Force receiving mail servers to use TLS when delivering to your domain — preventing downgrade attacks.
MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) lets domain owners tell sending mail servers to always use TLS when delivering email to their domain, and to reject delivery if valid TLS cannot be established. It prevents man-in-the-middle attacks that downgrade SMTP connections from encrypted to plaintext.
MTA-STS requires two components: a DNS TXT record announcing support, and a policy file hosted at a well-known HTTPS URL.
Modes: testing (report only), enforce (require TLS, reject on failure), none (disable). Change the id value in DNS whenever you update the policy file.
Without MTA-STS, an attacker between a sending server and yours could strip TLS, reading or modifying email in transit. MTA-STS makes this impossible by telling senders to refuse delivery if TLS isn't available. MTA-STS contributes 8 points to your EmailExacto deliverability score and signals mature infrastructure to security auditors.
EmailExacto Intelligence monitors your MTA-STS DNS record daily and can host your policy file for Intelligence subscribers.
✓ Start with mode: testing to collect TLS-RPT reports before switching to enforce.
✓ Update the id value in DNS whenever you change your policy file.
✓ List all valid MX hostnames in your policy; any MX not listed causes delivery failure in enforce mode.
✓ Ensure MX hostnames have valid TLS certificates before setting enforce mode.
✓ Pair with TLS-RPT to receive reports on TLS delivery failures.
✓ Set max_age to at least 86400 (1 day) in production.
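The following Python script is an added example, not EmailExacto's code or part of its service. It parses the two components described above (the `_mta-sts` TXT record and the policy file, which RFC 8461 places at `https://mta-sts.<domain>/.well-known/mta-sts.txt`) and then runs the checklist items against them: MX coverage including `*.` wildcard matching as the RFC defines it, the production `max_age` floor, and the "policy changed but id did not" mistake. The domain `example.com`, the record contents and the MX list are constructed sample data; a real check would fetch them over DNS and HTTPS.

```python
"""Added example (not EmailExacto's code): a small RFC 8461 consistency checker
for an MTA-STS deployment. All inputs below are constructed sample data."""
import re

# Constructed: contents of the TXT record at _mta-sts.example.com
TXT_RECORD = "v=STSv1; id=20240601T120000;"

# Constructed: policy as served at https://mta-sts.example.com/.well-known/mta-sts.txt
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.mx.example.com
max_age: 604800
"""

# Constructed: hostnames from the domain's MX records (what a sender compares against)
ACTUAL_MX = ["mail1.example.com", "a.mx.example.com"]

VALID_MODES = ("enforce", "testing", "none")
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age may not exceed one year


def parse_txt_record(record: str) -> dict:
    """Parse 'v=STSv1; id=...;' into a dict; the id must be 1-32 letters or digits."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must begin with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 letters or digits")
    return fields


def parse_policy(text: str) -> dict:
    """Parse the 'key: value' policy file; unknown keys are ignored for forward compatibility."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be one of enforce, testing, none")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds") from None
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    return policy


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 matching: exact name, or a '*.' pattern covering exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mx.example.com"
        if not hostname.endswith(suffix) or len(hostname) <= len(suffix):
            return False
        return "." not in hostname[: -len(suffix)]  # only one label may precede the suffix
    return pattern == hostname


def check_deployment(txt_record: str, policy_text: str, actual_mx: list, cached=None) -> list:
    """Return a list of findings; empty means the deployment is consistent.

    cached, if given, is (id, policy_text) from an earlier fetch, so the check can
    spot a policy edit that was not accompanied by a new id in DNS."""
    findings = []
    txt = parse_txt_record(txt_record)  # raises if the DNS announcement is malformed
    policy = parse_policy(policy_text)
    if cached is not None:
        old_id, old_policy = cached
        if old_id == txt["id"] and old_policy != policy_text:
            findings.append("policy file changed but DNS id did not; senders keep the cached policy")
    if policy["mode"] != "none" and not policy["mx"]:
        findings.append("policy has no mx entries but mode is not 'none'")
    for host in actual_mx:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            findings.append(f"MX {host} not listed in policy: delivery fails in enforce mode")
    if policy["mode"] == "enforce" and policy["max_age"] < 86400:
        findings.append("max_age below 86400 in enforce mode")
    return findings


if __name__ == "__main__":
    for finding in check_deployment(TXT_RECORD, POLICY_TEXT, ACTUAL_MX) or ["ok"]:
        print(finding)
```

Run as-is it prints `ok` for the sample data; pass a second MX list or a `cached` tuple to see the checklist findings. The wildcard rule is deliberately strict: `*.mx.example.com` covers `a.mx.example.com` but neither `mx.example.com` nor `b.a.mx.example.com`, which is why a policy should list every MX hostname explicitly rather than rely on a wildcard to cover deeper names.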