
MTA-STS Generator

Set your MX hosts, mode, and max age, then copy both the DNS TXT record and the HTTPS policy file you need to publish.

A unique identifier for this policy version. Update it whenever the policy changes so receivers refresh their cached copy.

Mail is only delivered to MX hosts that pass the policy. The strongest protection — use once testing confirms your hosts are correct.

How long receivers cache this policy, in seconds. A week (604800) is a common value.

One MX hostname per line (or comma-separated). Must match the hosts in your MX records. Wildcards like *.example.com are allowed.


What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism that allows mail service providers to declare their ability to receive TLS-secured connections. It prevents downgrade attacks and ensures email is transmitted over encrypted connections.

MTA-STS needs two things published together: a DNS TXT record at _mta-sts.yourdomain.com and a policy file served over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. This generator produces both at once. Start in mode: testing to collect TLS-RPT reports without affecting delivery, then switch to mode: enforce once your MX hosts present valid TLS certificates. Already publishing one? Check it first to see what is live.

1. DNS TXT Record

Published at _mta-sts.example.com (TXT record):

v=STSv1; id=20240101T000000

2. HTTPS Policy File

Hosted at https://mta-sts.example.com/.well-known/mta-sts.txt (one key per line):

version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800

MTA-STS Policy Modes

mode: enforce

Sending servers must use TLS. Mail is not delivered if TLS fails.

mode: testing

Failures are reported via TLS-RPT but emails are still delivered.

mode: none

MTA-STS is disabled. Equivalent to not publishing a policy at all.
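As an added example (not code from this generator), a small Python validator for the two artifacts described above: it parses the DNS TXT record and the HTTPS policy file, applies the RFC 8461 constraints (id of 1 to 32 alphanumeric characters, one mx per line, '*' only as the whole left-most label, max_age in seconds with a one-year upper bound, enforce/testing requiring at least one mx) and checks candidate MX hostnames against the published mx patterns. The sample record and policy text are constructed, modelled on the examples on this page.

```python
import re
# Constructed sample inputs, modelled on the record and policy file shown on this page.
TXT_RECORD = "v=STSv1; id=20240101T000000"
POLICY_FILE = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.backup.example.com\nmax_age: 604800\n"

MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age (one year, in seconds)
HOST_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)  # '*' only as the whole left-most label

def parse_txt_record(record):
    """Parse 'v=STSv1; id=...'; the id must be 1-32 alphanumeric characters (RFC 8461)."""
    fields = dict(part.strip().split("=", 1) for part in record.split(";") if part.strip())
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("TXT record needs v=STSv1 and a 1-32 character alphanumeric id")
    return fields

def parse_policy(text):
    """Parse the mta-sts.txt body into a dict and reject the defects that break publication."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not sep:
            raise ValueError(f"line is not 'key: value': {line!r}")
        if key == "mx":
            if not HOST_RE.match(value):
                raise ValueError(f"invalid mx pattern: {value!r}")
            policy["mx"].append(value.lower())
        elif key == "max_age":
            if not value.isdigit() or int(value) > MAX_AGE_LIMIT:
                raise ValueError(f"max_age must be an integer 0..{MAX_AGE_LIMIT}: {value!r}")
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in MODES:
        raise ValueError("need version: STSv1 and mode: enforce|testing|none")
    if "max_age" not in policy or (policy["mode"] != "none" and not policy["mx"]):
        raise ValueError("max_age is required; enforce/testing need at least one mx")
    return policy

def mx_allowed(policy, mx_host):
    """True if mx_host matches a policy mx entry; '*.' matches exactly one left-most label."""
    host = mx_host.lower().rstrip(".")
    first, _, rest = host.partition(".")
    return any(host == p or (p.startswith("*.") and bool(first) and rest == p[2:]) for p in policy["mx"])

if __name__ == "__main__":
    policy = parse_policy(POLICY_FILE)
    for h in ("mail.example.com", "mx2.backup.example.com", "other.example.com"):
        print(h, "allowed" if mx_allowed(policy, h) else "NOT in policy")
```

Run it against the record and policy you are about to publish, and against the hostnames in your live MX records, before switching from mode: testing to mode: enforce.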