MTA-STS Validator
Check an email domain's MTA-STS TXT record, HTTPS policy, MX coverage, cache window, and policy-host certificate before enforce mode.MTA-STS Summary
| Field | Value | Copy |
|---|---|---|
| {{ row.label }} | {{ row.value }} | |
|
No TXT record details available
Run a lookup that returns MTA-STS TXT evidence before exporting this table.
|
||
| Directive | Value | Copy |
|---|---|---|
| {{ row.label }} | {{ row.value }} | |
|
No policy parameters available
A reachable policy file is needed before exporting this table.
|
||
| Category | Check | Result | Detail | Copy |
|---|---|---|---|---|
| {{ c.category }} | {{ c.label }} | Pass Fail | {{ c.detail }} | |
|
No validation checks available
Run an MTA-STS lookup before exporting the validation checks.
|
||||
| Field | Value | Copy |
|---|---|---|
| {{ row.label }} | {{ row.value }} | |
|
No certificate insights available
Certificate data appears when the policy host responds over HTTPS.
|
||
| Control | Score | Status | Evidence | Copy |
|---|---|---|---|---|
| {{ row.control }} | {{ row.score }}% | {{ row.status }} | {{ row.evidence }} | |
|
No control readiness rows available
Run a lookup before exporting the readiness table.
|
||||
| Check | URL | Reason | Copy |
|---|---|---|---|
| {{ row.label }} | {{ row.href }} | {{ row.reason }} | |
|
No review handoffs available
Related review links appear after the domain is normalized.
|
|||
MTA-STS is a receiving-domain policy for safer SMTP delivery. Ordinary SMTP can negotiate TLS, but a sender that has no stored policy may still fall back to weaker delivery when DNS, routing, or TLS negotiation is interfered with. Mail Transfer Agent Strict Transport Security gives a domain a published rule that supporting senders can cache before accepting fallback risk.
The policy is split across DNS and HTTPS on purpose. DNS advertises that the domain has an MTA-STS policy and includes an update identifier. The HTTPS policy describes the allowed mail exchanger names, the policy mode, and the cache lifetime. A sender that supports MTA-STS checks both publication points, remembers the result for the declared time, and applies the cached rule on later delivery attempts.
- TXT record
- The discovery record under the mail domain. It must identify the MTA-STS version and include an
idtoken that changes when the policy changes. - Policy host
- The HTTPS host that serves the policy text and presents the certificate checked during policy retrieval.
- Policy mode
nonedisables policy use,testingpublishes a non-blocking policy, andenforceasks supporting senders to refuse delivery when the policy cannot be met.- MX pattern
- A permitted mail exchanger name or wildcard pattern. Active policies need at least one pattern so senders know which delivery hosts are acceptable.
Mode choice is the main rollout decision. testing is useful while a domain is proving that DNS discovery, policy hosting, MX coverage, and reporting are stable. enforce gives the control real effect, but it also raises the cost of mistakes. A bad certificate on the policy host, a stale TXT id, or a missing MX pattern can make mail delivery fail for senders that honor the policy.
| Rollout State | Typical Signal | Important Caution |
|---|---|---|
| Preparing | TXT discovery, HTTPS hosting, or certificate evidence is still incomplete. | Do not treat a visible TXT record as readiness by itself. |
| Testing | mode: testing with a real cache lifetime and MX list. |
The policy can be valid while still not asking senders to block failed delivery. |
| Enforcing | mode: enforce, matching MX patterns, and a healthy policy-host certificate. |
Confirm renewals, reporting, and live SMTP behavior before relying on enforcement. |
MTA-STS validation is publication evidence, not a complete mail-security audit. It can show that the public record, policy text, cache window, MX patterns, and policy-host certificate line up at lookup time. It cannot prove that every sender supports MTA-STS, that every cached sender has refreshed its policy, or that every MX server negotiates SMTP TLS correctly under real traffic.
How to Use This Tool:
Use the validator before first publication, before changing from testing to enforce mode, after MX changes, and after certificate or hosting changes on the MTA-STS policy host.
- Enter the recipient mail domain in Domain. A value such as
example.comworks best; URL-style input is reduced to the hostname when possible. - Press Validate MTA-STS. If Domain is required. appears, remove mailbox prefixes, spaces, or unsupported characters and run the lookup again.
