Home › MTA-STS Checker

MTA-STS Checker

Verify the MTA-STS DNS record that forces inbound mail to use TLS.

Free • no sign-up • runs live in your browser.

What is MTA-STS?

MTA-STS (SMTP MTA Strict Transport Security) lets a domain require that incoming email be delivered over TLS, blocking attackers from stripping encryption (downgrade attacks). It has two parts: a DNS TXT record at _mta-sts.yourdomain.com, and a policy file served over HTTPS at mta-sts.yourdomain.com/.well-known/mta-sts.txt.

What this tool checks

This checker verifies the DNS TXT record (which a browser can read). The HTTPS policy file cannot be fetched cross-origin from a browser, so open it in a new tab to confirm it loads with the correct mode (testing/enforce).

Frequently asked questions

What's the difference between MTA-STS and DANE?

Both enforce SMTP TLS. DANE uses DNSSEC + TLSA records; MTA-STS uses an HTTPS policy file and works without DNSSEC. Many providers support MTA-STS more readily.

Should I start in testing or enforce mode?

Start with mode: testing to collect TLS-RPT reports without affecting delivery, then switch to enforce once you're confident.

Does MTA-STS need DNSSEC?

No — that's its main advantage over DANE. It relies on the HTTPS certificate of your policy host instead.

More tools

DNS Lookup
All record types
DNS Health Check
Full domain report
Email Security
SPF/DKIM/DMARC
WHOIS
Registration data
DNSSEC Check
Chain of trust
IP Lookup
Geo, ASN, rDNS