MTA-STS Record Checker
Without MTA-STS, email delivered to your domain travels over unencrypted connections — vulnerable to interception. Enter your domain to check your MTA-STS record and verify TLS enforcement is configured.
MTA-STS Record at
Get your MTA-STS validation report + TLS security guide
No spam. Unsubscribe any time.
Report sent! Check your inbox in the next few minutes.
Understanding MTA-STS
What is MTA-STS?
Mail Transfer Agent Strict Transport Security (MTA-STS) tells sending servers that your domain requires TLS encryption for email delivery. Without it, email can be downgraded to unencrypted transmission via MITM attacks.
How does MTA-STS work?
MTA-STS uses two components: a DNS TXT record at _mta-sts.{domain} and a policy file at https://mta-sts.{domain}/.well-known/mta-sts.txt. The TXT record signals support, and the policy file specifies the MX hosts and enforcement mode.
What are the MTA-STS modes?
'enforce' requires TLS and rejects delivery if encryption fails. 'testing' logs failures without rejecting (good for rollout). 'none' disables the policy.
Do I need MTA-STS?
If your domain sends or receives email, MTA-STS protects against downgrade attacks where an attacker strips TLS encryption from email in transit. It's especially important for domains handling sensitive information.
Related Free Tools
TLS Encryption Breaks Without Warning. You Need to Know.
Stop running manual checks. InboxEagle monitors your sender reputation, authentication, and blacklist status 24/7 — and alerts you the moment something breaks.
Start Free 14-Day TrialNo credit card required · Cancel anytime