- Start with MTA-STS Summary. The summary shows the score, status band, selected TXT record, policy mode, readable
max_age, TXT TTL, fetch time, and certificate status. - Open TXT Record Details to check the discovery host, TXT answers, selected
v=STSv1record,idtoken, lookup time, TTL, and record count. - Open Policy Parameters to review the fetched policy, HTTP status, content type, redirect hops, policy version, mode,
max_age, MX patterns, and raw policy text. - Use Validation Checks when the score is below 100%. Failed rows name the area to repair, such as a missing
id, wrong content type, weak cache window, absent MX pattern, or certificate issue. - Use Certificate Insights, Control Readiness, and MTA-STS Control Profile for handoff evidence, then rerun the same domain after each DNS, policy, MX, or certificate change.
Interpreting Results:
The percentage score is a validator score, not a value defined by the MTA-STS standard. A 100% result means all visible publication checks passed during this lookup: TXT discovery, HTTPS policy retrieval, directive syntax, cache-window bounds, active-mode MX coverage, and policy-host certificate freshness.
- Ready starts at 90%. Treat it as a strong publication check, not proof of universal sender support or live SMTP delivery.
- Review covers 70% to 89%. One or more discovery, policy, cache, MX, or certificate items needs attention before an enforcement decision.
- Fix covers scores below 70%. Repair failed rows and rerun before calling the domain MTA-STS ready.
- Policy mode matters as much as syntax.
testingmay pass many checks, but it does not request delivery blocking. - Redirect hops deserve manual review. The report can record a final successful fetch, but sender behavior should not depend on redirect handling.
- Certificate freshness is stricter than basic validity. A certificate can still be valid now while failing the seven-day freshness check.
When the TXT lookup fails, repair DNS discovery first. When policy retrieval fails with a host, timeout, content, size, redirect, or certificate message, fix the HTTPS policy host before relying on policy fields or the control profile.
Technical Details:
MTA-STS uses a two-part publication model. The TXT record announces the policy version and update identifier. The HTTPS policy file carries line-based directives that describe the active behavior. Senders that implement the standard can cache that policy for the declared lifetime and compare later MX delivery attempts with the cached MX patterns.
The policy mode changes how the same syntax affects delivery. none is a publication off switch. testing allows monitoring and rollout without mandatory blocking. enforce asks supporting senders to fail delivery when the published policy cannot be satisfied. That makes cache lifetime, certificate renewal, and MX pattern accuracy operationally important.
Rule Core
| Area | Checks | Passing Conditions | Common Failure Signal |
|---|---|---|---|
| TXT discovery | 4 | TXT discovery succeeds, exactly one usable STSv1 record is selected, the version token is v=STSv1, and an id token is present. |
Missing discovery, duplicate usable records, wrong version token, or no update identifier. |
| Policy fetch | 3 | The policy is fetched over HTTPS, the response returns HTTP 200, and the content type is text/plain. |
Unreachable host, timeout, non-200 response, wrong content type, too many redirects, oversized policy, or TLS validation failure. |
| Policy syntax | 5 | version is STSv1, mode is enforce, testing, or none, and max_age is present, positive, at least 86,400 seconds, and no more than 31,557,600 seconds. |
Missing directive, unsupported mode, absent cache lifetime, short readiness window, or overlong cache lifetime. |
| MX coverage | 1 | Testing and enforce policies list at least one mx directive. mode: none passes without MX directives. |
Active policy with no permitted MX pattern. |
| Policy certificate | 2 | The policy-host certificate validates now, and at least seven days remain before expiration. | Expired, untrusted, mismatched, missing, or nearly expiring certificate. |
Formula Core
The overall score is the rounded percentage of the 15 validation checks that pass. If p is the number of passing checks and n is 15, the score is:
For example, 13 passing checks produce round(100 * 13 / 15) = 87%, which lands in the Review band. Control readiness rows use smaller local check sets for TXT discovery, policy fetch, policy syntax, cache window, and policy certificate, so a control score can differ from the overall percentage.
| Score | Status | Meaning |
|---|---|---|
90 to 100 |
Ready | Publication evidence is mostly healthy; confirm live delivery behavior before relying on enforcement. |
70 to 89 |
Review | One or more important checks failed or needs manual review before a rollout decision. |
0 to 69 |
Fix | The domain should not be treated as MTA-STS ready until failed checks are corrected and retested. |
The policy retrieval evidence includes HTTP status, content type, redirect count, response size, fetch time, final policy location, and certificate metadata for the policy host. SMTP TLS negotiation, MX server certificate checks, DNSSEC validation, DANE, SPF, DKIM, DMARC, and TLS report history are separate controls and are not included in the MTA-STS score.
