MTA-STS Policy Generator
Generate an MTA-STS policy file and DNS records to enforce TLS encryption for inbound email. Includes the policy file, MTA-STS TXT record, and TLS-RPT reporting record.
Testing mode: reports failures but still delivers email. Start with this mode to identify issues before enforcing.
MX hosts: use wildcards like *.google.com for Google Workspace, or *.outlook.com for Microsoft 365.
Max age (cache duration): 604800 seconds (7 days) is recommended for testing; use 86400-31557600 seconds for production.
Report address: the email address that receives TLS-RPT reports about delivery failures.
About this tool
MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending mail servers that your domain requires encrypted TLS connections for email delivery. Without MTA-STS, an attacker could intercept the connection between mail servers and downgrade it from encrypted to plaintext, exposing email content. MTA-STS prevents this by publishing a policy that senders must verify before delivering email to your domain.
This generator creates the three components you need to deploy MTA-STS: the policy file that gets hosted on your web server, the DNS TXT record that advertises the policy, and the TLS-RPT record that lets senders report delivery failures to you.
How MTA-STS works
When a sending server wants to deliver email to your domain, it first checks for an MTA-STS DNS record at _mta-sts.yourdomain.com. If found, it fetches the policy file from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The policy specifies which MX hosts are authorized and whether to enforce TLS. In "testing" mode, the sender delivers the email regardless but reports failures. In "enforce" mode, the sender refuses to deliver if a secure connection cannot be established.
Implementation steps
Start with "testing" mode to identify any TLS issues without blocking legitimate email. Set up the TLS-RPT record so you receive reports about connection failures. Monitor the reports for 2-4 weeks. If no issues appear, switch to "enforce" mode. You will need a valid TLS certificate for the mta-sts subdomain, which most certificate providers (including Let's Encrypt) support.
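The policy file and the two TXT records described above, produced and validated in code. This is an added example, not the generator's own code; the function names (build_policy, build_sts_txt, build_tlsrpt_txt, parse_policy) and the example.com values are assumptions.

```python
import re
from datetime import datetime, timezone

MAX_AGE_MAX = 31557600  # one year, the upper bound for max_age in RFC 8461

def build_policy(mode, mx_hosts, max_age):
    """Return the text hosted at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    if mode not in ("testing", "enforce", "none"):
        raise ValueError(f"invalid mode {mode!r}")
    if not mx_hosts:
        raise ValueError("at least one mx host is required")
    for host in mx_hosts:
        # at most one leading wildcard label, then ordinary DNS labels
        if not re.fullmatch(r"(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+", host.lower()):
            raise ValueError(f"invalid mx host {host!r}")
    if not 0 <= max_age <= MAX_AGE_MAX:
        raise ValueError(f"max_age must be between 0 and {MAX_AGE_MAX} seconds")
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {host}" for host in mx_hosts]
    lines.append(f"max_age: {max_age}")
    return "\n".join(lines) + "\n"

def build_sts_txt(domain, policy_id=None):
    """Return the _mta-sts TXT record; bump id every time the policy file changes."""
    policy_id = policy_id or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return f'_mta-sts.{domain}. IN TXT "v=STSv1; id={policy_id};"'

def build_tlsrpt_txt(domain, report_address):
    """Return the _smtp._tls TXT record that tells senders where to send TLS-RPT reports."""
    return f'_smtp._tls.{domain}. IN TXT "v=TLSRPTv1; rua=mailto:{report_address}"'

def parse_policy(text):
    """Parse a fetched policy file into a dict (mx collected as a list) to verify hosting."""
    policy = {"mx": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy
```

Fetch the hosted file over HTTPS after deploying and run it through parse_policy to confirm the version, mode and mx list match what you published.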
Part of a complete email security setup
MTA-STS protects inbound email encryption. Pair it with SPF, DKIM, and DMARC to protect against spoofing and phishing. Together these protocols form a comprehensive email security framework. Use our SPF checker, DKIM checker, and DMARC checker to verify your existing authentication setup before adding MTA-STS.
After deploying MTA-STS, check your overall email security posture with the domain reputation checker. A complete setup with SPF, DKIM, DMARC, and MTA-STS gives you the highest possible security rating.