Mail Transfer Agent Strict Transport Security (MTA-STS)

Field	Value	Copy
{{ row.label }}	{{ row.value }}

Directive	Value	Copy
{{ row.label }}	{{ row.value }}

Check	Result	Copy
{{ c.label }}	Pass Fail

Field	Value	Copy
{{ row.label }}	{{ row.value }}

MTA STS policies tell other mail servers to deliver messages over secure connections and to refuse delivery when policy rules cannot be met. A clear status helps avoid downgrade attacks and misrouted mail, and it gives teams a fast way to spot gaps in configuration.

You provide a domain and the checker reads the public text record and the published policy, then summarizes what is present and what is missing. It reports the policy version and mode, the cache window, any listed mail exchangers, and whether the certificate is still valid.

For example, a domain with the current version in enforce mode, a cache window of 90 days, and a healthy certificate will score well, while a soon expiring certificate or a missing id token will lower the result. Results guide fixes and do not change settings by themselves.

Use consistent domains, keep inputs simple, and repeat checks after certificate renewals. Choose this when you want a quick configuration read, not a full mail delivery test.

Technical Details:

The validator inspects the public DNS text record for the dedicated host and the policy file served over HTTPS on the policy host. It extracts the version string, a unique identifier, the operating mode, the cache lifetime in seconds, and the list of mail exchanger hostnames.

Results are summarized as individual pass or fail checks and combined into a percentage score. The score is a simple fraction of checks that passed, rounded to a whole percent for easy comparison across runs.

Modes are interpreted as enforce, testing, or none. A cache lifetime outside the accepted window and a missing mail exchanger list lower confidence. Certificate dates are read from the TLS server certificate used to serve the policy file and converted into the number of days remaining.

\begin{array}{l} S & = & round (100 \times \frac{p}{n}) \end{array}

Symbols and units used in the score formula
Symbol	Meaning	Unit/Datatype	Source
S	Validation score	%	Derived
p	Number of checks that passed	integer	Derived
n	Total checks evaluated	integer	Constant (12)

Worked example:

\begin{array}{l} p & = & 10 \\ n & = & 12 \\ S & = & round (100 \times \frac{10}{12}) = 83 \end{array}

Interpretation: 83% indicates most elements are correctly published; remaining failures should be addressed.

Checks evaluated

TXT record present for the dedicated host.
TXT record declares version as stsv1.
TXT record includes a non‑empty id token.
Policy is fetched over HTTPS.
Policy version is stsv1.
Policy mode is one of enforce, testing, none.
max_age is present and positive.
max_age ≥ 86 400 s.
max_age ≤ 31 557 600 s.
At least one mx directive is present.
TLS certificate is currently valid.
Certificate has at least 7 days remaining.

Validation & bounds extracted from code

Validation rules and bounds
Field	Type	Min	Max	Step/Pattern	Error Text
Domain	string	—	—	hostname characters `[A-Za-z0-9.-]+`	“Domain is required.”
TXT host	derived	—	—	`_mta-sts.<domain>`	—
Policy URL	derived	—	—	`https://mta-sts.<domain>/.well-known/mta-sts.txt`	—
Policy size	bytes	0	65 536	truncate on overflow	“Policy response exceeded size limit.”
HTTPS redirects	count	0	4	stop at limit	“Too many redirects while fetching the policy.”
Request timeout	milliseconds	100	10 000	default 6 000	“Unable to fetch MTA-STS policy.”
TLS protocol	version	1.2	—	reject lower versions	HTTPS required
Mode values	enum	—	—	`enforce` \| `testing` \| `none`	invalid mode fails
`max_age`	seconds	86 400	31 557 600	integer	outside window fails

Units, precision & display

Lookup and fetch times show rounded milliseconds.
TTL shows whole seconds; unknown values display as “—”.
max_age shows seconds; when divisible by 86 400 it also shows days.
Hours display with one decimal, trimmed when not needed.
Score rounds to the nearest whole percent.

I/O formats & parsing

TXT tokens are parsed as key–value pairs split on semicolons; keys are case‑insensitive.
Policy lines are parsed as key: value pairs; comments beginning with # are ignored.
The first TXT answer is treated as the primary record; additional answers are shown separately.

Networking & storage behavior

DNS records are queried via DNS‑over‑HTTPS.
The policy file is fetched over HTTPS; TLS certificate details are read from the connection.
No persistent storage is used by the page; results can be copied or downloaded by the user.

Security considerations

Domain input is sanitized to hostname characters before use.
Policy retrieval requires TLS 1.2 or higher and a trusted certificate.
Results indicate configuration shape, not mail deliverability.

