What does the MTA-STS record checker validate?

The checker performs a complete validation: DNS TXT record at _mta-sts.domain.com, HTTPS policy file at mta-sts.domain.com/.well-known/mta-sts.txt, TLS certificate validity, and cross-validation of MX records against policy patterns.

Why is my MTA-STS policy not being fetched?

Common causes: the mta-sts subdomain doesn't exist, HTTPS is not configured, the certificate is invalid, the policy file path is wrong, or the server returns redirects (not allowed). The checker will report the specific error.

What does 'MX not covered by policy' mean?

This warning means one or more of your domain's MX records don't match any pattern in your MTA-STS policy. This is a security gap : add the missing MX patterns to your policy file to ensure all mail servers are covered.

Why does the checker show TLS errors?

MTA-STS requires the policy file to be served over HTTPS with a valid certificate. TLS errors can mean: expired certificate, self-signed certificate, hostname mismatch, or outdated TLS version. Fix the certificate on your mta-sts subdomain.

What's the difference between testing and enforce mode?

In 'testing' mode, sending servers report TLS failures but still deliver email. In 'enforce' mode, delivery is rejected if TLS fails. Use testing first to identify issues, then switch to enforce once you're confident your setup is correct.

How often should I check my MTA-STS configuration?

Check after any changes to DNS, MX records, or mail server configuration. Also verify after certificate renewals for the mta-sts subdomain. Regular monthly checks help catch issues before they affect email delivery.

How do I check MTA-STS for Microsoft 365 / Office 365?

Enter your domain in our MTA-STS checker. Microsoft 365 domains using custom domains need MTA-STS configured separately : Microsoft does not set this up automatically. You'll need to create the DNS TXT record and host the policy file yourself, or use a third-party service.

How do I verify MTA-STS for Google Workspace?

Use our MTA-STS lookup tool with your Google Workspace domain. Google Workspace supports MTA-STS but you must configure it yourself for custom domains. The checker validates your _mta-sts DNS record, fetches the policy, and verifies MX patterns match Google's mail servers (e.g., *.google.com or aspmx.l.google.com).

Free MTA-STS Checker - Lookup & Validate Records Online

Why check your MTA-STS

SMTP transport uses TLS opportunistically: if encryption fails, the connection silently falls back to cleartext. An attacker in a man-in-the-middle position can strip the STARTTLS banner and force your emails over the wire in plaintext.

MTA-STS (RFC 8461) closes this gap. It publishes an HTTPS-served policy backed by public PKI that tells sending MTAs to refuse any connection without valid TLS. It is the missing layer that blocks downgrade attacks and TLS spoofing.

Verifying your configuration before switching to enforce is critical:

Broken policy → legitimate emails may be blocked
Incomplete MX patterns → some servers remain vulnerable
Expired certificate → the policy becomes invalid and sending MTAs revert to opportunistic TLS

Common use cases:

After publication → confirm DNS, HTTPS policy, and TLS are consistent
Before mode: enforce → make sure no legitimate MX is excluded
Security audit → validate protection against TLS downgrade

How to use this checker in 3 steps

Step 1: enter the domain to analyze

Enter the domain exactly as it appears in your email addresses:

captaindns.com (main domain)
marketing.captaindns.com (subdomain if you send from a subdomain)

The tool automatically queries _mta-sts.domain, fetches https://mta-sts.domain/.well-known/mta-sts.txt, and compares patterns against MX records.

Step 2: analyze the results

The checker displays:

Element	Description
TXT record	`STSv1` version and unique policy ID
HTTPS policy	Content of `.well-known/mta-sts.txt`
Mode	`none`, `testing`, or `enforce`
MX patterns	List of hosts authorized by the policy
max_age	Policy cache duration in seconds
TLS certificate	Validity, expiry, TLS version on the `mta-sts` subdomain
MX coverage	All resolved MX hosts match a pattern

Step 3: fix the flagged issues

Results are classified by severity:

Critical → the policy is unusable, sending MTAs ignore it
Warning → functional but exposes you to risk or partial protection
Info → best practice, non-blocking

Fix DNS or the policy file, wait for propagation, then re-run the checker.

What is MTA-STS?

MTA-STS (SMTP MTA Strict Transport Security, RFC 8461) is a mechanism that:

Publishes an HTTPS policy declaring which MX hosts support TLS
Enforces TLS encryption between sending and receiving MTAs
Blocks downgrade attacks that strip STARTTLS

The architecture combines three elements:

Element	Role
DNS TXT record	Published at `_mta-sts.domain`. Signals the policy exists and gives its ID.
HTTPS policy	Served at `https://mta-sts.domain/.well-known/mta-sts.txt`. Contains mode, MX, max_age.
TLS certificate	The `mta-sts` subdomain must present a valid certificate from a trusted CA.

Example DNS record:

_mta-sts.captaindns.com. IN TXT "v=STSv1; id=20260501T000000Z"

Example policy:

version: STSv1
mode: enforce
mx: mail.captaindns.com
mx: *.mail.captaindns.com
max_age: 604800

Difference vs DANE: MTA-STS relies on public PKI (certificate authorities), DANE relies on DNSSEC and TLSA records. Both mechanisms are compatible and can be deployed together.

