Check your SMTP TLS policy the way receiving MTAs do.
Hands off to the full WebShield scanner, which covers this check alongside every other header, DNS and email auth probe.
Opportunistic TLS for email is exactly as weak as it sounds: a man-in-the-middle can strip STARTTLS and receiving servers will happily fall back to plaintext. MTA-STS (RFC 8461) fixes this by letting the receiving domain publish an HTTPS-backed policy that declares its MX hosts and requires TLS. WebShield fetches the `_mta-sts` DNS record, resolves the policy at `https://mta-sts.<domain>/.well-known/mta-sts.txt`, and validates every field against the spec.
Without MTA-STS, an attacker who can MITM SMTP between two mail servers can force plaintext delivery just by stripping STARTTLS from the initial banner. MTA-STS in enforce mode tells conformant senders (Gmail, Outlook, and a growing list) to refuse delivery rather than fall back. Combined with TLS-RPT, you also get failure reports when something breaks.
The scanner does DNS first - looking up the `_mta-sts.<domain>` TXT record for `v=STSv1` and the policy id. It then fetches `https://mta-sts.<domain>/.well-known/mta-sts.txt` over HTTPS with strict certificate validation. The policy body is parsed line by line and each field is checked against RFC 8461. The MX entries are cross-referenced against the domain's actual MX records.
```
_mta-sts.example.com. IN TXT "v=STSv1; id=20260417T000000Z"
```

```
version: STSv1
mode: enforce
mx: mx1.example.com
mx: mx2.example.com
mx: *.mail.example.com
max_age: 604800
```

```nginx
server {
    listen 443 ssl http2;
    server_name mta-sts.example.com;
    ssl_certificate /etc/ssl/mta-sts/fullchain.pem;
    ssl_certificate_key /etc/ssl/mta-sts/privkey.pem;
    location = /.well-known/mta-sts.txt {
        default_type text/plain;
        alias /var/www/mta-sts/mta-sts.txt;
    }
}
```

1. Create a Pages project "mta-sts" serving /.well-known/mta-sts.txt
2. Add custom domain mta-sts.example.com
3. Cloudflare issues the edge certificate automatically
4. Publish the TXT record at _mta-sts.example.com

`testing` mode tells senders to evaluate the policy and emit TLS-RPT reports, but still deliver if the policy fails. `enforce` mode refuses delivery on policy failure. Roll out in testing for at least two weeks, watch the reports, then flip to enforce.
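As an added example (not WebShield's own code), here is a Python sketch of the validation sequence described above: parse the TXT record and policy body, check each field against RFC 8461, and cross-reference the policy's mx patterns against the domain's MX hosts. The sample TXT record, policy body and MX answer are constructed to mirror the records on this page, and network lookups are left out so it runs offline.

```python
import re

# Constructed sample inputs, mirroring the records shown on this page.
TXT_RECORD = "v=STSv1; id=20260417T000000Z"
POLICY_BODY = ("version: STSv1\nmode: enforce\nmx: mx1.example.com\n"
               "mx: mx2.example.com\nmx: *.mail.example.com\nmax_age: 604800\n")
DNS_MX = ["mx1.example.com", "mx2.example.com", "mx3.mail.example.com"]  # constructed MX answer

def parse_txt(txt):
    """Split 'v=STSv1; id=...' into a dict of field -> value."""
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)

def parse_policy(body):
    """Parse the policy body line by line; 'mx' may repeat, so it collects into a list."""
    policy = {"mx": []}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        elif sep:
            policy[key.strip()] = value.strip()
    return policy

def mx_matches(pattern, host):
    """A leading '*.' matches exactly one DNS label; otherwise the host must match exactly."""
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mail.example.com"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return host == pattern

def validate(txt, body, dns_mx):
    """Return a list of findings; an empty list means every check passed."""
    findings, rec, pol = [], parse_txt(txt), parse_policy(body)
    if rec.get("v") != "STSv1":
        findings.append("TXT: v must be STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", rec.get("id", "")):
        findings.append("TXT: id must be 1-32 alphanumeric characters")
    if pol.get("version") != "STSv1":
        findings.append("policy: version must be STSv1")
    if pol.get("mode") not in ("enforce", "testing", "none"):
        findings.append("policy: mode must be enforce, testing or none")
    if not pol.get("max_age", "").isdigit() or int(pol["max_age"]) > 31557600:
        findings.append("policy: max_age must be a non-negative integer of seconds, at most 31557600")
    for host in dns_mx:  # an uncovered MX is what makes enforce-mode senders refuse delivery
        if not any(mx_matches(p, host) for p in pol["mx"]):
            findings.append(f"MX {host} is not covered by any policy mx pattern")
    return findings
```

Run `validate(TXT_RECORD, POLICY_BODY, DNS_MX)` to see the sample policy pass; swap in your own records to see which finding a change triggers.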
DANE (TLSA records) pins the receiving certificate via DNSSEC-signed TLS records. MTA-STS uses HTTPS and the Web PKI instead, which does not require DNSSEC. Both achieve the same goal - preventing STARTTLS stripping - and the biggest email providers (Gmail, Microsoft) support MTA-STS widely; DANE adoption is concentrated in Europe.
Yes. RFC 8461 requires the policy to be at `https://mta-sts.<domain>/.well-known/mta-sts.txt`. It cannot be on the apex domain. A common pattern is a tiny static bucket or CDN edge serving that single file.
Change the id in the TXT record every time you change the policy body. Senders cache on the id, so an updated body with the old id will be ignored. A timestamp-based id (YYYYMMDDTHHMMSSZ) is a convention that prevents collisions.