wiredepth
Run a check

Free tool · Mail transport

MTA-STS + TLS-RPT checker

Look up the MTA-STS DNS record, fetch the policy file from the well-known location, and check for a TLS-RPT reporting endpoint - all in one shot. No signup.

What this tool checks

We resolve _mta-sts.<domain> in DNS, parse the version + id tags, then fetch the policy file from https://mta-sts.<domain>/.well-known/mta-sts.txt. We validate the policy syntax (mode, mx, max_age) and the TLS posture of the policy host - the policy file MUST be served over HTTPS or the entire MTA-STS posture is invalid.

We also resolve _smtp._tls.<domain> for the TLS-RPT record (RFC 8460), which tells receivers where to send daily JSON reports about TLS negotiation failures and policy enforcement issues. Without a TLS-RPT endpoint you have no visibility into whether MTA-STS is actually working.

Mode interpretation matters: testing = log only, enforce = receivers reject mail that fails policy. Most domains start at testing for 30-90 days then graduate to enforce once TLS-RPT confirms zero failures.

How to read the results

Mode = testing: receivers will report failures via TLS-RPT but won't block. Safe place to soak.

Mode = enforce: receivers reject mail when MTA-STS policy can't be honored (no TLS, expired cert, MX mismatch). High value for spoofing prevention; non-zero risk if your MTA fleet has any cert-rotation / MX-update misses.

max_age in seconds. Common values: 86400 (1 day, aggressive), 604800 (1 week, normal), 31557600 (1 year, stable infra). Receivers cache the policy for this duration.

TLS-RPT missing: you're flying blind on transport encryption posture. Add at minimum: v=TLSRPTv1; rua=mailto:[email protected] and skim the daily reports for failures.

Frequently asked questions

Do I need MTA-STS if I have STARTTLS?

STARTTLS is opportunistic - downgradable by an attacker on the wire. MTA-STS pins the policy: the receiver knows your mail must use TLS, with a specific MX list, and rejects connections that don't comply. STARTTLS alone is vulnerable to MITM downgrade.

What is the difference between MTA-STS and DANE?

Both pin TLS posture for inbound mail. DANE uses DNSSEC + TLSA records; MTA-STS uses HTTPS-fetched policy + DNS pointer. DANE is more secure (cryptographic chain) but requires DNSSEC. MTA-STS works without DNSSEC but trusts the Web PKI for the policy host. Most large mail providers run both.

Why doesn't Gmail / Microsoft enforce MTA-STS for my outbound?

They do for outbound. The check here is your INBOUND posture - whether OTHER senders honor your published policy when sending TO you. Big senders (Gmail, Yahoo, Microsoft, Apple) all honor MTA-STS for outbound to you.

Should I publish testing or enforce?

Start at testing for 30-90 days while you watch TLS-RPT reports. Once reports show zero TLS failures across your real receiver volume, switch to enforce. Skipping the testing soak is how you wake up to "our customer success team can't receive emails from $partner anymore."

Do I need MTA-STS for non-mail domains?

No - if the domain has no MX records (purely a website), skip MTA-STS. There is no mail flow to protect.

Related free tools

DMARC analyzer

Authentication posture; pairs with MTA-STS.

DNS health checker

DNSSEC, CAA, MX hygiene.

TLS / SSL checker

TLS posture on web; same hygiene applies to MX.

SPF flattener

Stay under the 10-lookup limit.