Generate a DNS record and policy file to enforce TLS encryption for incoming email to your domain.
max_age (seconds). Common values: 86400 (1 day), 604800 (1 week), 2592000 (30 days), 31557600 (1 year)
mx hosts. These should match the MX records for your domain; wildcards such as *.example.com are allowed.
Add this as a TXT record in your DNS at _mta-sts.yourdomain.com:
v=STSv1; id=20260407;

Host this file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:
version: STSv1
mode: testing
mx: mail.yourdomain.com
max_age: 604800

Serve mta-sts.yourdomain.com over HTTPS with a valid SSL certificate. Create a .well-known directory in that site's document root and put mta-sts.txt inside that directory (plain text, UTF-8, no BOM), so the policy is reachable at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.

MTA-STS (Mail Transfer Agent Strict Transport Security) is a relatively new standard that forces email servers to use encrypted TLS connections when delivering mail to your domain. Without it, SMTP connections can fall back to plain text, even if your mail server supports TLS, because an attacker on the path can intercept the initial handshake and strip the STARTTLS offer that signals encryption support. This is called a downgrade attack, and it is more common than most people realize.
The way MTA-STS works is straightforward. You publish a DNS record announcing that your domain has an MTA-STS policy, and you host a policy file at a specific HTTPS URL. When a sending server wants to deliver mail to your domain, it checks for the DNS record, fetches the policy file over HTTPS, and then only delivers the message if it can establish a valid TLS connection to one of the MX hosts listed in your policy. That refusal to deliver applies only when the policy's mode is enforce; in testing mode (the mode in the generated file above) a failure is reported but the mail is still delivered, which is why testing is the usual first step before switching to enforce.
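As an added illustration of the record and policy formats described above (this is example code written for this page, not code from MailNeo), the Python below parses the _mta-sts TXT record and the policy file, applies the single-label mx wildcard rule, and shows the testing-versus-enforce delivery decision. The sample record and policy text are constructed.

```python
# Constructed sample inputs: the TXT record at _mta-sts.<domain> and the policy text.
SAMPLE_TXT = "v=STSv1; id=20260407;"
SAMPLE_POLICY = ("version: STSv1\nmode: testing\nmx: mail.yourdomain.com\n"
                 "mx: *.backup.yourdomain.com\nmax_age: 604800\n")

def parse_sts_txt(txt: str) -> dict:
    """Split the _mta-sts TXT record into fields and require v=STSv1 plus an id."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if kv.strip())
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 record")
    return fields

def parse_policy(text: str) -> dict:
    """Parse the policy file: 'mx' may repeat, the other keys appear once."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy.get("max_age", ""))  # cache lifetime in seconds
    if not 0 <= policy["max_age"] <= 31557600:  # RFC 8461 upper bound (1 year)
        raise ValueError("max_age out of range")
    return policy

def mx_matches(host: str, patterns) -> bool:
    """True if host matches an mx entry; '*.x.com' covers exactly one extra leftmost label."""
    labels = host.lower().rstrip(".").split(".")
    for pat in patterns:
        if pat.startswith("*."):
            if len(labels) >= 2 and ".".join(labels[1:]) == pat[2:]:
                return True
        elif ".".join(labels) == pat:
            return True
    return False

def delivery_allowed(policy: dict, mx_host: str, tls_ok: bool) -> bool:
    """Sender-side decision: only mode 'enforce' refuses to deliver on a TLS or MX failure."""
    compliant = tls_ok and mx_matches(mx_host, policy["mx"])
    if policy["mode"] == "enforce":
        return compliant
    return True  # 'testing' (and 'none') deliver anyway; testing only reports via TLS-RPT
```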
MTA-STS pairs well with TLS-RPT (TLS Reporting), which lets you receive reports when sending servers encounter TLS failures. Together, they give you both enforcement and visibility. If you're serious about protecting email in transit — not just at rest — MTA-STS is an important piece of the puzzle that complements your existing SPF, DKIM, and DMARC setup.
MailNeo monitors your MTA-STS policy, TLS certificates, and DNS records — and alerts you before anything expires or breaks.