TXT Record — MTA-STS
MTA-STS prevents email from being delivered over unencrypted connections. Learn the DNS TXT record, the policy file, and how to deploy it.
Type: TXT
Category: Authentication (TXT)
Specification: RFC 8461
Yes
Syntax: TXT "v=STSv1; id=<policy-id>"
Example: TXT "v=STSv1; id=20240101120000Z"
TTL: 3600 s. Lower the TTL ahead of a policy change, and bump the id value when you publish the new policy so that senders know to fetch it again.
💬 What This Record Does
MTA-STS (Mail Transfer Agent Strict Transport Security) prevents email from being delivered to your servers over unencrypted connections or over TLS connections whose certificate does not validate. It works in two parts: a TXT record at _mta-sts.example.com signals that a policy exists (the id value changes whenever the policy changes), and a policy file hosted at https://mta-sts.example.com/.well-known/mta-sts.txt describes the policy mode (enforce, testing, or none) and which MX hosts it applies to. In enforce mode, sending servers that support MTA-STS will refuse to deliver mail if they can't establish a valid TLS connection to one of the listed MX hosts.
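As an added example (not code from this page or from any MTA-STS implementation), a small Python validator for both halves of the mechanism: it parses the `_mta-sts` TXT value, parses and checks a policy file, and applies the RFC 8461 wildcard rule when matching an MX host against the policy. The sample policy and the `example.com` names are constructed.

```python
SAMPLE_POLICY = (  # constructed sample, as served at https://mta-sts.example.com/.well-known/mta-sts.txt
    "version: STSv1\nmode: enforce\nmx: mail.example.com\n"
    "mx: *.backup.example.com\nmax_age: 604800\n")

def parse_txt_record(txt):
    """Parse the _mta-sts TXT value ("v=STSv1; id=...") into a dict; raise on anything else."""
    fields = {k.strip(): v.strip() for k, _, v in (p.partition("=") for p in txt.split(";")) if k.strip()}
    pid = fields.get("id", "")
    if fields.get("v") != "STSv1" or not (pid.isalnum() and len(pid) <= 32):
        raise ValueError("invalid MTA-STS TXT record")  # RFC 8461: id is 1-32 alphanumerics
    return fields

def parse_policy(text):
    """Parse the policy file body and enforce the required keys and allowed values."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())  # repeatable key, one MX pattern per line
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer (seconds)")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx entry")
    return policy

def mx_matches(policy, mx_host):
    """True if mx_host is covered by an mx entry; '*.d' matches exactly one leading label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False
```

Running `mx_matches` over each host returned by the domain's MX lookup is the same check a sending server makes before it decides whether an enforce policy permits delivery.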
Common Uses
- Preventing SMTP downgrade attacks that strip TLS from inbound connections
- Enforcing TLS for inbound email alongside DANE/TLSA for defence in depth
- Meeting security compliance requirements for encrypted email transport
⚠️ Watch Out For
- The "enforce" policy will cause mail to bounce if your MX servers have invalid or expired TLS certificates, so test with "testing" mode first and only switch to "enforce" once the reports are clean.
- The policy file must be served over HTTPS on the exact subdomain mta-sts.<yourdomain>, with a certificate that is valid for that name; a certificate error on the policy host means senders cannot fetch the policy at all.
- Pair with TLS-RPT (SMTP TLS Reporting) to receive reports when delivery fails due to TLS or policy-validation issues.