
MTA-STS Lookup

Check the MTA-STS policy for secure SMTP connections

usage: mta-sts --domain

What is MTA-STS Lookup?

MTA-STS Lookup verifies the MTA-STS (Mail Transfer Agent Strict Transport Security) policy of a domain. MTA-STS enforces the use of encrypted TLS connections for email transfer between servers, preventing man-in-the-middle attacks and SMTP encryption downgrade.

Frequently Asked Questions

What is MTA-STS?
MTA-STS is a mechanism that allows domains to declare support for encrypted SMTP connections (TLS) and instruct sending servers to refuse delivery if a secure TLS connection cannot be established.
How does MTA-STS work?
The domain publishes a DNS TXT record at _mta-sts.domain.com and a JSON policy at https://mta-sts.domain.com/.well-known/mta-sts.txt. Sending servers download the policy and apply the TLS constraints.
What is the difference between MTA-STS and STARTTLS?
STARTTLS is opportunistic: if it fails, the server proceeds in plain text. MTA-STS is strict: if TLS is not available or the certificate is invalid, the email is not delivered, preventing downgrade attacks.
What are the MTA-STS modes?
Two modes: testing (reports problems without blocking delivery) and enforce (blocks delivery if TLS fails). Start with testing to identify issues before switching to enforce.
Is MTA-STS supported by major providers?
Yes, Gmail, Outlook/Microsoft 365, Yahoo, and other major providers support MTA-STS both as senders and recipients. Support is constantly growing.
How does MTA-STS relate to TLS-RPT?
TLS-RPT (TLS Reporting) complements MTA-STS by providing reports on TLS failures. When you activate MTA-STS, also configure TLS-RPT to receive notifications about connection issues.
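
The TXT record and policy file described under "How does MTA-STS work?", as an added example that is not this tool's own code: an offline sketch of how a sender evaluates them, following RFC 8461, in which the policy file is plain-text `key: value` lines. The domain names, policy id and function names are constructed for illustration.

```python
# Constructed sample data; a real check would fetch these over DNS and HTTPS.
SAMPLE_TXT = "v=STSv1; id=20240101T000000"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.com
max_age: 604800
"""

def parse_txt(record):
    """Parse the _mta-sts TXT record and return the policy id."""
    fields = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields["id"]

def parse_policy(text):
    """Parse the key: value lines of the well-known policy file."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())  # mx may repeat
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    # RFC 8461 also defines "none", used to withdraw a policy.
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age missing or not numeric")
    policy["max_age"] = int(policy["max_age"])
    return policy

def mx_matches(pattern, host):
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):  # wildcard covers exactly one left-most label
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return host == pattern

def delivery_decision(policy, mx_host, tls_valid):
    """What a sending MTA does for one candidate MX under this policy."""
    ok = tls_valid and any(mx_matches(p, mx_host) for p in policy["mx"])
    if ok or policy["mode"] == "none":
        return "deliver"
    return "deliver-and-report" if policy["mode"] == "testing" else "refuse"
```

A changed `id` in the TXT record is the signal for senders to re-fetch the policy, so a monitoring check can compare `parse_txt` output against the last value it saw.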
