
MTA-STS Generator - Create MTA-STS Policy & DNS Records

MTA-STS Generator

Enter the hostnames of your mail servers; wildcards (*) are supported. Set max_age to control how long sending MTAs cache the policy (86400 = 1 day, 604800 = 1 week).
What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a security standard that enables mail servers to declare their ability to receive TLS-encrypted email and to specify whether sending MTAs should refuse to deliver to MX hosts that do not offer TLS with a trusted certificate.

How This Tool Works
  1. Enter your domain name
  2. Select policy mode (enforce, testing, or none)
  3. List your mail server hostnames (MX patterns)
  4. Set the cache duration (max_age)
  5. Generate both the policy file and DNS record
  6. Deploy the policy file to your web server
  7. Add the DNS TXT record
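The steps above, carried out in code as an added example (this is not the generator tool's own implementation): it validates the inputs against the limits in RFC 8461, builds the text of the policy file, and produces the owner name and value of the TXT record. Helper names such as build_policy and build_dns_record are our own.

```python
"""Generate an MTA-STS policy file and its DNS TXT record.

Added example, not the generator tool's code. Field names and limits
follow RFC 8461; the helper names are ours.
"""
import re
from datetime import datetime, timezone

VALID_MODES = ("enforce", "testing", "none")
MAX_AGE_LIMIT = 31_557_600   # RFC 8461: max_age is capped at about one year (seconds)

# A hostname label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# An MX pattern is a hostname whose leftmost label may be "*" (only the leftmost).
MX_PATTERN_RE = re.compile(rf"^(?:\*|{_LABEL})(?:\.{_LABEL})+$")


def validate_inputs(mode, max_age, mx_patterns):
    """Raise ValueError for anything that would produce an unusable policy."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    if not isinstance(max_age, int) or not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be an integer in 0..{MAX_AGE_LIMIT}")
    if mode != "none" and not mx_patterns:
        # An enforce/testing policy with no mx lines would match no MX host at all.
        raise ValueError("enforce/testing policies need at least one mx line")
    for pat in mx_patterns:
        if not MX_PATTERN_RE.match(pat):
            raise ValueError(f"invalid mx pattern: {pat!r}")


def is_valid(mode, max_age, mx_patterns):
    """Boolean wrapper around validate_inputs for quick checks."""
    try:
        validate_inputs(mode, max_age, mx_patterns)
        return True
    except ValueError:
        return False


def build_policy(mode, max_age, mx_patterns):
    """Return the text of .well-known/mta-sts.txt (LF line endings; RFC 8461 allows LF or CRLF)."""
    validate_inputs(mode, max_age, mx_patterns)
    lines = ["version: STSv1", f"mode: {mode}", f"max_age: {max_age}"]
    lines += [f"mx: {pat}" for pat in mx_patterns]
    return "\n".join(lines) + "\n"


def build_dns_record(domain, policy_id=None):
    """Return (owner name, TXT value). The id must change whenever the policy file changes."""
    if policy_id is None:
        # Timestamp ids are easy to audit; RFC 8461 allows 1-32 alphanumerics.
        policy_id = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return f"_mta-sts.{domain}", f"v=STSv1; id={policy_id}"


if __name__ == "__main__":
    print(build_policy("testing", 86400, ["mail1.example.com", "*.example.com"]), end="")
    print(*build_dns_record("example.com"), sep="  IN TXT  ")
```

Start with mode testing and a modest max_age while you confirm every MX host presents a valid certificate; once TLS-RPT reports are clean, regenerate with mode enforce, bump the id, and republish both the file and the TXT record.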
Policy Modes Explained
  • enforce: Sending MTAs must not deliver to MX hosts that fail TLS validation or do not match the policy's MX patterns
  • testing: Same checks as enforce, but failures are only reported (via TLS-RPT) and mail is still delivered
  • none: No policy enforcement (used to remove/disable MTA-STS)
MX Pattern Examples
  mail.example.com     # Exact match
  *.example.com        # Wildcard: matches exactly one label (mx.example.com), not example.com or a.b.example.com
  mail1.example.com    # Multiple specific hosts, one mx line each
  mail2.example.com
Example: Complete MTA-STS Setup
  1. Policy file at https://mta-sts.example.com/.well-known/mta-sts.txt:
       version: STSv1
       mode: enforce
       max_age: 604800
       mx: mail1.example.com
       mx: mail2.example.com
  2. DNS TXT record at _mta-sts.example.com:
       v=STSv1; id=20240208120000
  3. Serve the policy file with these headers:
       Content-Type: text/plain
       Cache-Control: max-age=604800
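The checks a deployer wants before switching to enforce, as an added example that is not part of this page or the generator tool: parse the policy file from the setup above, parse the TXT record, and report which of your real MX hosts the policy would not cover (the "MX mismatch" failure). Wildcard matching follows RFC 8461 section 4.1 (a leading * stands for exactly one label, comparison is case-insensitive). The sample policy and record below are constructed from the example on this page; the helper names are ours.

```python
"""Parse an MTA-STS policy and TXT record and check MX coverage.

Added example, not the generator tool's code. Sample inputs are
constructed from the setup example on this page.
"""
import re

# Constructed sample: the policy file from the setup example.
SAMPLE_POLICY = """version: STSv1
mode: enforce
max_age: 604800
mx: mail1.example.com
mx: mail2.example.com
"""

# Constructed sample: the TXT record from the setup example.
SAMPLE_TXT = "v=STSv1; id=20240208120000"


def parse_policy(text):
    """Return {'version', 'mode', 'max_age' (int), 'mx' (list)} or raise ValueError."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)          # mx may repeat, one host pattern per line
        elif key in policy:
            raise ValueError(f"duplicate key: {key}")
        else:
            policy[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in policy:
            raise ValueError(f"missing required field: {required}")
    if policy["version"] != "STSv1":
        raise ValueError("unsupported version")
    if policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError(f"bad mode: {policy['mode']}")
    if not policy["max_age"].isdigit():
        raise ValueError("max_age must be a non-negative integer")
    policy["max_age"] = int(policy["max_age"])
    return policy


def parse_txt_record(txt):
    """Parse 'v=STSv1; id=...' into a dict; raise ValueError if it is not an MTA-STS record."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        k, sep, v = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[k.strip()] = v.strip()
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields


def mx_matches(pattern, host):
    """RFC 8461 MX matching: a leading '*' matches exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # e.g. ".example.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return pattern == host


def uncovered_hosts(policy, mx_hosts):
    """Return the MX hosts that no pattern in the policy covers (delivery would fail under enforce)."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("record:", parse_txt_record(SAMPLE_TXT))
    # Constructed MX list: mail3 is not in the policy and would be rejected under enforce.
    print("uncovered:", uncovered_hosts(policy, ["mail1.example.com", "mail3.example.com"]))
```

Feed uncovered_hosts the hostnames from your domain's actual MX records; anything it returns must be added to the policy (or removed from DNS) before the mode is set to enforce.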
Policy File Hosting Requirements
  • Must be served over HTTPS with valid certificate
  • URL: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  • Content-Type: text/plain
  • Must be publicly accessible (no authentication)
  • Should be cached appropriately based on max_age
DNS Record Requirements
  • TXT record at _mta-sts.yourdomain.com
  • Must include version (v=STSv1) and ID
  • Change ID whenever policy file is updated
  • ID format can be timestamp or hash
Best Practices
  • Start with "testing" mode to monitor before enforcing
  • Use wildcards (*.example.com) for flexibility
  • Set max_age to at least 1 day (86400 seconds)
  • Update the DNS ID whenever you change the policy file
  • Ensure all MX hosts support TLS with valid certificates
  • Monitor SMTP TLS reporting (TLS-RPT) for issues
  • Keep policy file accessible and monitor uptime
Common Issues
  • Policy file not accessible: Check HTTPS and web server configuration
  • Certificate errors: Ensure the mta-sts subdomain serves a valid, trusted TLS certificate
  • MX mismatch: Verify MX patterns match actual mail servers
  • Caching issues: Update DNS ID when changing policy