SenderReady
Free DNS utility

Build an MTA-STS policy candidate

Draft the _mta-sts TXT record, HTTPS policy file, and TLS-RPT reporting TXT value your mail administrator can review before transport-security enforcement.

MTA-STS policy builder

Generate DNS and HTTPS policy text

Testing policy

Host file, then publish TXT

MTA-STS DNS TXT
_mta-sts.example.com TXT v=STSv1; id=202606030001

HTTPS policy URL
https://mta-sts.example.com/.well-known/mta-sts.txt

Policy file
version: STSv1
mode: testing
mx: mx1.example.com
mx: mx2.example.com
max_age: 604800

TLS-RPT DNS TXT
_smtp._tls.example.com TXT v=TLSRPTv1; rua=mailto:tls-reports@example.com

  • Host the HTTPS policy file before publishing or changing the _mta-sts TXT id.
  • Confirm every listed MX host has a valid TLS certificate and matches your production inbound mail routing.
  • MTA-STS is a transport-security control; it does not replace SPF, DKIM, DMARC, consent, complaint monitoring, or reputation work.
  • Run the MTA-STS checker before enforcing this policy.

How to use the candidate

MTA-STS is a transport-security control for inbound mail delivery paths. It tells supporting senders where to fetch a policy and whether they should require valid TLS for the listed MX hosts.

Publish the HTTPS policy file at https://mta-sts.example.com/.well-known/mta-sts.txt before you change the DNS TXT id. Use TLS-RPT reporting while testing so the mail team can see delivery-path failures before enforcement.

This is not an inbox-placement, compliance, or uptime guarantee. Keep SPF, DKIM, DMARC, provider dashboards, and sender reputation in the same review.
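
An offline sanity check for the candidate above, added here as an example (it is not SenderReady's checker or code from this page): it validates the TXT value and policy body against the RFC 8461 field rules and lists MX hosts the policy does not cover. The function names are hypothetical, and the live MX list is an input you supply from your own DNS lookup.

```python
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds
# Candidate policy text from this page.
POLICY = "version: STSv1\nmode: testing\nmx: mx1.example.com\nmx: mx2.example.com\nmax_age: 604800\n"

def parse_txt(value):
    """Parse an _mta-sts TXT value; raise ValueError if v or id is invalid."""
    fields = dict(p.strip().split("=", 1) for p in value.split(";") if p.strip())
    if fields.get("v") != "STSv1":
        raise ValueError("v must be STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields

def parse_policy(body):
    """Return (policy dict, list of problems) for a policy file body."""
    policy, problems = {"mx": []}, []
    for line in body.splitlines():
        key, sep, val = line.partition(":")
        if not line.strip():
            continue
        if not sep:
            problems.append("not a key: value line: %r" % line)
        elif key.strip() == "mx":
            policy["mx"].append(val.strip().lower())
        else:
            policy[key.strip()] = val.strip()
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not (re.fullmatch(r"[0-9]+", age) and int(age) <= MAX_AGE_LIMIT):
        problems.append("max_age must be 0..%d" % MAX_AGE_LIMIT)
    if policy.get("mode") != "none" and not policy["mx"]:
        problems.append("at least one mx line is required")
    return policy, problems

def mx_covered(host, patterns):
    """True if host matches a pattern; '*.' stands for exactly one label."""
    host = host.lower().rstrip(".")
    parent = host.partition(".")[2]
    return any(host == p or (p.startswith("*.") and parent == p[2:]) for p in patterns)

def uncovered_mx(live_mx, policy):
    """MX hosts from DNS that the policy's mx lines do not cover."""
    return [h for h in live_mx if not mx_covered(h, policy["mx"])]
```

Any host returned by `uncovered_mx` would fail policy validation at senders that honor MTA-STS once the mode is `enforce`, so resolve it while still in testing mode.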

MTA-STS generator FAQ

Should I start with testing mode?

Yes, for most rollouts. Testing mode lets teams validate policy hosting, MX host coverage, TLS certificates, and TLS-RPT reporting before asking senders to enforce the policy.

Do I need both the DNS TXT record and HTTPS policy file?

Yes. The TXT record advertises a policy id, while the policy body is fetched over HTTPS from the mta-sts host under /.well-known/.

Does MTA-STS replace DMARC?

No. MTA-STS protects transport security for inbound delivery. DMARC, SPF, and DKIM handle sender authentication and alignment.