MTA-STS Policy Generator

Generate MTA-STS DNS records and policy files to enforce TLS encryption for inbound email. Prevent downgrade attacks.

Inputs: Policy Mode, MX Hosts, Cache Duration (max_age).

MX Hosts: list the MX hostnames that receive email for your domain. Use wildcards like *.example.com to match subdomains.

1. DNS TXT Record

Add this TXT record at _mta-sts.yourdomain.com

v=STSv1; id=STSv1_placeholder

2. Policy File

Host this file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

version: STSv1
mode: testing
max_age: 604800

Setup Checklist:

  1. Create a subdomain mta-sts.yourdomain.com pointing to a web server
  2. Install a valid HTTPS certificate for mta-sts.yourdomain.com
  3. Host the policy file at /.well-known/mta-sts.txt
  4. Add the DNS TXT record at _mta-sts.yourdomain.com
  5. Optionally add a TLS-RPT record for failure reporting

Frequently Asked Questions

What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism that enables mail servers to declare their ability to receive TLS-secured connections. It prevents downgrade attacks and man-in-the-middle attacks during email delivery by requiring sending servers to use encrypted connections.
What do I need to set up MTA-STS?
You need three things: (1) a DNS TXT record at _mta-sts.yourdomain.com, (2) a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, and (3) a valid HTTPS certificate for mta-sts.yourdomain.com, because sending servers will only accept the policy file if it is served over HTTPS with a valid certificate.
MTA-STS vs DANE: which should I use?
DANE (DNS-based Authentication of Named Entities) requires DNSSEC, which not all TLDs support (e.g., .ai domains). MTA-STS works without DNSSEC by using the HTTPS PKI instead. If your domain supports DNSSEC, you can use both. If not, MTA-STS is your best option for enforcing TLS.
How do I test my MTA-STS configuration?
Start with mode: testing, which reports failures via TLS-RPT without blocking email. Monitor the TLS reports to ensure all sending servers can connect securely. Once you're confident, switch to mode: enforce. Use IntoDNS.AI to verify your MTA-STS configuration.
Can I host the MTA-STS policy on Cloudflare?
Yes. You can use a Cloudflare Worker to serve the MTA-STS policy file at the required URL (https://mta-sts.yourdomain.com/.well-known/mta-sts.txt). Alternatively, use Cloudflare Pages or any web server that can serve a static text file over HTTPS.