Help & Troubleshooting
MTA-STS
What this is
MTA-STS lets a domain require that inbound mail be delivered only over authenticated TLS to its listed MX hosts. It combines a DNS record (_mta-sts) with a policy file served at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
How to read your result
A healthy setup shows both the DNS record and a fetchable policy file, with mode: enforce for real protection (testing only reports). Check the policy's mx: entries actually match your MX hostnames.
Common problems and how to fix them
DNS record exists but the policy file is unreachable
How it shows up: Senders cannot fetch the policy, so MTA-STS silently provides nothing; the check reports the fetch failure.
How to fix it: Serve the file at exactly https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with a valid certificate for the mta-sts subdomain. A tiny static site or a CDN worker is enough — but it must stay up.
Policy mx entries do not match the real MX records
How it shows up: In enforce mode, legitimate mail from strict senders starts getting refused after an MX change.
How to fix it: Update the policy file whenever MX records change (and bump the id= in the DNS record so caches refresh). Automate this pairing if MX changes are at all frequent.
Stuck in testing mode forever
How it shows up: TLSRPT reports arrive but downgrade attacks would still succeed — testing mode never blocks anything.
How to fix it: After a clean period in testing (watch your TLSRPT reports), switch mode: to enforce and bump the id=.