Free MTA-STS Checker — Verify Email Transport Security Policy

Check whether your domain publishes a valid MTA-STS record. MTA-STS tells sending mail servers that they must use TLS when delivering to your domain, which prevents downgrade attacks and eavesdropping on mail in transit.

Why MTA-STS Matters for Email Security

Without MTA-STS

  • Emails delivered over unencrypted SMTP are vulnerable to eavesdropping
  • Attackers can strip TLS via man-in-the-middle downgrade attacks
  • No signal to sending servers that your domain requires secure transport
  • Compliance frameworks (HIPAA, GDPR) increasingly require TLS enforcement

With MTA-STS

  • Sending servers verify TLS before delivering mail to your domain
  • Downgrade attacks fail — in enforce mode the sending server refuses to deliver if TLS cannot be established
  • Policy modes — none, testing, enforce — allow gradual rollout
  • Pair with TLS-RPT to receive reports when TLS delivery failures occur

What This MTA-STS Checker Returns

We query the TXT record at _mta-sts.yourdomain.com and return its full content and validation status.

  • MTA-STS record found or missing status
  • Full raw TXT record starting with v=STSv1
  • Validation result — valid, invalid, or multiple records
  • Live DNS lookup — no cached or stale results

Common MTA-STS Use Cases

MTA-STS is especially important for domains handling sensitive or regulated email.

  • Initial setup verification — confirm the MTA-STS record is live after publishing it in DNS
  • Policy mode audit — verify enforce vs. testing mode after a policy rollout
  • Post-migration check — confirm the MTA-STS record survived a domain or DNS provider change
  • Compliance audit — validate TLS enforcement for HIPAA, GDPR, or ISO 27001 requirements
  • Security review — include MTA-STS in a full email infrastructure security assessment
  • Troubleshooting — diagnose incoming mail failures that may stem from TLS policy misconfiguration

How to Read MTA-STS Results

Understanding the result helps you correctly configure and troubleshoot TLS enforcement for your domain.

Check the Record Status

Valid means the MTA-STS DNS TXT record was found and starts with v=STSv1. Not Found means TLS enforcement is not signaled to sending servers. Invalid means the record is malformed or duplicated.

Review the Raw Record

The raw TXT record shows the full MTA-STS entry including version and optional fields. Confirm it matches what your DNS provider shows.

Check the Policy File

MTA-STS also requires a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The DNS record and the policy file must both be present and consistent.

Verify the Mode

Start in testing mode (mode: testing) to receive TLS-RPT reports (provided you have also published a TLS-RPT record) without blocking mail. Switch to enforce mode only after confirming that all senders can deliver over TLS successfully.
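The statuses described under "What This MTA-STS Checker Returns" and the reading steps above can be expressed as a small validator. The following is an added example, not the checker's own code, and it goes one step beyond the tool by also parsing the policy file, since the page says both must be present and consistent. The syntax rules it enforces (a required alphanumeric id of up to 32 characters in the TXT record; version, mode, max_age and mx keys in the policy; a max_age ceiling of 31557600 seconds) come from RFC 8461, which the page cites but does not spell out. All record and policy texts are constructed sample data, not live lookups.

```python
"""Offline validation of MTA-STS DNS records and policy files (RFC 8461).

Added example, not the checker's own code. All inputs are constructed.
"""
import re
from typing import Dict, List, Optional

# RFC 8461 section 3.1: the TXT record is "v=STSv1; id=<1..32 alphanumerics>".
STS_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")
# RFC 8461 section 3.2: policy modes and the upper bound on max_age (one year).
VALID_MODES = {"none", "testing", "enforce"}
MAX_AGE_LIMIT = 31557600


def _split_fields(raw: str) -> Optional[Dict[str, str]]:
    """Split 'k=v; k2=v2;' into a dict; return None on a malformed field."""
    out: Dict[str, str] = {}
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue                      # a trailing ';' is permitted
        if "=" not in part:
            return None                   # bare token: syntax error
        key, value = part.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def validate_sts_txt(records: List[str]) -> Dict[str, object]:
    """Classify the TXT record set at _mta-sts.<domain>.

    Statuses match the ones the checker page describes: not_found, multiple,
    invalid, valid. Unrelated TXT data at the same name is ignored.
    """
    sts = [r.strip() for r in records if r.strip().startswith("v=STSv1")]
    if not sts:
        return {"status": "not_found"}
    if len(sts) > 1:
        # Senders treat more than one record as "no policy" (RFC 8461 3.1).
        return {"status": "multiple", "raw": sts}
    raw = sts[0]
    fields = _split_fields(raw)
    sts_id = fields.get("id") if fields else None
    if (fields is None or fields.get("v") != "STSv1"
            or not sts_id or not STS_ID_RE.match(sts_id)):
        return {"status": "invalid", "raw": raw}
    return {"status": "valid", "raw": raw, "id": sts_id}


def parse_policy(text: str) -> Dict[str, object]:
    """Parse the body of /.well-known/mta-sts.txt and collect syntax errors.

    Required keys: version, mode, max_age; at least one mx unless mode is none.
    """
    mx: List[str] = []
    scalars: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            errors.append(f"line {lineno}: expected 'key: value'")
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            mx.append(value)
        elif key in ("version", "mode", "max_age"):
            if key in scalars:
                errors.append(f"line {lineno}: duplicate {key}")
            scalars[key] = value
        # Unknown keys are allowed for extensibility and ignored by senders.
    if scalars.get("version") != "STSv1":
        errors.append("version must be STSv1")
    mode = scalars.get("mode")
    if mode not in VALID_MODES:
        errors.append(f"mode must be one of {sorted(VALID_MODES)}")
    if not (scalars.get("max_age", "").isdigit()
            and int(scalars["max_age"]) <= MAX_AGE_LIMIT):
        errors.append(f"max_age must be an integer of seconds, 0..{MAX_AGE_LIMIT}")
    if mode != "none" and not mx:
        errors.append("at least one mx entry is required unless mode is none")
    for host in mx:
        # Simplified host pattern: an optional leading wildcard label only.
        if not re.fullmatch(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", host):
            errors.append(f"mx {host!r} is not a valid host pattern")
    return {**scalars, "mx": mx, "errors": errors, "valid": not errors}


def check_domain(txt_records: List[str], policy_text: Optional[str]) -> str:
    """Combine both checks: the DNS record AND the policy file must be valid."""
    dns = validate_sts_txt(txt_records)
    if dns["status"] != "valid":
        return f"dns:{dns['status']}"
    if policy_text is None:
        return "dns:valid policy:missing"
    policy = parse_policy(policy_text)
    if not policy["valid"]:
        return "dns:valid policy:invalid"
    return f"dns:valid policy:{policy['mode']}"


# Constructed sample data standing in for a live lookup and a policy fetch.
SAMPLE_TXT_VALID = ["v=spf1 -all", "v=STSv1; id=20240101T000000Z;"]
SAMPLE_TXT_MULTIPLE = ["v=STSv1; id=a1", "v=STSv1; id=a2"]
SAMPLE_TXT_INVALID = ["v=STSv1"]                 # id is missing
SAMPLE_POLICY_TESTING = (
    "version: STSv1\nmode: testing\n"
    "mx: mail.example.com\nmx: *.backup.example.net\nmax_age: 604800\n"
)
SAMPLE_POLICY_BAD = "version: STSv1\nmode: enforce\nmax_age: 604800\n"  # no mx

if __name__ == "__main__":
    print(validate_sts_txt(SAMPLE_TXT_VALID))
    print(check_domain(SAMPLE_TXT_VALID, SAMPLE_POLICY_TESTING))
    print(parse_policy(SAMPLE_POLICY_BAD)["errors"])
```

Feeding `check_domain` the output of a real TXT lookup and an HTTPS fetch of `https://mta-sts.yourdomain.com/.well-known/mta-sts.txt` would reproduce the DNS-only result the checker gives and add the policy-file half of the picture; a domain that reports `dns:valid policy:missing` or `policy:invalid` is one where senders will fall back to treating the domain as having no policy.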

Who Uses MTA-STS Checker

MTA-STS verification is used by email administrators, security teams, and compliance officers.

  • Email administrators verifying that the TLS enforcement policy is active and correct
  • Security engineers auditing email transport security for compliance reviews
  • IT managers checking MTA-STS as part of a broader email infrastructure assessment
  • Deliverability consultants verifying domain security configuration for clients
  • Compliance officers validating TLS-in-transit requirements for regulated industries

Frequently Asked Questions

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard (RFC 8461) that signals to sending mail servers that your domain requires TLS for email delivery. It prevents downgrade attacks that strip TLS from SMTP connections.

What DNS record does MTA-STS use?

MTA-STS requires a TXT record at _mta-sts.yourdomain.com starting with v=STSv1. It also requires a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.

What are the MTA-STS policy modes?

There are three modes: none (reporting only, no enforcement), testing (report failures but still deliver), and enforce (reject delivery if TLS cannot be established). Start with testing to monitor before switching to enforce.

Does MTA-STS replace STARTTLS?

No. STARTTLS upgrades connections to TLS opportunistically but can be stripped by attackers. MTA-STS adds strict enforcement and certificate validation on top of STARTTLS, preventing downgrade attacks.

What is TLS-RPT and how does it relate to MTA-STS?

TLS-RPT (TLS Reporting, RFC 8460) delivers aggregate reports about TLS delivery failures to a specified email address or HTTPS endpoint. Pair it with MTA-STS to be notified when TLS delivery to your domain fails.

Will MTA-STS block legitimate email?

In enforce mode, yes — if a sending server cannot establish a valid TLS connection, it will refuse to deliver. Use testing mode first to identify any senders that have TLS issues before switching to enforce.

How does this checker verify MTA-STS?

The tool queries the _mta-sts DNS TXT record in real time and returns the raw record content and validation status. Note: this tool checks the DNS record only, not the policy file hosted at mta-sts.yourdomain.com.

Does this tool store the domains I check?

No. All DNS lookups are performed in real time without retaining any domain data after the query completes.