ServerRecords

Help & Troubleshooting

MTA-STS

What this is

MTA-STS lets a domain require that inbound mail be delivered only over authenticated TLS to its listed MX hosts. It combines a DNS record (_mta-sts) with a policy file served at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.

How to read your result

A healthy setup shows both the DNS record and a fetchable policy file, with mode: enforce for real protection (testing only reports). Check the policy's mx: entries actually match your MX hostnames.

Common problems and how to fix them

DNS record exists but the policy file is unreachable

How it shows up: Senders cannot fetch the policy, so MTA-STS silently provides nothing; the check reports the fetch failure.

How to fix it: Serve the file at exactly https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with a valid certificate for the mta-sts subdomain. A tiny static site or a CDN worker is enough — but it must stay up.

Policy mx entries do not match the real MX records

How it shows up: In enforce mode, legitimate mail from strict senders starts getting refused after an MX change.

How to fix it: Update the policy file whenever MX records change (and bump the id= in the DNS record so caches refresh). Automate this pairing if MX changes are at all frequent.

Stuck in testing mode forever

How it shows up: TLSRPT reports arrive but downgrade attacks would still succeed — testing mode never blocks anything.

How to fix it: After a clean period in testing (watch your TLSRPT reports), switch mode: to enforce and bump the id=.

Run a look up for this record