunistic TLS via STARTTLS — meaning encryption is attempted but not required. An attacker performing a man-in-the-middle attack can strip the STARTTLS command and force email to be delivered in plain text.

MTA-STS solves this by publishing a policy that tells sending mail servers they must use TLS when delivering email to your domain. If a secure connection cannot be established, the sending server will refuse to deliver the message rather than falling back to unencrypted delivery.

MTA-STS works alongside other email authentication protocols to provide comprehensive protection. While DMARC prevents domain spoofing and SPF authorises legitimate senders, MTA-STS ensures that the connection carrying the message between mail servers is encrypted, so the content cannot be read or altered on that hop.

Example Policy File
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 604800

How MTA-STS Works

1. Sender queries DNS for the _mta-sts TXT record
2. Fetches the policy file over HTTPS
3. Validates the MX hostnames and the TLS certificate
4. Delivers the email only over an encrypted TLS connection

MTA-STS Components

The two parts you need to deploy MTA-STS on your domain

DNS TXT Record

A TXT record at _mta-sts.yourdomain.com signals to sending servers that your domain supports MTA-STS. The record contains a version identifier and a unique policy ID that changes whenever you update your policy, prompting senders to fetch the latest version.

Policy File

A plain text file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. This file must be served over HTTPS with a valid TLS certificate. It specifies which MX hostnames are authorised and how long sending servers should cache the policy.

Policy Modes

MTA-STS supports three modes: testing (report failures but still deliver), enforce (reject delivery if TLS cannot be established), and none (disable the policy). Always start with testing mode.

MX Hostnames

The policy file lists the MX hostnames that sending servers should expect when connecting. These must match your actual MX records. Wildcard prefixes (e.g., *.example.com) are supported for flexibility.
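To make the DNS record format, the policy file format and the MX hostname matching above concrete, here is an added Python example (not part of this page's generator or RFC 8461 itself). It parses a constructed _mta-sts TXT value and the example policy file, then checks a list of constructed MX hostnames against the policy's mx entries using the one-label wildcard rule from RFC 8461.

```python
# Constructed sample inputs; example.com values are illustrative, not real records.
SAMPLE_TXT = "v=STSv1; id=20240101T000000Z"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 604800
"""

def parse_txt_record(txt):
    """Parse the _mta-sts TXT record ('v=STSv1; id=...') into a dict."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("invalid MTA-STS TXT record")
    return fields

def parse_policy(text):
    """Parse the 'key: value' policy file and validate the required fields."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())   # several mx lines are allowed
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy["max_age"])   # seconds the sender may cache
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is needed in testing/enforce mode")
    return policy

def mx_matches(pattern, hostname):
    """A leading '*.' matches exactly one DNS label (RFC 8461), so *.example.com
    covers mail.example.com but not example.com or a.b.example.com."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        prefix = hostname[:-len(suffix)]
        return hostname.endswith(suffix) and bool(prefix) and "." not in prefix
    return hostname == pattern

def uncovered_mx(policy, mx_hosts):
    """Actual MX hosts no mx entry matches; in enforce mode senders would refuse them."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]
```

Run uncovered_mx against your real MX records before switching from testing to enforce; any host it returns would be rejected by MTA-STS-aware senders.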

Common MTA-STS Issues

Troubleshoot the most frequent deployment problems

Policy File Not Accessible

Fix: The file must be served at exactly https://mta-sts.yourdomain.com/.well-known/mta-sts.txt over HTTPS. Ensure you have a DNS A or CNAME record for the mta-sts subdomain and that your web server is configured to serve the file with the correct content type (text/plain).

Certificate Issues

Fix: Both the policy hosting server and your MX servers must have valid TLS certificates. Self-signed or expired certificates will cause MTA-STS validation failures. Sending servers will refuse to deliver email if they cannot establish a trusted TLS connection when your policy is set to enforce mode.

Wrong Policy Mode

Fix: Jumping straight to enforce mode without testing can cause email delivery failures. Always deploy with testing mode first and monitor TLS reports (via SMTP TLS Reporting) for at least two weeks. Only switch to enforce once you are confident that all legitimate sending servers can connect via TLS.

Missing DNS Record

Fix: MTA-STS requires both the DNS TXT record at _mta-sts.yourdomain.com and the HTTPS-hosted policy file. Having one without the other means MTA-STS will not function. Sending servers check the DNS record first, then fetch the policy file for the details.

Automate this: DMARC Busta manages your email authentication stack across all your domains, including MTA-STS configuration, monitoring, and troubleshooting.

Frequently Asked Questions

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a protocol that forces TLS encryption for email delivery to your domain. It prevents man-in-the-middle attacks where an attacker could strip the TLS encryption from email in transit, ensuring that messages are always delivered over a secure, encrypted connection.

Do I need MTA-STS?

MTA-STS is recommended for any organisation that wants to ensure email is encrypted in transit. It is particularly important for businesses handling sensitive information, as it prevents downgrade attacks that could expose email content. Major email providers like Google and Microsoft both support and recommend MTA-STS.

What is the difference between MTA-STS and STARTTLS?

STARTTLS is opportunistic encryption — it attempts to upgrade a connection to TLS but can be stripped by an attacker without the sender or receiver knowing. MTA-STS enforces TLS strictly by publishing a policy that tells sending servers they must use TLS. If TLS cannot be established, the email is not delivered rather than being sent in plain text.

How do I host the MTA-STS policy file?

The policy file must be served at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt over HTTPS with a valid TLS certificate. You can host it on any web server, a CDN, or a static hosting service like GitHub Pages or Cloudflare Pages. The file is plain text and contains your policy mode, authorised MX hostnames, and a max age value.

Secure Your Email in Transit

DMARC Busta helps you manage email authentication across all your domains, including DMARC, SPF, DKIM, and MTA-STS configuration.
