What is MTA-STS and how to set it up?
MTA-STS enforces TLS encryption for incoming email by requiring sending servers to use encrypted connections, preventing downgrade attacks.
Detailed Answer
MTA-STS (Mail Transfer Agent Strict Transport Security) prevents man-in-the-middle and downgrade attacks during email delivery.
How MTA-STS works:
- Sending mail server discovers your MTA-STS DNS record
- It fetches your policy file over HTTPS
- If mode is "enforce", it refuses to deliver email without TLS
- Failed deliveries are reported via TLS-RPT
Three components needed:
- DNS TXT record at _mta-sts.yourdomain.com with the content: v=STSv1; id=20240101
- Policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
- Valid HTTPS certificate for mta-sts.yourdomain.com
Setup with IntoDNS.AI generator: Use https://intodns.ai/tools/mta-sts-generator to generate both the DNS record and policy file content.
MTA-STS vs DANE:
- DANE requires DNSSEC (not available on all TLDs, e.g., .ai)
- MTA-STS uses HTTPS PKI instead of DNSSEC
- Both can be used together if DNSSEC is available
- MTA-STS is the practical choice for most domains
Recommended rollout:
- Start with mode: testing (reports failures, doesn't block)
- Monitor TLS-RPT reports
- Switch to mode: enforce once confident
Learn more: https://intodns.ai/learn/mta-sts
Related Questions
What is SPF, DKIM, and DMARC?
SPF, DKIM, and DMARC are email authentication standards that verify sender identity and prevent email spoofing.
How to check my domain email security?
Use IntoDNS.AI to instantly scan your domain for SPF, DKIM, DMARC, DNSSEC, MTA-STS, and BIMI configuration with a security grade from A+ to F.
Why do my emails go to spam?
Emails go to spam when missing SPF, DKIM, or DMARC authentication, or when sent from blacklisted servers.