MTA-STS Checker
Check whether a domain enforces TLS on inbound mail — its MTA-STS record, policy file, and TLS-RPT reporting.
Free · no signup · checks public DNS only
What the MTA-STS Checker checks
MTA-STS (SMTP MTA Strict Transport Security) lets your domain require that other mail servers use TLS encryption when delivering mail to you — closing the door on downgrade and man-in-the-middle attacks. It has two parts: a DNS TXT record at _mta-sts.yourdomain.com and a policy file served over HTTPS at mta-sts.yourdomain.com/.well-known/mta-sts.txt.
The policy’s mode matters: enforce rejects insecure delivery, testing only reports it, and none disables it. TLS-RPT (a record at _smtp._tls) is the companion that emails you reports when TLS delivery fails.
This checker reads your record, fetches and parses the live policy file, and confirms whether TLS-RPT reporting is set up.
Frequently asked questions
What is the difference between testing and enforce mode?
In testing mode, TLS failures are reported but mail is still delivered. In enforce mode, a sending server must use valid TLS or the message is not delivered. Start in testing, then move to enforce.
Do I need both the DNS record and the policy file?
Yes. The _mta-sts TXT record tells senders a policy exists (and its version id); the HTTPS policy file at mta-sts.<domain>/.well-known/mta-sts.txt contains the actual rules. Both must be present and consistent.
What is TLS-RPT?
TLS Reporting (a _smtp._tls TXT record) gives senders an address to email daily reports about TLS delivery successes and failures — your early-warning system for MTA-STS problems.
Is this tool free?
Yes — it reads your public record and fetches your public policy file; no signup.