Assumptions & limitations

Heads‑up The checker does not probe MX servers or start TLS handshakes.
Mode validity is syntactic; it does not test policy enforcement in transit.
Heads‑up A valid structure does not guarantee messages will be accepted.
Only the presence of at least one mx directive is checked.
Certificate freshness uses days until “not after,” not CA revocation status.
DNS TTL and caching can delay record updates.
Multiple TXT answers are displayed but not ranked beyond first seen.
Large or redirected policies beyond limits are not processed.

Edge cases & error sources

Malformed domains, including spaces or unsupported characters.
TXT lookup timeouts or DNS errors.
Empty TXT records or missing version and id tokens.
Policy responses exceeding 65 536 bytes.
Redirect loops or more than 4 redirects.
Untrusted or expired TLS certificates on the policy host.
Clock skew affecting “days remaining.”
Non‑ASCII policy lines or unusual whitespace.
Multiple identical directives where only the first is used.
Network blockers preventing DNS‑over‑HTTPS or HTTPS fetches.

Scientific & standards backing

Mail transfer security policy is defined by community standards for SMTP policy publication and DNS TXT usage; certificate handling aligns with widely adopted X.509 practices.

Privacy & compliance

The page sends the domain you enter to public DNS and policy endpoints to retrieve records and the policy file. No credentials are requested. There is no server‑side database; requests are processed on demand.

How‑to · Step‑by‑Step Guide

Validate a domain’s policy posture and read the results clearly.

Enter the domain you want to check.
Start validation and wait for the TXT and policy fetch to complete.
Review pass or fail checks and the policy parameters.
Inspect certificate dates and subject details.
Copy or download results for documentation or ticketing.

Example: Enter example.com, confirm stsv1 in both locations, a mode of enforce, a max_age of 86 400 s or higher, at least one mx line, and a certificate with more than 7 days left.

Pro tip: rotate the TXT id to force cache refresh after policy updates.

FAQ

Is my data stored?

The page sends your domain to retrieve records and the policy, then renders results. There is no persistent database in this app, though endpoints may keep routine logs.

Avoid entering anything other than domains.

How accurate is the score?

It reflects how many checks passed. It is a configuration summary and not a guarantee of delivery. Missing enforcement, out‑of‑window cache, or a near‑expiry certificate will reduce it.

What units are used?

Times are milliseconds for lookups and fetches and seconds for TTL and max_age. The score is a whole percent.

Can I use it offline?

No. It needs DNS and HTTPS access to read the TXT record, fetch the policy, and inspect the certificate.

Does it validate MX servers?

It checks for the presence of mx lines in the policy. It does not probe mail servers or compare against live MX records.

What does a “borderline” result mean?

A valid certificate with fewer than 7 days left will fail freshness while still passing validity. Update the certificate or revisit the policy window soon.

How do I validate an MTA‑STS policy?

Enter the domain, run the check, and confirm stsv1 in TXT and policy, a valid mode, a window within bounds, at least one mx, and a healthy certificate.

Is there a cost or license?

No account is required. Use at your discretion within your organization’s policies.

Troubleshooting

“TXT lookup failed.” — check connectivity and the host record.
“Policy fetch failed.” — ensure the policy host serves the file over HTTPS.
“Too many redirects.” — correct redirect rules on the policy host.
“Policy response exceeded size limit.” — trim comments or directives.
“Certificate expired.” — renew the certificate on the policy host.
Clipboard copy blocked — grant permission or download instead.
Unexpected mode — set mode to enforce, testing, or none.

An expired or untrusted certificate on the policy host will fail validation and should be replaced immediately.

Advanced Tips

Tip Prefer a max_age that balances cache stability with update agility.
Tip Use testing mode during staged rollouts, then switch to enforce.
Tip Rotate the TXT id after policy edits to invalidate caches.
Tip Keep the policy concise; large files slow retrieval and risk hitting size limits.
Tip Align certificate names with the policy host and include needed Subject Alternative Names.
Tip Re‑check after DNS or certificate changes to confirm propagation.

Glossary

MTA‑STS: Policy for securing SMTP delivery using HTTPS‑hosted rules.
TXT record: DNS text entry that publishes version and identifier.
STSv1: The policy and TXT version string used by validators.
Mode: Operating state: enforce, testing, or none.
max_age: Cache lifetime for the policy in seconds.
MX: Mail exchanger hosts authorized by the policy.
TLS certificate: X.509 certificate used by the policy host’s HTTPS service.
SAN: Subject Alternative Names listed on a certificate.
TTL: Time to live for DNS answers in seconds.
Days remaining: Computed days until the certificate’s not‑after date.