What the checker verifies

Seven dimensions run in parallel to produce a 0-100 score:

Published DNS record

Check	Error if...
TXT present at `_mta-sts.domain`	No record
Starts with `v=STSv1`	Missing or malformed prefix
`id=` field present	ID missing or invalid characters
Single record	Multiple MTA-STS TXT records detected

Policy file fetch

Check	Error if...
URL reachable via HTTPS	Connection refused or timeout
No redirects	Server responds 3xx instead of 200
Content-Type `text/plain`	Wrong MIME type
Cleartext HTTP rejected	Policy served on port 80

Policy syntax

Check	Error if...
`version: STSv1` present	Line missing or unknown version
Valid `mode:`	Value other than `none`, `testing`, `enforce`
At least one `mx:` line	No MX pattern defined
`max_age:` in range	Outside RFC bounds (1 to 31557600 seconds)

MX server coverage

All resolved MX hosts for the domain must match at least one pattern:

Direct match: mx: mail.captaindns.com covers mail.captaindns.com
Wildcard limited to one label: *.mail.captaindns.com covers eu.mail.captaindns.com but not mail.captaindns.com

TLS certificate validity

The mta-sts.domain subdomain is probed over HTTPS:

Certificate not expired
Hostname present in SAN
Full chain to a recognized CA
Recent TLS version (1.2 minimum)

DNS and policy consistency

The DNS ID and the served policy ID must match. A mismatch indicates a partial update dangerous for sending MTA caches.

TLS-RPT presence

The checker flags missing _smtp._tls (TLS-RPT, RFC 8460) records. Without TLS-RPT, you'll never know if the policy is causing silent delivery failures.

Common diagnostics and solutions

Policy unreachable (policy_fetch_failed)

Cause: the mta-sts.domain subdomain does not respond, does not serve HTTPS, or returns an HTTP error.

Solutions:

Verify that mta-sts.domain resolves in DNS (A or CNAME)
Confirm a valid TLS certificate is served (Let's Encrypt, autocert, etc.)
Confirm /.well-known/mta-sts.txt returns 200 OK with text/plain

Invalid TLS certificate (cert_invalid)

Cause: expired certificate, self-signed, hostname not covered by SAN, or incomplete chain.

Solutions:

Renew the certificate before expiry
Include mta-sts.domain in the SAN
Serve the complete intermediate chain

Missing DNS record (missing_record)

Cause: no TXT record exists at _mta-sts.domain.

Solution: publish

_mta-sts.captaindns.com. IN TXT "v=STSv1; id=20260501T000000Z"

Policy disabled (mode_none)

Cause: mode: none indicates MTA-STS is advertised but not effective.

Solution: switch to mode: testing after the initial publication, then mode: enforce once TLS-RPT is clean.

Partial MX coverage (mx_partial_match)

Cause: one or more resolved MX hosts do not match any pattern in the policy.

Solution: list each MX host explicitly or use a broader wildcard that fits your infrastructure.

TLS-RPT missing (tls_rpt_missing)

Cause: no _smtp._tls.domain record is published.

Solution: publish

_smtp._tls.captaindns.com. IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@captaindns.com"

Progression from testing to enforce

Phase 1: initial publication in testing mode

version: STSv1
mode: testing
mx: mail.captaindns.com
max_age: 86400

Sending MTAs report TLS failures via TLS-RPT without blocking delivery
Keep max_age short (1 to 7 days) to iterate quickly
Collect TLS-RPT reports for 2 to 4 weeks

Phase 2: stabilization and observation

During this period, check:

No legitimate MX excluded (TLS-RPT would report mx-mismatch failures)
No certificate problems on MX hosts (TLS-RPT would report certificate-not-trusted)
No sending MTA struggling (empty or null reports)

Phase 3: switching to enforce mode

version: STSv1
mode: enforce
mx: mail.captaindns.com
max_age: 604800

Extend max_age (7 days minimum, up to 1 year)
Monitor TLS-RPT continuously: failures now become non-delivery
Prepare a rollback plan (revert to testing quickly if needed)

Common pitfalls:

max_age too short → sending MTAs re-fetch the policy too often, useless load
max_age too long → an MX change takes weeks to propagate
Incomplete MX patterns → legitimate emails are silently rejected

MTA-STS vs DANE

Both mechanisms protect SMTP transport from downgrade attacks but take different approaches.

Criterion	MTA-STS	DANE
RFC	8461	7672
Prerequisites	Public PKI (CA)	Signed DNSSEC
Distribution	DNS TXT + HTTPS	DNS (TLSA records)
Pinning	No	Yes (certificate fingerprint)
Sending MTA adoption	Wide (Gmail, Outlook)	Limited outside German ecosystem
Reporting	TLS-RPT (RFC 8460)	TLS-RPT (RFC 8460)
Implementation cost	Moderate (DNS + HTTPS)	High (DNSSEC mandatory)

When to choose MTA-STS: you don't have DNSSEC, or you want a quick rollout with minimal operational overhead.

When to choose DANE: your domain is already DNSSEC-signed and you want the extra guarantee of cryptographic pinning.

Both are compatible and can be deployed in parallel. Sending MTAs pick the one they know how to handle.

Complementary tools and resources

Tool	Purpose
MTA-STS Syntax Checker	Validate policy syntax BEFORE publication
MTA-STS Generator	Generate compliant TXT record and HTTPS policy
MTA-STS Hosting	Host your policy for free with managed TLS
TLS-RPT Checker	Verify the associated TLS-RPT record
DMARC Inspector	Complete email authentication with DMARC
MX Lookup	Inspect the domain's MX records

Resources: