EmailPosture

What Is MTA-STS?

A plain-English explainer. Email Posture.

MTA-STS (Mail Transfer Agent Strict Transport Security) tells other mail servers that they must use an encrypted, properly authenticated TLS connection when delivering email to you, and refuse to deliver if they can't. It closes a real gap: by default, email delivery falls back to an unencrypted connection if encryption isn't available, which an attacker can force on purpose. MTA-STS removes that fallback for your domain.

The problem it solves

Mail servers negotiate encryption opportunistically, meaning they use TLS if both sides support it but quietly fall back to plaintext if not. A network attacker can exploit this with a "downgrade attack," stripping the encryption so they can read or alter messages in transit. MTA-STS lets you publish a policy that says, in effect, "always deliver to me over verified TLS, and if you can't, don't deliver at all."

How it works

You publish two things: a DNS TXT record at _mta-sts.yourdomain.com that signals a policy exists, and a policy file hosted over HTTPS at a well-known URL on your domain that lists your mail servers and the enforcement mode. Sending servers fetch and cache that policy, then enforce TLS on future deliveries. A companion record, TLS-RPT, asks other servers to send you reports when a secure connection fails, so you can spot problems.

Where it fits

MTA-STS protects mail coming to your domain in transit. It's complementary to SPF, DKIM, and DMARC, which prove who a message is from. A strong posture uses both: authentication so you can't be impersonated, and MTA-STS so mail to you can't be silently downgraded and snooped. It's another control most free checkers ignore entirely.

Setting it up

Start in "testing" mode, which reports problems without enforcing, so you can confirm your policy matches your real mail servers before you switch to "enforce." Pair it with TLS-RPT from the start so you get the feedback. Several DNS and email providers now offer hosted MTA-STS that manages the policy file for you, which removes most of the operational fuss.
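The pre-flight check described above, as an added example that is not Email Posture's own code: it parses the two published pieces in the formats RFC 8461 defines (the TXT value at _mta-sts.yourdomain.com and the policy file served at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt) and lists any real MX host the policy does not cover. The function names are hypothetical, and the example.com records and MX list are constructed sample data rather than live lookups.

```python
# Added example; every domain, id and hostname below is constructed sample data.
SAMPLE_TXT = "v=STSv1; id=20260101T000000"      # TXT value at _mta-sts.example.com
SAMPLE_POLICY = ("version: STSv1\r\nmode: testing\r\nmx: mail.example.com\r\n"
                 "mx: *.mx.example.net\r\nmax_age: 86400\r\n")  # HTTPS policy body
SAMPLE_MX = ["mail.example.com", "a.mx.example.net", "backup.example.org"]

def parse_txt(txt):
    """Parse the _mta-sts TXT value; it must start with v=STSv1 and carry an id."""
    fields = [tuple(s.strip() for s in part.partition("=")[::2])
              for part in txt.split(";") if part.strip()]
    if not fields or fields[0] != ("v", "STSv1"):
        raise ValueError("TXT value must start with v=STSv1")
    record = dict(fields)
    if not record.get("id", "").isalnum() or len(record["id"]) > 32:
        raise ValueError("id must be 1-32 letters or digits")
    return record

def parse_policy(text):
    """Parse the policy file's key/value lines and validate the required fields."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition(":"))
        if sep and key == "mx":
            policy["mx"].append(value.lower())
        elif sep:
            policy.setdefault(key, value)
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("testing/enforce policies need at least one mx line")
    return policy

def mx_allowed(host, patterns):
    """True if host matches an mx pattern; '*.' covers exactly one leftmost label."""
    host = host.lower().rstrip(".")
    return any(host.partition(".")[2] == p[2:] if p.startswith("*.") else host == p
               for p in patterns)

def unlisted_mx(policy, mx_hosts):
    """MX hosts the policy does not cover; enforcing senders would not deliver to them."""
    return [h for h in mx_hosts if not mx_allowed(h, policy["mx"])]

if __name__ == "__main__":
    print(parse_txt(SAMPLE_TXT)["id"], unlisted_mx(parse_policy(SAMPLE_POLICY), SAMPLE_MX))
```

An empty result from `unlisted_mx` is the condition to look for before changing `mode` from testing to enforce; the sample data deliberately leaves one backup MX outside the policy.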

Our free checker reports whether MTA-STS is in place, along with SPF, DKIM, DMARC, and DNSSEC, so you can see your whole posture at once.
