MTA-STS policy builder
Pick your MX hosts and a mode. We'll give you the policy file (host it at https://mta-sts.<domain>/.well-known/mta-sts.txt) and the matching DNS TXT record.
Policy inputs
Exact hosts (mail.example.com) and wildcards (*.example.com) are both valid. Use the hosts your receiving mail provider tells you to put in MX.
Output
Valid · Mode=testing: receivers will report failures via TLS-RPT but won't actually reject. Move to enforce once you're confident.
version: STSv1
mode: testing
mx: aspmx.l.google.com
mx: alt1.aspmx.l.google.com
max_age: 604800
v=STSv1; id=202606010357
How MTA-STS works. MTA-STS is the “HSTS for email.” You publish a policy over HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt, plus a DNS TXT record at _mta-sts.<domain>. Sending MTAs fetch the policy and, once the mode is enforce, refuse to deliver mail unless TLS is used and the receiver's certificate matches one of the listed MX names. Pair it with TLS-RPT so you find out when something breaks.