Back to Top
Catch Us at RSAC 2026 – Live Demos, Expert Tips & More!
Contact Us
Get Support Sign In
Home / Tools / MTA-STS Checker

MTA-STS Checker

Check your domain’s MTA-STS record and policy for secure email delivery.

Recognized as a Leader by Experts

G2 Crowd - EasyDMARC Reviews
4.8 4.8 out of 5 stars G2 rating
Easiest Admin Easiest To Do Business With Leader Leader in Mid-Market DMARC on G2 Momentum Leader SourceForge Top Performer Award EasyDMARC awarded the Channel Program Award Top DMARC Solution on Expert Insights Email Security Leader on Expert Insights Category Leader

What Is MTA-STS?

Mail Transfer Agent Strict Transport Security (MTA-STS) is an email security standard that helps protect email delivery by enforcing encrypted connections between mail servers. It allows domain owners to publish a policy that tells sending mail servers how to securely deliver email and what to do if a secure connection can’t be established.

By defining these rules in advance, MTA-STS reduces the risk of email interception and downgrade attacks during message transmission.

MTA-STS Record Checker

How MTA-STS Works

MTA-STS works by publishing a policy that tells sending mail servers how to securely deliver email to your domain. When an email is sent, the sending server first checks whether the recipient domain supports MTA-STS.

If MTA-STS is detected, the sender retrieves the policy file over HTTPS and validates its contents. Based on that policy, the sending server enforces encrypted delivery using TLS and verifies that the destination mail servers match the allowed MX hosts. If a secure connection can’t be established and the policy is set to enforcement mode, the message is deferred and not delivered over an insecure connection.

How MTA-STS Works

Who Needs MTA-STS?

MTA-STS is essential for organizations that rely on email for secure communication and want to reduce the risk of interception during message delivery. It’s especially valuable for domains handling sensitive data, customer communications, or high email volumes.

By adopting MTA-STS, organizations gain stronger control over how emails are delivered to their domain, helping prevent downgrade and man-in-the-middle attacks while reinforcing trust with sending mail servers. This is why many security teams consider the importance of MTA-STS a key part of a modern email security strategy.

How to Check MTA-STS

To run an MTA-STS check, enter your domain in the Domain field and click the “Check MTA-STS” button.

Once initiated, the MTA-STS test automatically reads your domain’s record and policy file and performs the following checks:

  • Confirms that the MTA-STS TXT record is published in DNS.
  • Verifies that the record syntax matches the MTA-STS specification.
  • Checks whether the MTA-STS policy file is available at the required URL.
  • Validates the policy content to ensure it complies with the standard.

This MTA-STS lookup helps you quickly identify misconfigurations and understand whether your domain is ready to enforce secure email delivery.

How to Check MTA-STS

Frequently
Asked Questions

Have more questions?
Ask via Live Chat or Contact Us

What does the MTA-STS checker test?

The MTA-STS checker tests whether your domain’s MTA-STS setup is published and configured correctly according to the MTA-STS Standard. It checks for the presence of the required DNS TXT record, confirms that the record follows the correct syntax, and verifies that a valid MTA-STS policy file is accessible at the expected HTTPS location. The tool also validates the policy content to ensure it aligns with specification requirements, helping you understand whether your domain is ready to support secure, encrypted email delivery.

Yes, the MTA-STS checker validates both critical components of an MTA-STS setup: the DNS TXT record and the policy file. First, it checks whether the MTA-STS record is published in DNS and correctly formatted. Then, it retrieves the policy file over HTTPS and verifies its availability and contents. Since both elements are required for MTA-STS to function properly, checking them together helps identify incomplete or misaligned configurations that could otherwise go unnoticed.

A failed MTA-STS check usually means that one or more required elements are missing, misconfigured, or not accessible. This could include an incorrect DNS record, an unreachable policy file, invalid syntax, or mismatched settings between the record and the policy. A failure does not mean your email is broken or immediately at risk; it simply indicates that MTA-STS cannot be reliably enforced yet. Addressing these issues ensures that sending servers can securely deliver email to your domain.

Absolutely. The MTA-STS checker is especially useful before moving to enforcement mode. Many domains start with a non-enforcing policy to confirm that records and policies are published correctly and that sending servers can retrieve them without issues. Running checks at this stage helps you identify configuration problems early, reduce the risk of delivery disruptions, and prepare for a smooth transition to enforcement once you’re confident your setup is working as intended.

It’s a good practice to run an MTA-STS check whenever you make changes to your email infrastructure, update your policy file, or modify DNS records. Regular checks are also helpful after mail server migrations, certificate renewals, or policy updates. Even without changes, periodic checks can help ensure that your configuration remains accessible and compliant over time, especially since external factors like certificate issues or hosting changes can impact policy availability.

When configured correctly, MTA-STS enforcement helps protect email delivery rather than harm it. However, once enforcement is enabled, emails that cannot be delivered securely over TLS may be deferred or rejected by sending servers. This is why testing and monitoring before enforcement is important. Using an MTA-STS checker allows you to confirm that your records and policy are valid, reducing the risk of unexpected delivery issues when enforcement is enabled.

No, technical expertise is not required to use the MTA-STS checker. The tool is designed to be simple and accessible, even for users without deep email security knowledge. You only need to enter your domain name and run the check. The results clearly indicate whether your MTA-STS records and policy are set up correctly, helping both technical and non-technical users understand their domain’s status without manual lookups or complex configuration steps.

Explore All EasyDMARC Tools To Improve Your Domain
Security and Email Deliverability

Lookup tools

DMARC Check
SPF Lookup
DKIM Lookup
BIMI Lookup
MTA-STS Lookup
TLS-RPT Lookup

Generator tools

DMARC Generator
SPF Generator
DKIM Generator
BIMI Generator
MTA-STS Generator
TLS-RPT Generator

Other tools

SPF Validator
BIMI Converter
All Tools

Join the 83,500+ companies and 175,000+ domains secured with us

Make Your DMARC Journey Simple With EasyDMARC

GET STARTED
CONTACT US
This website uses Cookies to provide a better experience. You have the right to choose whether or not to accept Cookies. See our Cookie Policy for details.