MTA-STS Record & Policy Generator

MTA-STS requires two things: a DNS record and a policy file at a specific HTTPS URL. Missing either one makes the whole setup fail. Generate both here.

How should sending servers handle TLS failures when delivering to your domain?

How long sending servers should cache your MTA-STS policy.

One MX host per line. These are the mail servers authorized to receive email for your domain.

DNS TXT Record

DNS Record Name

_mta-sts.yourdomain.com
TXT

Record Value

v=STSv1; id=;

Policy File

File Location

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

File Content

version: STSv1
mode: testing
max_age: 604800

Host this file at the exact URL shown above. Your web server must serve it over HTTPS.

How to set up MTA-STS

  1. Add the DNS TXT record above at _mta-sts in your DNS provider
  2. Create the policy file with the content shown above
  3. Host the policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  4. Ensure HTTPS is properly configured on mta-sts.yourdomain.com
  5. Test with the MTA-STS Checker

Understanding MTA-STS

What is MTA-STS?

Mail Transfer Agent Strict Transport Security (MTA-STS) ensures that email sent to your domain is always encrypted with TLS during transit. It prevents man-in-the-middle attacks that strip encryption from email delivery.

How do I choose the right mode?

Start with 'testing' to monitor without blocking email. Once you've confirmed all sending servers support TLS, switch to 'enforce'. Use 'none' only to explicitly disable a previously active policy.

What should I put in the MX hostnames?

List every MX host that handles email for your domain. These must match your DNS MX records. Sending servers will only deliver to hosts listed in your policy file.

How often should I update the policy ID?

Update the id= value in your DNS TXT record every time you change the policy file. Sending servers use this ID to detect when your policy has changed and re-fetch it.
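The following generator and parser, added here as example code rather than InboxEagle's own generator, builds the two artefacts described above: the `_mta-sts` TXT record with a timestamp-style `id` (regenerated whenever the policy file changes, as the previous answer requires) and the `key: value` policy file with one `mx:` line per host from the form's one-host-per-line input. The one-day floor on `max_age` follows this page's guidance; the 32-character `id` limit, the one-year `max_age` cap and the `*.` wildcard `mx` syntax come from RFC 8461; all function names are my own.

```python
import re
from datetime import datetime, timezone

MODES = ("testing", "enforce", "none")
MIN_MAX_AGE, MAX_MAX_AGE = 86400, 31557600   # page guidance (>= 1 day); RFC 8461 cap (1 year)
MX_RE = re.compile(r"^(\*\.)?([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")  # host, optional "*." label
ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")   # RFC 8461 policy id: 1-32 alphanumerics

def make_policy_id(now=None):
    """UTC timestamp id; regenerate it every time the policy file changes."""
    return (now or datetime.now(timezone.utc)).strftime("%Y%m%d%H%M%S")

def build_txt_record(domain, policy_id):
    """Return (name, type, value) for the _mta-sts.<domain> TXT record."""
    if not ID_RE.match(policy_id):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return (f"_mta-sts.{domain}", "TXT", f"v=STSv1; id={policy_id};")

def parse_mx_input(text):
    """One MX host per line (the generator's form input); blanks and duplicates dropped."""
    hosts = []
    for host in (line.strip().lower() for line in text.splitlines()):
        if host and not MX_RE.match(host):
            raise ValueError(f"invalid mx host: {host!r}")
        if host and host not in hosts:
            hosts.append(host)
    if not hosts:
        raise ValueError("at least one mx host is required")
    return hosts

def build_policy_file(mode, max_age, mx_text):
    """Render the policy served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    if not MIN_MAX_AGE <= int(max_age) <= MAX_MAX_AGE:
        raise ValueError(f"max_age must be between {MIN_MAX_AGE} and {MAX_MAX_AGE}")
    lines = ["version: STSv1", f"mode: {mode}", f"max_age: {int(max_age)}"]
    lines += [f"mx: {h}" for h in parse_mx_input(mx_text)]
    return "\n".join(lines) + "\n"

def parse_policy_file(text):
    """Read a policy file back into a dict (all mx lines collected in a list)."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy
```

Running `build_policy_file` on a form input and then `parse_policy_file` on the result is a cheap pre-publish check that the hosted file round-trips to exactly the mode, max_age and MX list you intended.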

Why We Built This Tool

Most MTA-STS policies are hand-coded, leading to syntax errors, wrong max_age values, and missing MX host entries. DNS record strings are prone to typos. This tool generates both — the exact TXT record and the policy file you need.

What Goes Wrong Without This

Mistyped MTA-STS policies silently fail — sending servers don't understand the DNS TXT record or can't fetch the policy file. Email continues unencrypted without any error. If the HTTPS endpoint goes offline, senders fall back to unencrypted delivery. Teams don't discover policy failures until weeks of unencrypted email have accumulated.

Who This Tool Is For

E-commerce & DTC Brands

Generate MTA-STS policies to protect customer email: publish a policy for your domain in 'testing' mode first, then upgrade to 'enforce' once validation shows every MX host delivers over TLS.

Email Marketing Agencies

Build standardized MTA-STS policies for client domains. Generate exact DNS and HTTPS records to avoid DNS syntax errors and policy file misconfiguration.

B2B SaaS & Outbound Teams

Create MTA-STS policies for outbound sending domains and transactional email. Define MX hosts and start in 'testing' mode before enforcing TLS-only delivery.

Frequently Asked Questions

What are the three MTA-STS modes?

'testing' logs TLS failures without rejecting email (good for validation). 'enforce' tells sending servers to refuse delivery whenever TLS validation fails. 'none' disables the policy. Most teams start with 'testing' for 30 days, then graduate to 'enforce' once all MX servers support TLS.

How long should I set the max_age value?

max_age controls how long sending servers cache your policy. Start with 1 week (604800 seconds) to make updates easy, then increase to 30 days or 1 year once you're confident in your policy. Never set it less than 1 day.

What happens if the policy file is unreachable?

Sending servers will fall back to the last cached policy until the cache expires. If your policy file goes offline for weeks, mail servers may start downgrading to unencrypted delivery. You must monitor policy file availability continuously.

Do I need an InboxEagle account to use this tool?

No. This tool is completely free and requires no account or sign-up. InboxEagle provides it as a standalone resource for email marketers, developers, and agencies.

TLS Enforcement Only Works If the Policy File Stays Reachable.

Once you set up MTA-STS, InboxEagle monitors your TLS enforcement continuously — alerting you when certificates expire, MX records change, or policy drift weakens your email transport security.