MTA-STS: How to Force TLS Encryption on Incoming Email
MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending mail servers they must use TLS when delivering email to your domain — and must verify your certificate. Without it, a network attacker can silently downgrade email connections to plain text.
Port 25 STARTTLS can be stripped in transit unless you publish a pinned policy over HTTPS. MTA-STS does that. Pair it with DMARC and deliverability hygiene. After you publish TXT, confirm with DNS Preflight.
What MTA-STS Does
When a mail server delivers email to you, it connects on port 25. Without MTA-STS, that connection can be downgraded to unencrypted by a network attacker — even if your server supports TLS.
MTA-STS prevents this. It tells senders:
- Always use TLS for this domain
- Verify the certificate matches
- If TLS fails — don't deliver, don't downgrade
How MTA-STS Works
Two components are required:
- A DNS TXT record at _mta-sts.yourdomain.com
- A policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
Sending servers fetch the policy file over HTTPS before connecting. If the file says enforce — they use TLS or refuse to deliver.
Step 1 — Create the Policy File
Host this file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
Start with mode: testing — same as DMARC p=none. You get TLS-RPT reports but no enforcement. Switch to enforce after confirming no failures.
Policy file fields:
- version: always STSv1
- mode: enforce (or testing to start)
- mx: your MX hostnames — list each one
- max_age: how long senders cache the policy (86400 = 24 hours, 604800 = 7 days)
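The fields above are all a sender needs to decide whether your MX hosts are covered. The validator below is an added example written for this guide, not code from the original page: it parses a policy file in the RFC 8461 format, rejects the defects that would make senders ignore your policy, and applies the wildcard matching rule (a "*.example.com" pattern covers exactly one left-most label). The policy text and hostnames are constructed; "example.com" stands in for yourdomain.com.

```python
"""Parse and validate an MTA-STS policy file (RFC 8461 section 3.2).

Added example for this guide, not code from the original page. The sample
policy text and hostnames below are constructed; example.com stands in for
yourdomain.com.
"""
import re
from dataclasses import dataclass

# Constructed sample of what you would host at
# https://mta-sts.example.com/.well-known/mta-sts.txt (CRLF or LF both parse)
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: testing\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.mx.example.com\r\n"
    "max_age: 604800\r\n"
)

# A fully qualified hostname, optionally prefixed with a single "*." wildcard
HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)


@dataclass
class Policy:
    version: str
    mode: str
    mx: list
    max_age: int


def parse_policy(text):
    """Parse 'key: value' lines into a Policy, raising ValueError on defects.

    Checks: version must be STSv1; mode is enforce, testing or none; at least
    one mx line unless mode is none; max_age is a non-negative integer of
    seconds no larger than 31557600 (the RFC 8461 maximum). Unknown keys are
    ignored, as the RFC requires. A repeated version/mode/max_age line is
    treated as a defect here (this validator's own strictness).
    """
    fields = {"version": None, "mode": None, "max_age": None}
    mx = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            if not HOSTNAME_RE.match(value):
                raise ValueError(f"invalid mx pattern: {value!r}")
            mx.append(value.lower())
        elif key in fields:
            if fields[key] is not None:
                raise ValueError(f"duplicate field: {key}")
            fields[key] = value
    if fields["version"] != "STSv1":
        raise ValueError("version must be STSv1")
    if fields["mode"] not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not mx and fields["mode"] != "none":
        raise ValueError("at least one mx line is required")
    if fields["max_age"] is None or not fields["max_age"].isdigit():
        raise ValueError("max_age must be a non-negative integer of seconds")
    max_age = int(fields["max_age"])
    if max_age > 31557600:
        raise ValueError("max_age exceeds the RFC 8461 maximum of 31557600")
    return Policy(fields["version"], fields["mode"], mx, max_age)


def mx_matches(pattern, hostname):
    """Return True if an MX hostname is covered by one policy mx pattern.

    Exact patterns match case-insensitively. A wildcard '*.example.com'
    matches 'mx1.example.com' but not 'example.com' or 'a.b.example.com',
    because a wildcard covers exactly one left-most label (RFC 8461).
    """
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if len(hostname) <= len(suffix) or not hostname.endswith(suffix):
            return False
        return "." not in hostname[: -len(suffix)]
    return pattern == hostname


def unmatched_mx_hosts(policy, mx_hosts):
    """Return the MX hosts (as published in DNS) that no mx pattern covers.

    Any host listed here will be refused by senders once mode is enforce.
    """
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy.mx)]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(policy)
    # Constructed MX set: the third host is not covered by the policy
    print(unmatched_mx_hosts(policy, ["mail.example.com", "mx1.mx.example.com", "backup.example.net"]))
```

Run it against your real policy file and the output of your MX lookup before flipping to enforce: an MX host that appears in the unmatched list is one that compliant senders will stop delivering to.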
Step 2 — Add the DNS TXT Record
The id= value must change every time you update the policy file. Use a timestamp format: YYYYMMDDHHMMSS.
Senders check if the id= has changed since they last fetched the policy. If it has — they re-fetch. If not — they use the cached version.
Step 3 — Add TLS-RPT for Reporting
TLS-RPT sends you reports when senders have TLS failures — similar to DMARC aggregate reports.
Add this alongside your MTA-STS record. Reports show you if any senders are failing TLS — before you switch to enforce mode.
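Steps 2 and 3 each publish one TXT record, and Step 2 also describes the caching rule senders apply to the id= value. The code below is an added example written for this guide, not code from the original page: it validates both record types (_mta-sts per RFC 8461, _smtp._tls per RFC 8460), implements the "re-fetch only when id= changed" decision from the sender's side, and builds a fresh YYYYMMDDHHMMSS id for your next policy update. Record strings are constructed for example.com.

```python
"""Parse the two TXT records this guide publishes and apply the sender-side
cache rule. Added example for this guide, not code from the original page;
the record strings are constructed for example.com, which stands in for
yourdomain.com:

  _mta-sts.example.com    TXT  "v=STSv1; id=20240315093000;"
  _smtp._tls.example.com  TXT  "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
"""
from datetime import datetime, timezone

# Constructed records, as a TXT lookup would return them without the quotes
STS_RECORD_OLD = "v=STSv1; id=20240101120000;"
STS_RECORD_NEW = "v=STSv1; id=20240315093000;"
TLSRPT_RECORD = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com,https://tlsrpt.example.com/v1"


def _split_fields(txt):
    """Split 'k=v; k=v' into a dict; the first occurrence of a key wins."""
    fields = {}
    for item in txt.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed element: {item!r}")
        key, value = item.split("=", 1)
        fields.setdefault(key.strip(), value.strip())
    return fields


def parse_sts_record(txt):
    """Validate an _mta-sts TXT record (RFC 8461 section 3.1): v=STSv1 plus
    an id of 1 to 32 letters or digits. Returns the id."""
    fields = _split_fields(txt)
    if fields.get("v") != "STSv1":
        raise ValueError("record must carry v=STSv1")
    sts_id = fields.get("id", "")
    if not (1 <= len(sts_id) <= 32 and sts_id.isalnum()):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return sts_id


def parse_tlsrpt_record(txt):
    """Validate an _smtp._tls TXT record (RFC 8460 section 3): v=TLSRPTv1 plus
    one or more comma-separated mailto: or https: report URIs. Returns the URIs."""
    fields = _split_fields(txt)
    if fields.get("v") != "TLSRPTv1":
        raise ValueError("record must carry v=TLSRPTv1")
    uris = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    if not uris or not all(u.startswith(("mailto:", "https://")) for u in uris):
        raise ValueError("rua must list mailto: or https: URIs")
    return uris


def needs_refetch(cached_id, txt_record, cache_expired):
    """The re-fetch rule from Step 2, as a sender applies it: fetch the policy
    over HTTPS again when the published id differs from the cached one (or the
    cached policy's max_age has elapsed); otherwise keep the cached policy."""
    return cache_expired or parse_sts_record(txt_record) != cached_id


def new_policy_id(now=None):
    """Build the YYYYMMDDHHMMSS id the guide recommends for a policy update."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%d%H%M%S")


def build_sts_record(policy_id):
    """Render the _mta-sts TXT record for a given id."""
    return f"v=STSv1; id={policy_id};"


if __name__ == "__main__":
    print("cached 20240101120000, record unchanged ->",
          needs_refetch("20240101120000", STS_RECORD_OLD, False))
    print("cached 20240101120000, record updated   ->",
          needs_refetch("20240101120000", STS_RECORD_NEW, False))
    print("reports go to:", parse_tlsrpt_record(TLSRPT_RECORD))
    print("next record to publish:", build_sts_record(new_policy_id()))
```

The practical consequence of the cache rule is the one the guide stresses: if you edit the policy file but forget to bump id=, every sender that has you cached keeps using the old policy until its max_age expires.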
Step 4 — Switch to Enforce
After 1-2 weeks of testing with no TLS-RPT failures — update the policy file so that mode: enforce replaces mode: testing.
Then change the id= in your DNS TXT record to a new timestamp so that senders re-fetch the policy.
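The "no TLS-RPT failures" condition is only as good as your reading of the reports, which arrive as JSON documents in the RFC 8460 format. The summarizer below is an added example written for this guide, not code from the original page: it totals successful and failed sessions for the MTA-STS ("sts") policy entries in a report, breaks failures down by result type and by receiving MX host, and turns the guide's rule of thumb into a single yes/no check across a testing window. The report is constructed for example.com; the sender names and IP addresses in it are made up.

```python
"""Summarize TLS-RPT aggregate reports (RFC 8460 JSON) to decide whether it is
safe to move from mode: testing to mode: enforce. Added example for this guide,
not code from the original page; the report below is constructed for
example.com, and its sender name and IPs are made up.
"""
import json
from collections import Counter

# Constructed one-day report as a sender's TLS-RPT system might deliver it
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc",
    "date-range": {"start-datetime": "2024-03-14T00:00:00Z",
                   "end-datetime": "2024-03-14T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "2024-03-14T00:00:00Z_example.com",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-domain": "example.com",
            "policy-string": ["version: STSv1", "mode: testing",
                              "mx: mail.example.com", "max_age: 604800"],
            "mx-host": ["mail.example.com"],
        },
        "summary": {"total-successful-session-count": 5326,
                    "total-failure-session-count": 3},
        "failure-details": [
            {"result-type": "certificate-host-mismatch",
             "sending-mta-ip": "198.51.100.7",
             "receiving-mx-hostname": "backup.example.net",
             "failed-session-count": 2},
            {"result-type": "sts-policy-fetch-error",
             "sending-mta-ip": "198.51.100.8",
             "receiving-mx-hostname": "mail.example.com",
             "failed-session-count": 1},
        ],
    }],
})


def summarize_report(report_json):
    """Reduce one report to totals plus failure breakdowns.

    Only 'sts' policy entries count; a report may also carry 'tlsa' (DANE) or
    'no-policy-found' entries, which say nothing about your MTA-STS policy.
    """
    report = json.loads(report_json)
    successes = failures = 0
    by_type = Counter()
    by_mx = Counter()
    for entry in report.get("policies", []):
        if entry.get("policy", {}).get("policy-type") != "sts":
            continue
        summary = entry.get("summary", {})
        successes += summary.get("total-successful-session-count", 0)
        failures += summary.get("total-failure-session-count", 0)
        for detail in entry.get("failure-details", []):
            count = detail.get("failed-session-count", 0)
            by_type[detail.get("result-type", "unknown")] += count
            by_mx[detail.get("receiving-mx-hostname", "unknown")] += count
    return {
        "successes": successes,
        "failures": failures,
        "by_result_type": dict(by_type),
        "by_mx": dict(by_mx),
    }


def ready_for_enforce(summaries):
    """The guide's rule of thumb in code: every report collected during the
    testing window must show zero failures before you switch to enforce."""
    return bool(summaries) and all(s["failures"] == 0 for s in summaries)


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(summary)
    print("ready for enforce:", ready_for_enforce([summary]))
```

In the constructed report the two certificate-host-mismatch failures point at a host (backup.example.net) that the policy's mx list does not name, which is exactly the kind of gap testing mode exists to surface: fix the policy or the host first, then keep collecting reports until they are clean.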
Hosting the Policy File
The policy file must be served over HTTPS at exactly this path: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
Options:
- Cloudflare Pages — free, easy
- GitHub Pages — free
- Nginx on your mail server
The subdomain mta-sts.yourdomain.com must have a valid TLS certificate. See also BIMI for outbound brand indicators.
Verify Your Setup
Check that the policy file is reachable over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt and is served with a valid certificate.
Check that the _mta-sts.yourdomain.com TXT record resolves and carries the current id= value.
Tool: After you publish TXT records, confirm they resolve the way you think.
FAQ
What is MTA-STS?
A standard that forces sending mail servers to use TLS when delivering email to your domain — and verify your certificate. Prevents silent TLS downgrade attacks.
Do I need MTA-STS if I already have DMARC?
They solve different problems. DMARC authenticates the sender. MTA-STS encrypts the connection. Both are recommended for full email security.
What is the difference between testing and enforce mode?
Testing mode collects TLS-RPT reports but doesn't block unencrypted delivery. Enforce mode rejects delivery if TLS fails. Start with testing, move to enforce after a clean week.
What is TLS-RPT?
TLS Reporting — sends you daily reports when senders experience TLS failures delivering to your domain. Add the _smtp._tls TXT record to receive them.
How do I update my MTA-STS policy?
Edit the policy file and update the id= value in your DNS TXT record to a new timestamp. Senders re-fetch the policy when they see the id= has changed.