Check if a domain has MTA-STS (Mail Transfer Agent Strict Transport Security) configured. MTA-STS enforces TLS encryption for email in transit.
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that enables mail servers to declare their ability to receive TLS-secured connections and specify how sending MTAs should verify certificates.
MTA-STS protects against man-in-the-middle attacks and downgrade attacks where an attacker could intercept emails by forcing connections to use unencrypted channels.
MTA-STS requires a DNS TXT record at _mta-sts.domain.com and a policy file hosted at https://mta-sts.domain.com/.well-known/mta-sts.txt
DNS TXT Record:
_mta-sts.example.com TXT "v=STSv1; id=20231201120000Z"
Policy File:
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mail.example.com
max_age: 604800
Pro Tip: Start with mode: testing before switching to enforce. This allows you to monitor failures without impacting email delivery. Use our Domain Health Check for comprehensive email security analysis.