MTA-STS Policy Generator
Generate an MTA-STS policy file and DNS records to enforce TLS encryption for inbound email. Includes the policy file, MTA-STS TXT record, and TLS-RPT reporting record.
Mode: "testing" reports failures but still delivers email. Start with this mode to identify issues before enforcing.
MX hosts: use wildcards like *.google.com for Google Workspace, or *.outlook.com for Microsoft 365.
Max age (cache duration): 7 days by default. Recommended: 604800 (7 days) for testing, 86400-31557600 for production.
TLS-RPT address: email address to receive TLS-RPT reports about delivery failures.
About this tool
MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending mail servers that your domain requires encrypted TLS connections for email delivery. Without MTA-STS, an attacker could intercept the connection between mail servers and downgrade it from encrypted to plaintext, exposing email content. MTA-STS prevents this by publishing a policy that senders must verify before delivering email to your domain.
This generator creates the three components you need to deploy MTA-STS: the policy file that gets hosted on your web server, the DNS TXT record that advertises the policy, and the TLS-RPT record that lets senders report delivery failures to you.
How MTA-STS works
When a sending server wants to deliver email to your domain, it first checks for an MTA-STS DNS record at _mta-sts.yourdomain.com. If found, it fetches the policy file from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The policy specifies which MX hosts are authorized and whether to enforce TLS. In "testing" mode, the sender delivers the email regardless but reports failures. In "enforce" mode, the sender refuses to deliver if a secure connection cannot be established.
Implementation steps
Start with "testing" mode to identify any TLS issues without blocking legitimate email. Set up the TLS-RPT record so you receive reports about connection failures. Monitor the reports for 2-4 weeks. If no issues appear, switch to "enforce" mode. You will need a valid, publicly trusted TLS certificate for the mta-sts subdomain (self-signed certificates are not accepted by senders); most certificate providers, including Let's Encrypt, support this.
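The three components described above (policy file, _mta-sts TXT record, TLS-RPT record), as an added example that is not the generator's own code: a small Python model that validates the inputs the way a sender would and renders each artifact. The domain, MX hosts, policy id and report mailbox are constructed sample values.

```python
import re
from dataclasses import dataclass

MAX_AGE_LIMIT = 31557600          # RFC 8461 ceiling for max_age (about one year)
MODES = ("testing", "enforce", "none")
# Hostname, optionally prefixed by "*." (a wildcard is allowed only as the leftmost label)
_MX_RE = re.compile(r"^(\*\.)?([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")   # policy id: 1-32 alphanumeric characters


@dataclass
class MtaStsPolicy:
    domain: str
    mode: str
    mx: list
    max_age: int
    policy_id: str        # must change every time the policy file changes
    tlsrpt_rua: str       # mailbox that receives TLS-RPT reports

    def validate(self) -> list:
        """Return a list of problems; an empty list means the policy is well-formed."""
        problems = []
        if self.mode not in MODES:
            problems.append(f"mode must be one of {MODES}, got {self.mode!r}")
        if not self.mx:
            problems.append("at least one mx entry is required")
        for host in self.mx:
            if not _MX_RE.match(host):
                problems.append(f"invalid mx pattern {host!r}")
        if not 0 <= self.max_age <= MAX_AGE_LIMIT:
            problems.append(f"max_age must be between 0 and {MAX_AGE_LIMIT} seconds")
        if not _ID_RE.match(self.policy_id):
            problems.append("id must be 1-32 alphanumeric characters")
        return problems

    def policy_file(self) -> str:
        """Body served at https://mta-sts.<domain>/.well-known/mta-sts.txt, one field per line."""
        lines = ["version: STSv1", f"mode: {self.mode}"]
        lines += [f"mx: {host}" for host in self.mx]
        lines.append(f"max_age: {self.max_age}")
        return "\n".join(lines) + "\n"

    def dns_records(self) -> dict:
        """TXT records advertising the policy (RFC 8461) and the TLS-RPT address (RFC 8460)."""
        return {
            f"_mta-sts.{self.domain}": f"v=STSv1; id={self.policy_id};",
            f"_smtp._tls.{self.domain}": f"v=TLSRPTv1; rua=mailto:{self.tlsrpt_rua}",
        }
```

Senders cache the policy for max_age seconds and only refetch when the id in the TXT record changes, so bump the id whenever the file is edited.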
Part of a complete email security setup
MTA-STS protects inbound email encryption. Pair it with SPF, DKIM, and DMARC to protect against spoofing and phishing. Together these protocols form a comprehensive email security framework. Use our SPF checker, DKIM checker, and DMARC checker to verify your existing authentication setup before adding MTA-STS.
After deploying MTA-STS, check your overall email security posture with the domain reputation checker. A complete setup with SPF, DKIM, DMARC, and MTA-STS gives you the highest possible security rating.