
MTA-STS Record & Policy Generator

MTA-STS requires two things: a DNS record and a policy file at a specific HTTPS URL. Missing either one makes the whole setup fail. Generate both here.

How should sending servers handle TLS failures when delivering to your domain?

How long sending servers should cache your MTA-STS policy.

One MX host per line. These are the mail servers authorized to receive email for your domain.

DNS TXT Record

DNS Record Name

_mta-sts.yourdomain.com
TXT

Record Value

v=STSv1; id=;

Policy File

File Location

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

File Content

version: STSv1
mode: testing
max_age: 604800

Host this file at the exact URL shown above. Your web server must serve it over HTTPS.

How to set up MTA-STS

  1. Add the DNS TXT record above at _mta-sts in your DNS provider
  2. Create the policy file with the content shown above
  3. Host the policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  4. Ensure HTTPS is properly configured on mta-sts.yourdomain.com
  5. Test with the MTA-STS Checker


Understanding MTA-STS

What is MTA-STS?

Mail Transfer Agent Strict Transport Security (MTA-STS) ensures that email sent to your domain is always encrypted with TLS during transit. It prevents man-in-the-middle attacks that strip encryption from email delivery.

How do I choose the right mode?

Start with 'testing' to monitor without blocking email. Once you've confirmed all sending servers support TLS, switch to 'enforce'. Use 'none' only to explicitly disable a previously active policy.

What should I put in the MX hostnames?

List every MX host that handles email for your domain. These must match your DNS MX records. Sending servers will only deliver to hosts listed in your policy file.

How often should I update the policy ID?

Update the id= value in your DNS TXT record every time you change the policy file. Sending servers use this ID to detect when your policy has changed and re-fetch it.
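A pre-publish check for the two artifacts described above, as an added example that is not the generator's own code. It validates the TXT value and the policy file against the RFC 8461 field rules and reports DNS MX hosts the policy does not cover. The function names and the example.com hosts are assumptions, and the MX list is passed in by the caller rather than looked up.

```python
# Added example (not the generator's code); field rules follow RFC 8461.
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds
# Constructed sample policy; example.com hosts are placeholders.
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmax_age: 604800\nmx: mx1.example.com\nmx: *.mail.example.com\n"

def parse_txt_record(value):
    """Return the policy id from a _mta-sts TXT value, or raise ValueError."""
    fields = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        key, _, val = part.partition("=")
        fields[key.strip()] = val.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record needs v=STSv1")
    policy_id = fields.get("id", "")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id):
        raise ValueError("id must be 1-32 letters or digits")
    return policy_id

def parse_policy(text):
    """Parse mta-sts.txt content into a dict; 'mx' holds every mx: line."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, val = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if key.strip() == "mx":
            policy["mx"].append(val.strip().lower())
        else:
            policy.setdefault(key.strip(), val.strip())
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not re.fullmatch(r"[0-9]+", policy.get("max_age", "")) or int(policy["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be an integer from 0 to 31557600")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx: line is required unless mode is none")
    return policy

def mx_allowed(host, patterns):
    """True if host matches a pattern; '*.' stands for exactly one left-most label."""
    host = host.lower().rstrip(".")
    parent = host.partition(".")[2]  # host without its left-most label
    return any(host == p or (p.startswith("*.") and parent == p[2:] != "") for p in patterns)

def uncovered_mx(dns_mx_hosts, policy):
    """Return the DNS MX hosts that the policy's mx: lines do not cover."""
    return [h for h in dns_mx_hosts if not mx_allowed(h, policy["mx"])]
```

A TXT value with an empty id, or a testing or enforce policy with no mx: line, raises ValueError, so run this before switching mode to enforce.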

TLS Enforcement Only Works If the Policy File Stays Reachable.

Once you set up MTA-STS, InboxEagle monitors your TLS enforcement continuously — alerting you when certificates expire, MX records change, or policy drift weakens your email transport security.
