MTA-STS Validator and TLS-RPT Check
A resilient mail transport strategy demands accurate DNS, reachable HTTPS policies, and dependable TLS certificates. This validator mirrors sender behaviour: it collects the _mta-sts TXT record, fetches the policy file, verifies cache lifetimes (max_age), and checks whether the hostnames in your MX records match the mx patterns the policy declares. Use the walkthrough to confirm each control before rolling MTA-STS into enforce mode.
TLS-RPT gives post-delivery visibility. By pulling the _smtp._tls record and surfacing reporting URIs, the tool helps you capture JSON reports that describe downgrade attempts, invalid certificates, or failed negotiations. Feed those insights into monitoring so your incident response plan covers both certificate renewal and mail flow resilience.
Build a resilient MTA-STS rollout
Start in testing mode while you validate that every MX endpoint presents trusted certificates and supports modern TLS. Document who owns DNS, HTTPS hosting, and mail routing so renewals and configuration drift are caught before service interruptions scale.
Review cache lifetimes and plan a cadence for updating the policy ID whenever you rotate certificates or add an MX host. Coordinate with change management to propagate updates across CDNs, reverse proxies, and configuration repositories without introducing conflicting values.
Once telemetry stabilizes, elevate the policy to enforce mode and keep TLS-RPT enabled. Correlate the incoming reports with email queues and SIEM alerts to prove compliance with industry frameworks and detect anomalous delivery routes as soon as they appear.
MTA-STS FAQs
- What is MTA-STS?
- A policy that tells sending MTAs to require TLS and valid certificates when delivering mail to your domain, reducing downgrade and MitM risks.
- How does MTA-STS work?
- Publish a TXT record at _mta-sts.<domain> and host a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt. Senders fetch the policy and enforce TLS.
- What DNS records are required?
- A versioned TXT record at _mta-sts.<domain>. Optionally publish TLS-RPT at _smtp._tls.<domain> to receive failure reports.
- What should the policy file contain?
- Fields include version, mode (enforce, testing, none), mx, and max_age. Use enforce once you are confident TLS works for all MX hosts.
- How do I monitor issues?
- Enable TLS-RPT so providers send JSON reports of TLS failures. Review, remediate, and raise mode to enforce after stable results.
- Common misconfigurations
- Wrong hostnames in mx, policy not reachable, stale max_age, missing intermediates, or invalid certificates on MX hosts.
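The policy parsing, field validation and MX-pattern matching the validator performs (and the policy fields and misconfigurations the FAQ lists) can be reproduced offline. The following is an added example, not the validator's own code: it parses a constructed mta-sts.txt body, flags the field errors a sending MTA would reject, and applies the RFC 8461 rule that a leading `*.` pattern covers exactly one leftmost label. The sample policy and hostnames are constructed, and the "mx required unless mode is none" rule is this example's assumption.

```python
# Constructed sample policy body; not fetched from any real domain.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound: one year in seconds

def parse_policy(text):
    """Parse an mta-sts.txt body into a dict; 'mx' collects every mx line."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def validate_policy(policy):
    """Return the problems a sending MTA would reject this policy for."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in {"enforce", "testing", "none"}:
        problems.append("mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        problems.append("max_age must be a non-negative integer of seconds, at most one year")
    if policy.get("mode") != "none" and not policy["mx"]:  # assumption: mx needed unless mode none
        problems.append("at least one mx pattern is required")
    return problems

def mx_matches(pattern, hostname):
    """RFC 8461 rule: '*.' stands for exactly one leftmost label; case-insensitive."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = hostname.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == hostname

def check_mx_hosts(policy, mx_hosts):
    """Map each MX hostname from DNS to whether a policy pattern covers it."""
    return {h: any(mx_matches(p, h) for p in policy["mx"]) for h in mx_hosts}
```

Any hostname that maps to False in `check_mx_hosts` is the "wrong hostnames in mx" case above: in enforce mode, senders will refuse to deliver through it.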