MTA-STS Checker

MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism that allows mail server operators to declare their ability to receive TLS-secured SMTP connections and to specify whether sending servers should refuse to deliver email to MX hosts that do not offer TLS. It works through two components: a DNS TXT record at _mta-sts.{yourdomain} that signals the policy exists, and a policy file hosted at https://mta-sts.{yourdomain}/.well-known/mta-sts.txt that contains the actual policy including the MX patterns and mode. Unlike STARTTLS alone, MTA-STS prevents downgrade attacks by requiring that the receiving server presents a valid certificate.

MTA-STS has three modes: enforce, testing, and none. In enforce mode, sending mail servers must establish a TLS connection with a valid certificate to your MX hosts — if they cannot, they will refuse to deliver the email and the message will be deferred or bounced. This gives you strong protection against man-in-the-middle attacks on inbound email. In testing mode, the policy is applied but failures are only reported (via TLS-RPT) rather than causing delivery failures — this is ideal for gradual rollout. In none mode the policy effectively does nothing and exists only to signal that the domain has considered MTA-STS. You should move from testing to enforce only after reviewing TLS-RPT reports and confirming all legitimate senders can connect successfully.

This error means the mx: patterns listed in your MTA-STS policy file at https://mta-sts.{yourdomain}/.well-known/mta-sts.txt do not match the actual MX hostnames returned by DNS for your domain. For example, if your MX record points to mail.example.com but your policy file lists mx: smtp.example.com, inbound senders using MTA-STS will reject delivery. To fix this, update the mx: lines in your policy file to match each of your actual MX hostnames — you can use wildcards like mx: *.example.com to cover multiple hosts under the same parent domain. After updating the policy file, you must also increment the id= value in your DNS TXT record at _mta-sts.{yourdomain} so that caching mail servers know to fetch the updated policy.

DNS propagation for the _mta-sts TXT record typically takes between a few minutes and 48 hours depending on the TTL (time-to-live) set on the record and your DNS provider's update speed. However, MTA-STS policies are cached by receiving mail servers for the duration specified by the max_age field in your policy file — commonly set to 86400 (1 day) or 604800 (7 days). This means that even after you update your DNS record and policy file, remote servers that have already cached your old policy will continue using it until the cache expires. To speed up rollout during initial setup or after a change, set a lower max_age first, wait for the shorter cache to expire, then increase it once the new policy is confirmed working.