Privacy and Accuracy Notes:
This validator performs live network checks. The entered domain is used for public DNS TXT lookup and for a server-assisted HTTPS retrieval of the MTA-STS policy so certificate details can be inspected. The policy host can see that its policy was requested, and the generated report may display public TXT answers, policy text, certificate metadata, readiness rows, and handoff links.
- No mailbox content is needed; the input is a domain name.
- DNS answers, policy responses, and certificates can change after lookup because of TTLs, cache state, renewals, and provider changes.
- The score checks publication evidence, not historical sender behavior, actual message delivery, or TLS report data.
Worked Examples:
Enforce-ready publication
A domain publishes v=STSv1; id=20260531, serves a policy with version: STSv1, mode: enforce, max_age: 2592000, and two mx directives, and has a policy-host certificate with 40 days remaining. MTA-STS Summary can show 100%, Policy Parameters shows a 30-day cache window, and Certificate Insights shows a healthy Days remaining value.
Valid policy with a weak cache window
A policy using mode: testing and max_age: 3600 can still be reachable and parse correctly. Validation Checks fails the max_age >= 86400 seconds row, and Control Readiness lowers the cache-window score. Raise the cache lifetime, update the TXT id if the policy changed, and rerun the domain.
TXT discovery passes but policy retrieval fails
A domain may return a primary TXT record while the policy fetch reports MTA-STS host was not found in DNS. or TLS certificate validation failed while fetching policy. That points to the HTTPS policy host, not the TXT record itself. Repair host DNS or the certificate, then confirm Policy Parameters and Certificate Insights populate cleanly.
Redirect evidence needs review
If Policy Parameters shows a nonzero Redirect hops value while the final HTTP status is 200, the validator still has enough evidence to parse the final policy. Treat the redirect as a standards review item before enforcement because sender behavior should not depend on redirect following.
FAQ:
Does a Ready score prove my mail delivery is protected?
No. Ready means the publication checks passed or nearly passed during this lookup. Sender support, sender cache freshness, live SMTP TLS negotiation, MX server certificates, and TLS reporting data need separate review.
Why is the TXT id token important?
The id token tells senders with cached policy data that the policy may have changed. Update it when the served policy changes so sender cache behavior is easier to reason about.
Can testing mode pass validation?
Yes. mode: testing is a valid MTA-STS mode and can pass syntax and publication checks. It does not ask supporting senders to reject mail when the policy cannot be met.
Why did policy retrieval fail after TXT discovery passed?
TXT discovery and HTTPS policy hosting are different parts of MTA-STS. Check policy-host DNS, HTTPS availability, certificate name, certificate chain, response size, redirect behavior, and text/plain content type.
Does the certificate check inspect my MX servers?
No. Certificate Insights describes the certificate used by the MTA-STS policy host. Test MX server certificates and SMTP TLS delivery paths separately before enforcement.
Glossary:
- MTA-STS
- Mail Transfer Agent Strict Transport Security, a policy mechanism for SMTP transport security.
- Policy domain
- The recipient mail domain whose MTA-STS TXT record and HTTPS policy are being checked.
- Policy host
- The HTTPS host under
mta-sts.<domain>that serves the MTA-STS policy file. - MX directive
- A policy line that names a permitted mail exchanger pattern for active MTA-STS modes.
- max_age
- The policy cache lifetime in seconds.
- id token
- The TXT record identifier that signals a policy update to senders with cached policy data.
References:
- RFC 8461: SMTP MTA Strict Transport Security (MTA-STS), IETF.
- SMTP MTA Strict Transport Security (MTA-STS) Registries, IANA.
- RFC 8460: SMTP TLS Reporting, IETF.
- Set up MTA-STS and TLS reporting, Google Workspace Admin Help.
- Enhancing mail flow security for Exchange Online with MTA-STS, Microsoft Learn.