Free MTA-STS Checker Tool

MTA-STS Checker

Enter any domain to check its MTA-STS configuration. We validate the DNS record, fetch the policy file, check the enforcement mode, and verify TLS-RPT reporting so you know whether encrypted email delivery is actually being enforced.

What Your Results Mean

Understanding Your MTA-STS Check

Here's what each result means and what to do next.

MTA-STS Pass

Your domain enforces encrypted email delivery

A passing result means your MTA-STS DNS record exists, your policy file is correctly hosted and formatted, and your policy mode is set to enforce. Sending servers that support MTA-STS will require a verified TLS connection before delivering email to your domain. To complete your encrypted delivery setup, make sure TLS-RPT is also configured so you get reports when connections fail.

  • Valid MTA-STS DNS record found
  • Policy file is accessible and correctly formatted
  • Policy mode is set to enforce
  • MX hosts are listed and match your mail servers
Common MTA-STS Issues

Common MTA-STS Problems and How to Fix Them

These are the MTA-STS problems we see most often. If your check flagged any of these, here's what they mean and how to fix them.

Missing Policy File

DNS record without the policy

MTA-STS requires two components working together: a TXT record at _mta-sts.yourdomain.com in DNS and a policy file hosted on your web server. Many domains publish the DNS record but forget to host the policy file (or host it at the wrong URL). The policy file must be served at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt over HTTPS with a certificate that is valid for that hostname, and it must be served directly: sending servers do not follow HTTP redirects when fetching it. Without it, sending servers find the DNS record but have no policy to follow.

  • The DNS record exists but the policy file is not accessible
  • MTA-STS requires both a DNS record AND a hosted policy file
  • Fix: host mta-sts.txt at https://mta-sts.yourdomain.com/.well-known/
How to host your policy file (Coming Soon)

Stuck in Testing Mode

Monitoring but not protecting

Testing mode is the right way to start with MTA-STS. It tells sending servers to attempt TLS and report failures, but still allows plaintext delivery if TLS fails. The problem is staying in testing mode indefinitely. While it gives you visibility through TLS-RPT reports, it does not actually prevent downgrade attacks. Once you have confirmed that all major senders can establish TLS connections, switch to enforce mode. Keep in mind that senders cache your policy for up to max_age seconds, so change the id value in the _mta-sts TXT record whenever you change the policy; otherwise senders that have a cached copy will keep using the old mode until it expires.

  • Testing mode reports TLS failures but still delivers in plaintext
  • Your domain is not actually protected from downgrade attacks
  • Fix: review TLS-RPT reports, then change mode to enforce
How to move to enforce mode (Coming Soon)

MX Host Mismatch

Policy and DNS out of sync

The MX hosts listed in your MTA-STS policy file must cover the MX records in your DNS. Each mx line is either an exact hostname or a wildcard such as *.mail.example.com, which matches exactly one label in place of the asterisk. If a sending server resolves your MX records and finds a host that matches no mx line in the policy, it will not deliver to that server in enforce mode (and will not deliver at all if none of your MX hosts match) or will report a failure in testing mode. This is especially common after changing email providers or adding backup mail servers without updating the policy file. After editing the policy, also change the id value in the _mta-sts TXT record so senders holding a cached copy fetch the new one.

  • Policy file lists different MX hosts than your DNS MX records
  • Sending servers may refuse delivery to unlisted hosts
  • Fix: update the mx lines in your policy file to match DNS
How to configure MX hosts (Coming Soon)

No TLS-RPT Configured

No reporting on encrypted delivery

TLS-RPT is the companion protocol to MTA-STS. It tells sending servers where to send reports when they encounter TLS connection issues with your mail servers. Without TLS-RPT, you have no way to know when encrypted delivery is failing. You could be losing emails or falling back to plaintext without any visibility. Adding a TLS-RPT record takes minutes and gives you the data you need to troubleshoot and maintain MTA-STS.

  • Without TLS-RPT, you have no visibility into TLS connection failures
  • You won't know when sending servers fail to establish encrypted connections
  • Fix: publish a TLS-RPT TXT record at _smtp._tls.yourdomain.com
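The four problems above (missing policy file, testing mode, MX mismatch, no TLS-RPT) are all things you can catch by parsing the records yourself. The script below is an added example written for this page, not the checker tool's own code: it validates the _mta-sts TXT record, the mta-sts.txt policy body, the policy's mx lines against the DNS MX hosts (including the single-label wildcard form), and the _smtp._tls TXT record, following the record formats in RFC 8461 and RFC 8460. All inputs are constructed sample strings (example.com / example.net hosts, a made-up report address); a real checker would fetch them over DNS and HTTPS instead.

```python
"""Offline MTA-STS / TLS-RPT consistency check on constructed records.

Added example for this page, not the checker tool's own code. Record
formats follow RFC 8461 (MTA-STS) and RFC 8460 (TLS-RPT). Every input
below is constructed for the demo; a live checker would fetch the TXT
records via DNS and the policy via HTTPS.
"""

# --- constructed inputs -------------------------------------------------
MTA_STS_TXT = "v=STSv1; id=20240115T120000"                   # _mta-sts.example.com TXT
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"  # _smtp._tls.example.com TXT
POLICY_TXT = """version: STSv1
mode: testing
mx: mx1.example.com
mx: *.mail.example.net
max_age: 604800
"""
DNS_MX = ["mx1.example.com", "mx2.example.com", "backup.mail.example.net"]


def parse_tagged_txt(txt: str, expected_version: str) -> dict:
    """Parse a 'k=v; k=v' TXT record; return {} if the v= tag is not the one expected."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == expected_version else {}


def parse_policy(text: str) -> dict:
    """Parse an mta-sts.txt body into {'version', 'mode', 'mx': [...], 'max_age'}."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())   # repeated key: collect all mx lines
        else:
            policy[key] = value
    return policy


def mx_matches(host: str, pattern: str) -> bool:
    """RFC 8461 mx matching: exact host, or '*.' standing in for exactly one leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def check(sts_txt, policy_text, dns_mx, tlsrpt_txt) -> list:
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    sts = parse_tagged_txt(sts_txt, "STSv1")
    if not sts or not sts.get("id"):
        findings.append("dns: missing or invalid _mta-sts TXT record")
    if policy_text is None:   # None models an unreachable /.well-known/mta-sts.txt
        findings.append("policy: policy file not reachable at /.well-known/mta-sts.txt")
    else:
        policy = parse_policy(policy_text)
        if policy.get("version") != "STSv1":
            findings.append("policy: version must be STSv1")
        mode = policy.get("mode")
        if mode not in ("enforce", "testing", "none"):
            findings.append(f"policy: unknown mode {mode!r}")
        elif mode != "enforce":
            findings.append(f"policy: mode is {mode}, plaintext fallback still allowed")
        if not policy.get("max_age", "").isdigit():
            findings.append("policy: max_age missing or not an integer")
        # every DNS MX host must be covered by at least one mx line
        for host in dns_mx:
            if not any(mx_matches(host, p) for p in policy["mx"]):
                findings.append(f"mx: DNS MX host {host} matches no mx line in the policy")
    rpt = parse_tagged_txt(tlsrpt_txt, "TLSRPTv1")
    if not rpt or not rpt.get("rua"):
        findings.append("tlsrpt: missing _smtp._tls TXT record or rua= destination")
    return findings


if __name__ == "__main__":
    for finding in check(MTA_STS_TXT, POLICY_TXT, DNS_MX, TLSRPT_TXT):
        print(finding)
```

With the constructed inputs the script reports two findings: the policy is still in testing mode, and mx2.example.com is not covered by any mx line (backup.mail.example.net is fine because *.mail.example.net matches it). Swapping mode to enforce and listing every MX host clears both.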
Why It Matters

Why MTA-STS Matters for Your Business

MTA-STS is the protocol that enforces encrypted email delivery. Without it, SMTP TLS is opportunistic: an attacker on the network path can strip the STARTTLS offer or break the handshake, and the sending server silently falls back to plaintext, exposing your messages to interception.

Email Can Be Intercepted in Transit

Without MTA-STS, attackers positioned on the network path can perform TLS downgrade attacks that force email connections to fall back to unencrypted plaintext. This allows them to read, modify, or redirect messages in transit. MTA-STS prevents this by requiring sending servers to use TLS with a certificate that is valid for the MX host, and to deliver only to MX hosts named in your policy.

TLS Support Alone Is Not Enough

Most mail servers support TLS, but support is not the same as enforcement. Without MTA-STS, a sending server that encounters a TLS error (no STARTTLS offered, a failed handshake, an untrusted certificate) will silently fall back to plaintext rather than refusing delivery. MTA-STS in enforce mode changes that behavior by telling senders to fail, queue the message, and report rather than downgrade.

You Have No Visibility Into Delivery Failures

Without TLS-RPT alongside MTA-STS, you have no way to know when sending servers fail to establish encrypted connections with your mail servers. TLS failures can cause lost emails or plaintext delivery, and you only find out when someone reports a missing message.

Compliance and Security Frameworks Expect It

Security frameworks and compliance standards increasingly expect encrypted email delivery. MTA-STS demonstrates that your organization actively enforces transport-layer security rather than relying on opportunistic TLS that can be bypassed.
Complete Protocol Coverage

Check Your Full Email Authentication with iO™ DMARC

MTA-STS is one piece of the puzzle. Use these tools to check the rest of your email authentication stack.

SPF

SPF Checker

Validate your SPF record and confirm which servers are authorized to send on your behalf. SPF verifies the sender; MTA-STS protects the delivery path.

Check SPF
DKIM

DKIM Checker

Verify your DKIM signature to make sure outgoing emails are cryptographically signed. DKIM protects message integrity; MTA-STS protects the connection.

Check DKIM
DMARC

DMARC Checker

Check your DMARC policy and alignment. DMARC enforces authentication at the sender level, while MTA-STS enforces encryption at the transport level.

Check DMARC
BIMI

BIMI Checker

See if your domain qualifies to display your brand logo in supported inboxes. BIMI is the visible reward of a fully authenticated, securely delivered email.

Check BIMI
TLS-RPT

TLS-RPT Checker

Verify your TLS reporting setup. TLS-RPT is the reporting companion to MTA-STS: it tells you when enforced encryption fails so you can act on it.

Check TLS-RPT
Email Audit

Email Authentication Audit

Get a complete picture of your SPF, DKIM, DMARC, BIMI, and MTA-STS configuration in one report. See what’s working, what’s broken, and what to fix first.

Run Free Audit

Ready to secure your email domain?

MTA-STS secures the delivery path. iO™ DMARC manages that and every other layer of your email authentication.

Learn More

Learn About MTA-STS

Want to go deeper? These guides explain how MTA-STS works, how to set it up, and how TLS-RPT reporting fits into your email security stack.

What Is MTA-STS and How to Set It Up

A complete guide to MTA-STS: what it does, how to create the DNS record and policy file, how to choose between testing and enforce mode, and how to maintain your configuration.
Read the guide (Coming Soon)

Check Your TLS-RPT Configuration

TLS-RPT is the companion to MTA-STS. Use our free checker to verify that your TLS reporting is configured and that you are receiving encrypted delivery failure reports.

Managed MTA-STS and TLS-RPT

Don't want to host policy files and parse TLS reports yourself? iO DMARC handles MTA-STS policy hosting, TLS-RPT configuration, and encrypted delivery monitoring for you.

Ready to Enforce Encrypted Email Delivery?

Found issues with your MTA-STS configuration? Or just want someone to handle encrypted delivery and TLS reporting so you don't have to think about it? Let's talk.

Want Encrypted Delivery, Enforced?

iO™ DMARC generates your MTA-STS policy, hosts the policy file for you, and alerts you the moment a connection falls back to unencrypted. One less piece of DNS to babysit.

Explore iO™ DMARC
Free MTA-STS configuration review
Policy file hosting included
TLS-RPT monitoring and reporting
Full email authentication stack managed