MTA-STS Policy Generator
Generate an MTA-STS policy file and DNS records to enforce TLS encryption for inbound email. Includes the policy file, MTA-STS TXT record, and TLS-RPT reporting record.
Testing mode reports failures but still delivers email. Start with this mode to identify issues before switching to enforce mode.
Use wildcards like *.google.com for Google Workspace, or *.outlook.com for Microsoft 365.
Cache duration (max_age, in seconds): 7 days. Recommended: 604800 (7 days) for testing, 86400-31557600 for production.
Email address to receive TLS-RPT reports about delivery failures.
About this tool
MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending mail servers that your domain requires encrypted TLS connections for email delivery. Without MTA-STS, TLS between mail servers is only opportunistic, so an attacker who can intercept the connection could downgrade it from encrypted to plaintext and expose email content. MTA-STS prevents this by publishing a policy that senders must verify before delivering email to your domain.
This generator creates the three components you need to deploy MTA-STS: the policy file that gets hosted on your web server, the DNS TXT record that advertises the policy, and the TLS-RPT record that lets senders report delivery failures to you.
How MTA-STS works
When a sending server wants to deliver email to your domain, it first looks up a TXT record at _mta-sts.yourdomain.com. If one is found, it fetches the policy file over HTTPS from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt and caches it for the max_age the policy specifies. The policy specifies which MX hosts are authorized and whether to enforce TLS. In "testing" mode, the sender delivers the email regardless but reports failures. In "enforce" mode, the sender refuses to deliver if the MX host is not listed in the policy or a secure connection cannot be established.
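The sender-side checks described above, shown as an added example that is not part of this tool or page: it parses a fetched policy, matches a candidate MX host against the policy's mx patterns (a leading `*.` matches exactly one DNS label, the same wildcard rule TLS certificates use), and returns what a sending MTA does with that host in each mode. The policy text and host names are constructed, and the failure labels are this example's own, not the result-type names used in TLS-RPT reports.

```python
"""Sender-side MTA-STS evaluation: parse a fetched policy, match the MX host
against the policy's mx patterns, and decide how a sending MTA proceeds.
Added example; the policy text and host names below are constructed."""
from dataclasses import dataclass

# Constructed policy text, as a sender would fetch it from
# https://mta-sts.example.com/.well-known/mta-sts.txt (example.com is a placeholder).
SAMPLE_POLICY = """\
version: STSv1
mode: testing
mx: mail.example.com
mx: *.mx.example.com
max_age: 604800
"""


@dataclass
class Policy:
    version: str
    mode: str
    mx: list
    max_age: int


def parse_policy(text: str) -> Policy:
    """Parse the key/value policy format. Every mx line is kept; unknown keys
    are ignored (RFC 8461 allows extension fields); a missing required field,
    an unknown version or mode, or an empty mx list raises ValueError."""
    fields = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            fields["mx"].append(value.lower())
        else:
            fields[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in fields:
            raise ValueError(f"missing required field: {required}")
    if fields["version"] != "STSv1":
        raise ValueError(f"unsupported version: {fields['version']}")
    if fields["mode"] not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {fields['mode']}")
    if not fields["mx"] and fields["mode"] != "none":
        raise ValueError("policy lists no mx hosts")
    return Policy(fields["version"], fields["mode"], fields["mx"], int(fields["max_age"]))


def mx_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of an MX hostname against one mx pattern.
    A leading '*.' matches exactly one DNS label, so '*.mx.example.com'
    matches 'alt1.mx.example.com' but neither 'mx.example.com' nor
    'a.alt1.mx.example.com'."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mx.example.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label  # exactly one label
    return host == pattern


def evaluate_delivery(policy: Policy, mx_host: str, tls_ok: bool):
    """Return (action, failure). tls_ok means STARTTLS succeeded and the
    certificate chain is trusted and valid for mx_host. The failure labels
    are this example's own, not TLS-RPT result-type names."""
    if policy.mode == "none":
        return ("deliver", None)
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        failure = "mx-not-in-policy"
    elif not tls_ok:
        failure = "tls-validation-failed"
    else:
        return ("deliver", None)
    if policy.mode == "enforce":
        # Enforce: do not deliver to this host (the MTA tries another MX or
        # queues the message); the failure is still reported via TLS-RPT.
        return ("refuse", failure)
    # Testing: deliver anyway, but report the failure via TLS-RPT.
    return ("deliver", failure)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for host, ok in [("alt1.mx.example.com", True),
                     ("mail.example.com", False),
                     ("relay.example.net", True)]:
        print(policy.mode, host, evaluate_delivery(policy, host, ok))
```

Run it as-is to see the testing-mode outcomes; change `mode: testing` to `mode: enforce` in the sample to see the same three hosts turn into one delivery and two refusals, which is exactly the traffic a TLS-RPT mailbox should show you before you flip the switch.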
Implementation steps
Start with "testing" mode to identify any TLS issues without blocking legitimate email. Set up the TLS-RPT record so you receive reports about connection failures. Monitor the reports for 2-4 weeks. If no issues appear, switch to "enforce" mode. You will need a valid TLS (SSL) certificate for the mta-sts subdomain, which most certificate providers (including Let's Encrypt) support.
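The three components the generator produces (policy file, _mta-sts TXT record, TLS-RPT record) together with the testing-to-enforce switch from the steps above, as an added example in Python rather than this tool's own code. The domain, MX hosts and report address are placeholders; the timestamp id format and the validation bounds are this example's choices within what RFC 8461 allows. One detail worth seeing in code: every change to the policy file, a mode switch included, needs a new id in the TXT record, otherwise senders keep using their cached copy until max_age expires.

```python
"""Generate the three MTA-STS deployment artifacts: the policy file, the
_mta-sts TXT record that advertises it, and the _smtp._tls TLS-RPT record.
Added example, not this tool's code; the domain and addresses are placeholders."""
import re
from datetime import datetime, timezone

MODES = ("testing", "enforce", "none")
MAX_AGE_LIMIT = 31557600  # one year, the upper bound RFC 8461 allows
# A hostname or a '*.' wildcard pattern with at least two labels, lowercase.
MX_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$")


def policy_file(mode: str, mx_hosts, max_age: int) -> str:
    """Build the text served at /.well-known/mta-sts.txt. Rejects unknown
    modes, malformed mx patterns and a max_age outside 1..MAX_AGE_LIMIT."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}: {mode!r}")
    if not 1 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be 1..{MAX_AGE_LIMIT} seconds: {max_age}")
    hosts = [h.strip().lower().rstrip(".") for h in mx_hosts]
    if not hosts and mode != "none":
        raise ValueError("at least one mx host is required")
    for h in hosts:
        if not MX_RE.match(h):
            raise ValueError(f"invalid mx pattern: {h!r}")
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {h}" for h in hosts]
    lines.append(f"max_age: {max_age}")
    return "\n".join(lines) + "\n"


def policy_id(now=None) -> str:
    """Opaque policy id for the TXT record. It must change every time the
    policy file changes so senders refetch; a UTC timestamp is the usual
    choice and stays alphanumeric."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%dT%H%M%SZ")


def mta_sts_record(domain: str, pid: str) -> str:
    """TXT record that advertises the policy and its current id."""
    return f'_mta-sts.{domain}. IN TXT "v=STSv1; id={pid}"'


def tlsrpt_record(domain: str, report_address: str) -> str:
    """TXT record that tells senders where to mail TLS-RPT failure reports."""
    return f'_smtp._tls.{domain}. IN TXT "v=TLSRPTv1; rua=mailto:{report_address}"'


def generate(domain, mode, mx_hosts, max_age, report_address, pid=None) -> dict:
    """Return all deployment artifacts keyed by purpose."""
    domain = domain.lower().rstrip(".")
    pid = pid or policy_id()
    return {
        "policy_url": f"https://mta-sts.{domain}/.well-known/mta-sts.txt",
        "policy": policy_file(mode, mx_hosts, max_age),
        "mta_sts_txt": mta_sts_record(domain, pid),
        "tlsrpt_txt": tlsrpt_record(domain, report_address),
    }


if __name__ == "__main__":
    mx = ["mail.example.com", "*.mx.example.com"]
    # Step 1: testing mode with reporting. The ids below are constructed dates.
    first = generate("example.com", "testing", mx, 604800,
                     "tlsrpt@example.com", pid="20240101T120000Z")
    # Step 2: after weeks of clean reports, enforce with a fresh id so that
    # senders refetch instead of serving the cached testing policy.
    second = generate("example.com", "enforce", mx, 86400,
                      "tlsrpt@example.com", pid="20240129T120000Z")
    for name, out in (("testing", first), ("enforce", second)):
        print(f"--- {name}: serve as text/plain at {out['policy_url']}")
        print(out["policy"])
        print(out["mta_sts_txt"])
        print(out["tlsrpt_txt"])
```

The policy file is deliberately plain LF-terminated text; it must be served over HTTPS from the mta-sts subdomain with a certificate the sender can validate, which is the certificate requirement mentioned in the steps above.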
Part of a complete email security setup
MTA-STS protects inbound email encryption. Pair it with SPF, DKIM, and DMARC to protect against spoofing and phishing. Together these protocols form a comprehensive email security framework. Use our SPF checker, DKIM checker, and DMARC checker to verify your existing authentication setup before adding MTA-STS.
After deploying MTA-STS, check your overall email security posture with the domain reputation checker. A complete setup with SPF, DKIM, DMARC, and MTA-STS gives you the highest possible security rating.