MTA-STS Generator

MTA-STS Record Generator

Create Mail Transfer Agent Strict Transport Security (MTA-STS) records to enhance email security

Score:50/100

2 Errors1 WarningStep 1 of 4

Domain Configuration

Domain Information

Domain *Enter the domain that will use MTA-STS for secure email delivery

Policy Mode

None

Disable MTA-STS (not recommended)

Testing

Monitor without enforcement (recommended first step)

Enforce

Actively enforce policy (production)

Policy is active but not enforced. Violations are reported but delivery continues.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) enables policy-driven authentication, encryption, and verification for SMTP connections, preventing man-in-the-middle attacks and downgrade attacks.

Policy will be published at: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

Live Preview

Score:50/100

Configure your domain and policy settings above to generate MTA-STS records

MTA-STS Information & Resources

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a security standard defined in RFC 8461 that enables policy-driven authentication, encryption, and verification for SMTP connections between mail servers.

It helps prevent man-in-the-middle attacks and TLS downgrade attacks by ensuring that email delivery to your domain always uses encrypted connections and validates server certificates.

Key Benefits:

Prevents TLS Downgrade Attacks: Ensures encrypted email delivery
Certificate Validation: Verifies MX server certificates
Policy Enforcement: Allows testing before full enforcement
Failure Reporting: Works with TLS-RPT for monitoring

How MTA-STS Works

MTA-STS works through a two-part system:

1. DNS TXT Record

Published at _mta-sts.yourdomain.com, this record indicates that MTA-STS is enabled and provides a policy ID for cache management.

v=STSv1; id=20241201120000Z;

2. Policy File

Hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, this file contains the actual policy rules and authorized MX servers.

version: STSv1
mode: enforce
mx: mail.example.com
mx: *.google.com
max_age: 604800

The sending mail server checks the DNS record, fetches the policy file, and enforces the rules when delivering email to your domain.

Policy Modes Explained

Mode	Behavior	Use Case
none	Policy exists but provides no security benefit. Equivalent to having no MTA-STS policy.	Disabling MTA-STS temporarily or initial setup testing
testing	Policy violations are reported via TLS-RPT but email delivery continues normally.	Recommended first step: Monitor for potential issues before enforcement
enforce	Policy is actively enforced. Non-compliant email delivery attempts will be rejected.	Production deployment after successful testing period

Important: Always start with "testing" mode and monitor TLS-RPT reports for at least a week before switching to "enforce" mode.

Deployment Guide

Step-by-Step Deployment Process

1Generate Records
Use this tool to generate your MTA-STS DNS record and policy file content
2Setup DNS Records
Add the MTA-STS TXT record to your DNS provider at _mta-sts.yourdomain.com
3Create Subdomain
Set up mta-sts.yourdomain.com with a valid SSL certificate
4Upload Policy File
Upload the policy file to https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
5Start in Testing Mode
Deploy with mode "testing" and enable TLS-RPT to monitor for issues
6Monitor and Enforce
After 1-2 weeks of monitoring, switch to "enforce" mode if no issues are found

Best Practices & Tips

deployment

Start with Testing Mode
Always deploy MTA-STS in "testing" mode first to monitor for any delivery issues before enforcing.
Use Appropriate Max Age
Use shorter max_age values (1 week) during testing, and longer values (1 month+) in enforce mode.
Monitor Policy Updates
Update the policy ID whenever you make changes to the policy file content.

security

Include All MX Records
Ensure all legitimate MX records are included in the policy to prevent delivery failures.
Use Wildcards Carefully
Wildcard MX records (*.example.com) provide flexibility but should be used cautiously.
HTTPS Policy Hosting
Ensure the policy file is served over HTTPS with a valid certificate from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

monitoring

Enable TLS-RPT
Enable TLS-RPT alongside MTA-STS to receive reports about TLS failures and policy violations.
Regular Policy Review
Regularly review and update your MTA-STS policy as your email infrastructure changes.

Common Issues & Solutions

IssueEmail Delivery Failures After Enabling Enforce Mode

Symptoms: Legitimate emails are being rejected or bouncing

Causes:

Missing MX servers in the policy file
MX servers without proper SSL certificates
Third-party email services not included in policy

Solutions:

Switch back to "testing" mode temporarily
Review TLS-RPT reports to identify missing MX servers
Add all legitimate MX servers to the policy
Verify SSL certificates on all MX servers

IssuePolicy File Not Accessible

Symptoms: DNS record exists but policy file returns 404 or SSL errors

Solutions:

Verify the policy file is uploaded to the exact path: /.well-known/mta-sts.txt
Ensure the subdomain mta-sts.yourdomain.com has a valid SSL certificate
Check that the web server serves the file with Content-Type: text/plain
Test accessibility from external networks

IssuePolicy Changes Not Taking Effect

Cause: Sending servers cache policies based on max_age and policy ID

Solutions:

Update the policy ID in the DNS record when making policy file changes
Wait for the max_age duration for changes to propagate
Use shorter max_age values during testing phase
Consider that some servers may take longer to update their cache

Testing & Validation Tools

Use these tools to test and validate your MTA-STS implementation:

MXToolbox MTA-STS Lookup
Check if your MTA-STS DNS record is properly configured
https://mxtoolbox.com/mta-sts.aspx
EasyDMARC MTA-STS Checker
Comprehensive validation of both DNS and policy file
https://easydmarc.com/tools/mta-sts-checker
Hardenize Security Scanner
Full email security analysis including MTA-STS
https://www.hardenize.com/
Manual Testing
Direct policy file access test
curl https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

Test your implementation thoroughly before switching from "testing" to "enforce" mode.

Additional Resources

Technical Documentation

RFC 8461 - SMTP MTA Strict Transport SecurityOfficial
RFC 8460 - SMTP TLS ReportingRelated

Implementation Guides

Microsoft 365 MTA-STS Implementation Guide
Cloudflare MTA-STS Configuration
Google Workspace Email Security Setup
CISA Email Security Best Practices

Generator Tools

EasyDMARC MTA-STS Generator
Skysnag MTA-STS Record Generator
PowerDMARC Toolbox
YourDMARC MTA-STS Generator

Mode

Behavior

Use Case

none

Policy exists but provides no security benefit. Equivalent to having no MTA-STS policy.

Disabling MTA-STS temporarily or initial setup testing

testing

Policy violations are reported via TLS-RPT but email delivery continues normally.

Recommended first step: Monitor for potential issues before enforcement

enforce

Policy is actively enforced. Non-compliant email delivery attempts will be rejected.

Production deployment after successful testing period

MTA-STS Record Generator

Domain Configuration

Domain Information

Policy Mode

MTA-STS Information & Resources

Key Benefits:

1. DNS TXT Record

2. Policy File

Step-by-Step Deployment Process

deployment

security

monitoring

Technical Documentation

Implementation Guides

Generator Tools

Settings

System Utilization

MTA-STS Record Generator

Domain Configuration

Domain Information

Policy Mode

MTA-STS Information & Resources

Key Benefits:

1. DNS TXT Record

2. Policy File

Step-by-Step Deployment Process

deployment

security

monitoring

Technical Documentation

Implementation Guides

Generator Tools