MTA-STS Record Generator
Generate MTA-STS DNS records and policy files to enforce TLS encryption for inbound email delivery to your domain.
Start with "testing" to monitor before switching to "enforce".
How long senders should cache the policy, in seconds. Default: 604800 (7 days).
One per line or comma-separated. Wildcards supported (e.g. *.example.com). Must match your MX records.
1. DNS TXT Record
TXT _mta-sts.example.com
v=STSv1; id=20260327005005
Update the id value each time you change the policy file so that senders refresh their cached version.
2. Policy File
https://mta-sts.example.com/.well-known/mta-sts.txt
version: STSv1
mode: testing
mx: mail.example.com
max_age: 604800
This file must be served over HTTPS with a valid certificate at the URL above. Content type should be text/plain.
What is MTA-STS?
SMTP MTA Strict Transport Security
MTA-STS is a mechanism that allows mail service providers to declare their ability to receive TLS-secured SMTP connections. It tells sending servers that they must use TLS when delivering mail to your domain, protecting against downgrade attacks on opportunistic TLS and against DNS spoofing.
How to deploy
MTA-STS requires two components: a DNS TXT record at _mta-sts.yourdomain.com and a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The policy file must be served over HTTPS with a valid certificate. Start with "testing" mode to monitor before enforcing.
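One way to check both components before publishing, as an added example that is not code from this page or its generator: the Python below parses the TXT record and policy file shown above and lists any MX hosts the policy's mx patterns do not cover. The second MX host and the function names are constructed for illustration; the limits checked (id of 1 to 32 alphanumerics, max_age up to 31557600, a wildcard matching exactly one label) are taken from RFC 8461.

```python
# Added example, not part of the original page: offline MTA-STS pre-flight check.
import re

# Constructed sample inputs mirroring the values shown on this page.
SAMPLE_TXT = "v=STSv1; id=20260327005005"
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 604800\n"
SAMPLE_MX = ["mail.example.com", "backup.mail.example.net"]  # second host is hypothetical

def parse_txt(record):
    """Return the policy id from a _mta-sts TXT record, or raise ValueError."""
    fields = dict(p.strip().split("=", 1) for p in record.split(";") if p.strip())
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must carry v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields["id"]

def parse_policy(text):
    """Parse the key/value policy file; 'mx' may repeat, other keys keep the first value."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key:
            policy.setdefault(key, value)
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > 31557600:
        raise ValueError("max_age must be an integer no larger than 31557600")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx pattern is required")
    return policy

def mx_allowed(host, patterns):
    """A '*.' wildcard covers exactly one leftmost label (RFC 8461, section 4.1)."""
    host = host.lower().rstrip(".")
    first, _, parent = host.partition(".")
    for pat in patterns:
        if host == pat or (pat.startswith("*.") and first and parent == pat[2:]):
            return True
    return False

def uncovered_mx(policy, mx_hosts):
    """MX hosts that a sender honouring the policy would refuse in enforce mode."""
    return [h for h in mx_hosts if not mx_allowed(h, policy["mx"])]
```

Any host returned by uncovered_mx should be added to the policy (or removed from DNS) before the mode is switched from "testing" to "enforce".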
Why it matters
Without MTA-STS, SMTP connections between servers can be downgraded from TLS to plaintext by a man-in-the-middle attacker. MTA-STS works alongside DANE and TLS-RPT to provide a robust defense against eavesdropping on and tampering with email in transit between mail servers.