MTA-STS Generator
Set your MX hosts, mode, and max age, then copy both the DNS TXT record and the HTTPS policy file you need to publish.
A unique identifier for this policy version. Update it whenever the policy changes so receivers refresh their cached copy.
Mail is only delivered to MX hosts that pass the policy. The strongest protection — use once testing confirms your hosts are correct.
How long receivers cache this policy, in seconds. A week (604800) is a common value.
One MX hostname per line (or comma-separated). Must match the hosts in your MX records. Wildcards like *.example.com are allowed.
Record
v=STSv1; id=20260612T175838
Policy file
version: STSv1
mode: enforce
max_age: 604800
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism that allows mail service providers to declare their ability to receive TLS-secured connections. It prevents downgrade attacks and ensures email is transmitted over encrypted connections.
MTA-STS needs two things published together: a DNS TXT record at _mta-sts.yourdomain.com and a policy file served over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. This generator produces both at once. Start in mode: testing to collect TLS-RPT reports without affecting delivery, then switch to mode: enforce once your MX hosts present valid TLS certificates. Already publishing one? Check it first to see what is live.
1. DNS TXT Record
Published at _mta-sts.yourdomain.com
v=STSv1; id=20240101T000000
2. HTTPS Policy File
Hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800
MTA-STS Policy Modes
mode: enforce - Sending servers must use TLS to a listed MX host. Mail is not delivered if TLS fails.
mode: testing - Failures are reported via TLS-RPT, but mail is still delivered.
mode: none - MTA-STS is disabled. Equivalent to not publishing a policy.
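The two artefacts described above (the TXT record and the policy file) and the three modes can be checked offline with a small validator. The following is an added example, not part of the generator or its output: it parses both formats using the RFC 8461 rules (an id of 1 to 32 alphanumeric characters, a max_age of at most one year, a wildcard mx pattern covering exactly one label), then applies the mode to a list of MX hosts the way a sending server would. The sample record and policy are constructed inputs; the wildcard entry *.backup.example.net and the host list are hypothetical.

```python
import re

# Constructed sample inputs in the two formats the generator emits
# (the TXT record and the policy file); the second mx pattern is a
# hypothetical wildcard added to exercise the matching rules.
SAMPLE_TXT = "v=STSv1; id=20240101T000000"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""

MAX_AGE_LIMIT = 31557600  # one year, the ceiling set by RFC 8461


def parse_sts_txt(record):
    """Parse the _mta-sts TXT record into a dict; raise ValueError if malformed."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if not record.strip().startswith("v=STSv1"):
        raise ValueError("record must begin with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1 to 32 alphanumeric characters")
    return fields


def parse_policy(text):
    """Parse the mta-sts.txt body; raise ValueError on anything a receiver would reject."""
    policy = {"mx": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"line {lineno}: duplicate {key}")
            policy[key] = value
        # unknown keys are extension fields and are ignored, as RFC 8461 requires
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be an integer no larger than one year")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required unless mode is none")
    return policy


def host_matches(hostname, patterns):
    """True if an MX hostname is covered by one of the policy's mx patterns."""
    host = hostname.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            # A wildcard covers exactly one leading label: *.example.com
            # matches mail.example.com, not example.com or a.b.example.com.
            suffix = pattern[1:]
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def evaluate(txt_record, policy_text, mx_hosts):
    """Apply the policy mode to a list of MX hosts the way a sending MTA would."""
    sts = parse_sts_txt(txt_record)
    policy = parse_policy(policy_text)
    matched = [h for h in mx_hosts if host_matches(h, policy["mx"])]
    unmatched = [h for h in mx_hosts if h not in matched]
    mode = policy["mode"]
    return {
        "policy_id": sts["id"],
        "mode": mode,
        "max_age": policy["max_age"],
        # enforce: only matching hosts are used; testing/none: all hosts are used
        "usable_mx": matched if mode == "enforce" else list(mx_hosts),
        # enforce and testing both produce TLS-RPT failure reports; none does not
        "reported": [] if mode == "none" else unmatched,
    }


if __name__ == "__main__":
    hosts = ["mail.example.com", "mx2.backup.example.net", "legacy.example.org"]
    print(evaluate(SAMPLE_TXT, SAMPLE_POLICY, hosts))
```

Running the script with the sample inputs shows the practical difference between the modes: under enforce, legacy.example.org is dropped from the usable MX list and reported; under testing it stays usable but is still reported; under none nothing is reported. Feeding parse_policy an enforce-mode policy with no mx lines, like the empty-form output near the top of this page, raises an error, which is the check to run before switching a live domain from testing to enforce.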