MTA-STS checker
Validate your MTA-STS DNS record and policy file for enforced TLS mail.
The MTA-STS checker verifies that a domain publishes a valid policy advertising encrypted, authenticated inbound mail delivery. It checks the _mta-sts DNS record, fetches the policy file from the well-known HTTPS path, and confirms the mode, MX entries, and version line up. A working policy in enforce mode tells sending servers to require TLS and reject delivery if a secure connection cannot be established. Since the policy lives in both DNS and a hosted file, it's worth confirming both stay in sync.
Frequently asked questions
What's the difference between testing and enforce mode?
Testing mode reports failures without blocking delivery, while enforce mode actually rejects mail that cannot be delivered over verified TLS. Most domains start in testing before moving to enforce.
Why must the policy be served over HTTPS?
The policy file lives at a well-known HTTPS URL so sending servers can fetch it securely; an unreachable or non-HTTPS file invalidates the policy.
What does MTA-STS protect against?
It blocks downgrade and man-in-the-middle attacks on inbound mail by requiring TLS, closing the gap where an attacker strips encryption from an SMTP connection.
How is the DNS record different from the policy file?
The _mta-sts TXT record holds a version and an id that changes when you update the policy; the actual rules (mode, MX, max_age) live in the HTTPS policy file. Both must be present and agree.
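How a checker can parse the _mta-sts TXT record and the policy file and test that the two agree, as an added example that is not the SJ Monitor tool's own code. It assumes constructed sample values, and takes the domain's real MX hosts as a plain list instead of doing the DNS and HTTPS lookups a live checker performs.

```python
# Constructed sample inputs (not from any real domain); a live checker would read the
# TXT record at _mta-sts.<domain> and fetch https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_TXT = "v=STSv1; id=20240115T120000"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""
SAMPLE_MX_HOSTS = ["mail.example.com", "mx2.backup.example.com"]

def parse_txt_record(txt):
    """Split the _mta-sts TXT record (v=STSv1; id=...) into a dict of its fields."""
    pairs = (p.strip().partition("=") for p in txt.split(";") if p.strip())
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_policy(text):
    """Parse the policy file; 'mx' may repeat, so it is collected as a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "mx":
            policy["mx"].append(value)
        elif key:
            policy[key] = value
    return policy

def mx_matches(pattern, host):
    """A '*.' entry covers exactly one leftmost label; anything else must match exactly."""
    if pattern.startswith("*."):
        parent = pattern[2:]
        return host.endswith("." + parent) and "." not in host[: -len(parent) - 1]
    return pattern == host

def check_mta_sts(txt, policy_text, mx_hosts):
    """Return a list of problems; an empty list means record and policy agree."""
    rec, pol = parse_txt_record(txt), parse_policy(policy_text)
    checks = [
        (rec.get("v") == "STSv1", "TXT record must start with v=STSv1"),
        (rec.get("id", "").isalnum() and len(rec["id"]) <= 32, "TXT id must be 1-32 alphanumerics"),
        (pol.get("version") == "STSv1", "policy version must be STSv1"),
        (pol.get("mode") in ("enforce", "testing", "none"), "policy mode must be enforce, testing or none"),
        (pol.get("max_age", "").isdigit(), "policy max_age must be an integer number of seconds"),
        (bool(pol["mx"]) or pol.get("mode") == "none", "policy must list at least one mx entry"),
    ]
    problems = [msg for ok, msg in checks if not ok]
    for host in mx_hosts:  # every real MX host must be covered by some mx line
        if not any(mx_matches(p, host) for p in pol["mx"]):
            problems.append(f"MX host {host} is not covered by the policy")
    return problems
```

Remember that a successful check only proves the two artefacts agree at that moment; the TXT id must also change whenever the file changes, or senders keep using the cached policy until max_age expires.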
Can this be monitored automatically?
The record and file can drift apart over time. SJ Monitor watches your domains continuously so you hear about uptime and certificate problems that would also break MTA-STS.
More Email & deliverability tools
Want this checked automatically and around the clock? Create a free SJ Monitor account and we'll alert you the moment something changes.