MTA-STS Record Checker

Without MTA-STS, email delivered to your domain travels over unencrypted connections — vulnerable to interception. Enter your domain to check your MTA-STS record and verify TLS enforcement is configured.

Understanding MTA-STS

What is MTA-STS?

Mail Transfer Agent Strict Transport Security (MTA-STS) tells sending servers that your domain requires TLS encryption for email delivery. Without it, email can be downgraded to unencrypted transmission via MITM attacks.

How does MTA-STS work?

MTA-STS uses two components: a DNS TXT record at _mta-sts.{domain} and a policy file at https://mta-sts.{domain}/.well-known/mta-sts.txt. The TXT record signals support, and the policy file specifies the MX hosts and enforcement mode.

What are the MTA-STS modes?

'enforce' requires TLS and rejects delivery if encryption fails. 'testing' logs failures without rejecting (good for rollout). 'none' disables the policy.
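
An added example, not InboxEagle's code: a minimal offline validator for the TXT record, the policy file and the modes described above, applying the field rules from RFC 8461. The function names, the sample record and the sample policy are constructed for illustration, and extension fields in the TXT record are not handled.

```python
import re

# Field rules follow RFC 8461. Helper names are hypothetical, inputs are constructed.
TXT_RE = re.compile(r"^v=STSv1\s*;\s*id=([A-Za-z0-9]{1,32})\s*;?\s*$")
MAX_AGE_LIMIT = 31557600  # upper bound for max_age, in seconds

def parse_txt(txt):
    """Return the policy id from the _mta-sts TXT value, or None if malformed."""
    m = TXT_RE.match(txt.strip())
    return m.group(1) if m else None

def parse_policy(text):
    """Parse the 'key: value' policy body and return (policy, errors)."""
    policy, errors = {"mx": []}, []
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = (p.strip() for p in line.partition(":"))
        if not sep:
            errors.append(f"malformed line: {line!r}")
        elif key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)  # first occurrence of a key wins
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        errors.append("mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not (age.isascii() and age.isdigit() and int(age) <= MAX_AGE_LIMIT):
        errors.append("max_age missing or out of range")
    if policy.get("mode") != "none" and not policy["mx"]:
        errors.append("at least one mx pattern is required")
    return policy, errors

def mx_allowed(mx_host, patterns):
    """True if mx_host matches a policy mx pattern; '*.' covers one left-most label."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        wildcard = pat.startswith("*.") and len(pat) > 2
        if host == pat or (wildcard and host.partition(".")[2] == pat[2:]):
            return True
    return False

SAMPLE_TXT = "v=STSv1; id=20240101T000000"  # constructed
SAMPLE_POLICY = ("version: STSv1\nmode: testing\nmx: mail.example.com\n"
                 "mx: *.mx.example.com\nmax_age: 86400\n")  # constructed

if __name__ == "__main__":
    policy, errors = parse_policy(SAMPLE_POLICY)
    print(parse_txt(SAMPLE_TXT), policy["mode"], errors)
```

Running `mx_allowed` over the hosts your MX records actually return shows whether a move from 'testing' to 'enforce' would leave any of them outside the policy.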

Do I need MTA-STS?

If your domain sends or receives email, MTA-STS protects against downgrade attacks where an attacker strips TLS encryption from email in transit. It's especially important for domains handling sensitive information.

Why We Built This Tool

Most teams publish MTA-STS and assume TLS enforcement is working — but policy files go missing, DNS records stop resolving, or certificates expire silently. Without periodic verification, email starts downgrading to unencrypted connections weeks after a configuration breaks.

What Goes Wrong Without This

Email downgrade attacks let attackers intercept unencrypted messages. When MTA-STS policy breaks (missing file, DNS misconfiguration, or certificate errors), mail servers silently fall back to unencrypted SMTP. ISPs and attackers can then read the email, and teams don't discover the failure until data loss occurs.

Who This Tool Is For

E-commerce & DTC Brands

Verify MTA-STS is enforced for your domain — protects customer email from MITM interception during transit.

Email Marketing Agencies

Audit MTA-STS implementation across client domains. Validate TLS enforcement matches security policies and identify missing or misconfigured policy files.

B2B SaaS & Outbound Teams

Monitor MTA-STS status for sending and receiving domains. Ensure TLS enforcement policies are live and responsive before enforcement impacts deliverability.

Frequently Asked Questions

What is MTA-STS and why does it matter?

MTA-STS (Mail Transfer Agent Strict Transport Security) enforces TLS encryption for email sent to your domain. Without it, email can be downgraded to unencrypted transmission via MITM attacks, exposing sensitive messages in transit.

What's the difference between enforce and testing modes?

'enforce' mode rejects unencrypted delivery entirely — if TLS fails, email bounces. 'testing' mode logs failures without rejecting, letting you validate your MX configuration before enforcement. Most teams start in 'testing' for 30 days, then move to 'enforce'.

How do I implement MTA-STS?

Create two resources: (1) A DNS TXT record at _mta-sts.yourdomain.com pointing to your policy version, and (2) A policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt listing your MX servers. Both must be correct for MTA-STS to work.

Do I need an InboxEagle account to use this tool?

No. This tool is completely free and requires no account or sign-up. InboxEagle provides it as a standalone resource for email marketers, developers, and agencies.

TLS Encryption Breaks Without Warning. You Need to Know.

Stop running manual checks. InboxEagle monitors your sender reputation, authentication, and blacklist status 24/7 — and alerts you the moment something breaks.
