Question 1

What is MTA-STS?

Accepted Answer

MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism that enables mail servers to declare their ability to receive TLS-secured connections. It prevents downgrade attacks and man-in-the-middle attacks during email delivery by requiring sending servers to use encrypted connections.

Question 2

What do I need to set up MTA-STS?

Accepted Answer

You need three things: (1) A DNS TXT record at _mta-sts.yourdomain.com, (2) A policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, and (3) A valid HTTPS certificate for mta-sts.yourdomain.com.

Question 3

MTA-STS vs DANE: which should I use?

Accepted Answer

DANE requires DNSSEC, which not all TLDs support (e.g., .ai domains). MTA-STS works without DNSSEC by using the HTTPS PKI instead. If your domain supports DNSSEC, you can use both. If not, MTA-STS is your best option for enforcing TLS.

Question 4

How do I test my MTA-STS configuration?

Accepted Answer

Start with mode: testing, which reports failures via TLS-RPT without blocking email. Monitor the TLS reports to ensure all sending servers can connect securely. Once confident, switch to mode: enforce.

Question 5

Can I host the MTA-STS policy on Cloudflare?

Accepted Answer

Yes. You can use a Cloudflare Worker to serve the MTA-STS policy file at the required URL. Alternatively, use Cloudflare Pages or any web server that can serve a static text file over HTTPS.

MTA-STS Policy Generator

Policy Mode

MX Hosts

Cache Duration (max_age)

1. DNS TXT Record

2. Policy File

Frequently Asked Questions

SPF Generator

DMARC Generator

BIMI Generator