
Mail Transfer Agent Strict Transport Security, or MTA-STS, lets a receiving mail domain publish rules for secure SMTP delivery. The policy tells sending mail systems which mail exchangers are acceptable, whether the domain is testing or enforcing the policy, and how long the policy may be cached.

MTA-STS matters because SMTP delivery historically allowed downgrade and fallback behavior. A receiving domain can have the right MX hosts but still publish a stale TXT identifier, serve an unreachable policy, use a weak cache window, or present an expiring certificate on the policy host. Those failures can be hard to spot when each piece is checked separately.

This validator covers TXT-record discovery for the domain, the HTTPS policy fetch, certificate freshness, the policy rule checks, and readiness reporting.

A common rollout path is to publish a policy in testing mode, watch for problems, then move toward enforcement once the TXT record, policy file, MX patterns, and certificate are healthy. A high score still has a narrow meaning: it reflects what was visible during this lookup. It does not prove that every sender supports MTA-STS, that every sender has refreshed its cache, or that live SMTP delivery to each MX host has been tested.

The safest reading is publication readiness. Use the report to find broken discovery, malformed policy fields, cache-window mistakes, and certificate risk before treating an MTA-STS rollout as complete.

How to Use This Tool:

Run the validator after DNS changes, policy edits, certificate renewals, MX migrations, and before moving a domain from testing to enforcement.

  1. Enter the recipient mail domain in Domain. A URL or mailbox-style prefix is normalized to the hostname when possible.
  2. Select Validate MTA-STS. If the page reports Domain is required, correct the input before checking the results.
  3. Read MTA-STS Summary for the score, policy mode, readable max_age, TXT TTL, policy fetch time, and certificate freshness badge.
  4. Open TXT Record Details and confirm the discovery host, primary record, version token, id, TXT TTL, and record count.
  5. Open Policy Parameters and review policy status, content type, redirects, policy version, mode, max_age, and listed MX hosts.
  6. Open Validation Checks when the score is not 100%. The failed row is usually more useful than the percentage.
  7. Use Certificate Insights to inspect the policy-host certificate, including protocol, cipher, subject, issuer, validity dates, remaining days, and subject alternative names.
  8. Use Control Readiness and MTA-STS Control Profile for a compact handoff, then rerun the same domain after each DNS, policy, or certificate fix.

If TXT lookup fails, fix the discovery record first. If the policy fetch fails, repair the policy host, certificate, or policy response before relying on the published TXT record.

Interpreting Results:

The score summarizes validation checks; it is not an MTA-STS standard field. A 100% result means the visible TXT record, HTTPS policy, policy syntax, cache window, MX coverage, and policy-host certificate passed this validator at lookup time.

  • TXT discovery is only the starting point. A valid-looking TXT record does not prove the policy host is reachable or trusted.
  • Policy mode tells you intent. testing can pass validation while still not enforcing delivery restrictions.
  • max_age affects cache behavior. A very short value may pass presence checks but fail the recommended readiness floor used here.
  • Policy certificate valid means the policy host certificate is acceptable now. Certificate freshness is stricter and warns when fewer than seven days remain.
  • MX coverage matters for active modes. mode: none does not require MX directives, while testing and enforce modes do, because the MX patterns define which mail exchangers delivery is permitted to reach.

A high score does not test actual SMTP sessions. For a security-sensitive rollout, verify live mail flow, receiver certificates, monitoring reports, and sender cache behavior outside this page.

Technical Details:

MTA-STS has two publication surfaces. The policy domain publishes a TXT record at _mta-sts.<domain>, and the policy host serves the policy over HTTPS from mta-sts.<domain>/.well-known/mta-sts.txt. The TXT record carries v=STSv1 and an id token so senders can decide whether a cached policy may be stale.

The policy file is line based. Meaningful directives include version, mode, mx, and max_age. The validator ignores comments, collects multiple mx directives, checks policy response metadata, and inspects the certificate used by the final policy host. The policy response is capped to keep unusually large responses from being treated as normal policy files.

Formula Core

The overall score is the rounded percentage of validation checks that pass. The current check set contains 15 pass/fail checks.

$S = \mathrm{round}\left(\frac{100 \times p}{15}\right)$

Here p is the number of passed checks. For example, 13 passing checks produce round(100 × 13 / 15) = 87%. Control readiness rows use their own local percentages based on the checks inside each control group.

Rule Core

MTA-STS validation rules

| Area | Passing Conditions | Why It Matters |
| --- | --- | --- |
| TXT discovery | A TXT record is published, exactly one usable STSv1 record is selected, the version begins with v=STSv1, and an id token is present. | Senders use the TXT record to discover the policy and notice policy updates. |
| Policy fetch | The policy is served over HTTPS, returns HTTP 200, and uses the text/plain content type. | Senders need a reachable, authenticated policy, not only a DNS hint. |
| Policy syntax | The policy version is STSv1, mode is enforce, testing, or none, max_age is present and positive, and active modes list MX hosts. | These fields define the delivery restrictions and cache lifetime. |
| Cache window | max_age must be at least 86,400 seconds and no more than 31,557,600 seconds to pass the readiness checks. | The value should be long enough to be meaningful without exceeding the standard's upper bound. |
| Policy certificate | The policy-host certificate must validate now, and the freshness check passes only when at least seven days remain. | An otherwise correct policy can fail for senders when the serving certificate expires. |

MTA-STS score status bands

| Score Band | Status | Review Meaning |
| --- | --- | --- |
| 90 to 100 | Ready | Most or all checks pass; still verify live mail behavior before enforcement decisions. |
| 70 to 89 | Review | Publication is partly usable, but at least one important discovery, policy, cache, or certificate issue remains. |
| 0 to 69 | Fix | The domain should not be treated as MTA-STS ready until failed checks are repaired and rerun. |
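The rule set, score formula and status bands above, together with the line-based policy parser from the Technical Details section, as an added offline example that is not the validator's own code. It models the 15 pass/fail checks with constructed evidence dictionaries standing in for the DNS lookup, the HTTPS fetch and the certificate inspection; the 64 KiB response cap is an assumed value, since the page states a cap but not its size, and the sample TXT record, policy text and certificate figures are constructed to mirror the worked examples (the id 20260518, max_age 2592000 and 3600, 43 days remaining).

```python
# Added example, not the validator's own code: an offline model of the page's
# 15-check rule set. DNS, HTTPS and certificate evidence are constructed dicts.
MAX_POLICY_BYTES = 64 * 1024   # assumed cap; the page states a cap but not its size
MIN_MAX_AGE = 86_400           # cache-window floor from the rule table
MAX_MAX_AGE = 31_557_600       # cache-window ceiling from the rule table
MIN_CERT_DAYS = 7              # certificate freshness floor
VALID_MODES = {"enforce", "testing", "none"}
TOTAL_CHECKS = 15

def parse_txt_record(txt: str) -> dict[str, str]:
    """Split a record such as 'v=STSv1; id=20260518' into a tag dict."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def parse_policy(body: str) -> dict:
    """Line-based parser: skips blank and '#' comment lines, lower-cases directive
    names, collects every mx directive into a list and keeps the last value of any
    other directive. Oversized bodies are rejected instead of parsed."""
    if len(body.encode("utf-8")) > MAX_POLICY_BYTES:
        raise ValueError("policy body exceeds the size cap")
    policy: dict = {"mx": []}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key.lower() == "mx":
            policy["mx"].append(value)
        else:
            policy[key.lower()] = value
    return policy

def run_checks(txt_records, fetch, policy_body, cert):
    """Evaluate the 15 pass/fail checks; returns (area, label, passed) tuples."""
    sts = [r for r in txt_records if r.startswith("v=STSv1")]
    tags = parse_txt_record(sts[0]) if len(sts) == 1 else {}
    policy = parse_policy(policy_body)
    raw_age = policy.get("max_age", "")
    max_age = int(raw_age) if raw_age.isdigit() else -1   # -1 marks missing/invalid
    mode = policy.get("mode", "")
    return [
        ("TXT discovery", "TXT record published", bool(txt_records)),
        ("TXT discovery", "exactly one usable STSv1 record", len(sts) == 1),
        ("TXT discovery", "version begins with v=STSv1", tags.get("v") == "STSv1"),
        ("TXT discovery", "id token present", bool(tags.get("id"))),
        ("Policy fetch", "served over HTTPS", fetch.get("scheme") == "https"),
        ("Policy fetch", "HTTP 200", fetch.get("status") == 200),
        ("Policy fetch", "text/plain content type",
         fetch.get("content_type", "").startswith("text/plain")),
        ("Policy syntax", "version is STSv1", policy.get("version") == "STSv1"),
        ("Policy syntax", "mode is enforce, testing, or none", mode in VALID_MODES),
        ("Policy syntax", "max_age present and positive", max_age > 0),
        ("Policy syntax", "active mode lists MX hosts", mode == "none" or bool(policy["mx"])),
        ("Cache window", f"max_age >= {MIN_MAX_AGE} seconds", max_age >= MIN_MAX_AGE),
        ("Cache window", f"max_age <= {MAX_MAX_AGE} seconds", 0 < max_age <= MAX_MAX_AGE),
        ("Policy certificate", "certificate valid now", cert.get("valid") is True),
        ("Policy certificate", f"at least {MIN_CERT_DAYS} days remain",
         cert.get("days_remaining", -1) >= MIN_CERT_DAYS),
    ]

def score(checks) -> int:
    """S = round(100 * p / 15), with p the number of passing checks."""
    return round(100 * sum(ok for _, _, ok in checks) / TOTAL_CHECKS)

def band(s: int) -> str:
    return "Ready" if s >= 90 else "Review" if s >= 70 else "Fix"

def control_readiness(checks) -> dict[str, int]:
    """Local percentage per control group, as the Control Readiness table reports."""
    groups: dict[str, list[bool]] = {}
    for area, _, ok in checks:
        groups.setdefault(area, []).append(ok)
    return {area: round(100 * sum(oks) / len(oks)) for area, oks in groups.items()}

def evaluate(txt_records, fetch, policy_body, cert) -> dict:
    checks = run_checks(txt_records, fetch, policy_body, cert)
    s = score(checks)
    return {"score": s, "band": band(s), "readiness": control_readiness(checks),
            "failed": [label for _, label, ok in checks if not ok]}

# Constructed evidence mirroring the page's "ready enforcement profile".
READY_TXT = ["v=STSv1; id=20260518"]
READY_FETCH = {"scheme": "https", "status": 200, "content_type": "text/plain; charset=utf-8"}
READY_POLICY = ("# constructed policy file\nversion: STSv1\nmode: enforce\n"
                "mx: mail1.example.com\nmx: *.example.net\nmax_age: 2592000\n")
READY_CERT = {"valid": True, "days_remaining": 43}
SHORT_LIVED_POLICY = READY_POLICY.replace("max_age: 2592000", "max_age: 3600")

if __name__ == "__main__":
    for name, body in (("ready", READY_POLICY), ("short-lived", SHORT_LIVED_POLICY)):
        print(name, evaluate(READY_TXT, READY_FETCH, body, READY_CERT))
```

Running the module prints the ready profile at 100% and the short-lived profile at 93% with only the max_age floor failing, which is why the page says to read the failed row rather than the percentage: the score stays in the Ready band while the Cache window control drops to 50%. The check labels and thresholds are taken from the rule table; the exact labels the live tool prints may differ.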

Privacy and Accuracy Notes:

This validator performs live network checks. The entered domain is used for public DNS lookup and for a server-side HTTPS policy fetch so certificate details can be inspected. The result may include public DNS answers, policy text, certificate metadata, and generated handoff links. JSON exports stay wherever you copy or save them.

Worked Examples:

Ready enforcement profile

A domain publishes v=STSv1; id=20260518, serves a policy with mode: enforce, max_age: 2592000, and two MX patterns, and presents a certificate with 43 days remaining. MTA-STS Summary can reach 100%, Policy Parameters shows a 30-day cache window, and Certificate Insights shows a healthy Days remaining value.

Policy is present but too short-lived

A policy with max_age: 3600 can still be reachable and syntactically valid. Validation Checks fails the max_age >= 86400 seconds row, and Control Readiness marks the cache window as weak. Increase the cache lifetime and rerun the domain before treating the policy as ready.

TXT record exists but policy host fails

A correct TXT record can still produce MTA-STS host was not found in DNS or TLS certificate validation failed while fetching policy. That points to the policy host, not the TXT record. Repair host resolution or the certificate, then confirm that Policy Parameters and Certificate Insights populate cleanly.

FAQ:

Does a high score mean every sender will enforce MTA-STS?

No. The score reflects this lookup's TXT, policy, and certificate checks. Sender support, sender cache state, and live SMTP behavior are outside the score.

Why does the id token matter?

The TXT id token helps senders notice that the published policy changed. If the policy changes but the identifier does not, cached policy behavior can be harder to reason about.

Can testing mode pass?

Yes. mode: testing is a valid MTA-STS policy mode. It can pass syntax and readiness checks even though it does not represent enforcement.

Why did policy fetch fail when TXT discovery passed?

TXT discovery and HTTPS policy hosting are separate. Check the policy host's DNS record, HTTPS availability, certificate name, certificate chain, and policy response before changing the TXT record again.

Does this test SMTP delivery to my MX hosts?

No. It reviews MTA-STS publication and policy-host evidence. Test SMTP TLS behavior, MX certificates, and delivery paths separately when enforcement risk matters.

Glossary:

MTA-STS
A mail transport security policy that receiving domains publish for senders to discover and cache.
Policy domain
The recipient domain whose MTA-STS state is being checked.
Policy host
The HTTPS host that serves the MTA-STS policy for the policy domain.
MX directive
A policy line naming a permitted mail exchanger pattern for delivery under the policy.
max_age
The policy cache lifetime in seconds.
id token
The TXT identifier used to signal policy updates to systems with cached policy data.