How do I implement MTA-STS?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
So before you start: make sure your mail servers support TLS 1.2 or higher and have valid certificates. If they don't, MTA-STS won't work. That's the foundation.
Step 1: Create your MTA-STS policy file.
Publish a plain text file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. Here's what it looks like:
version: STSv1
mode: testing
mx: mail.yourdomain.com
max_age: 86400
Start in testing mode. That way, if something breaks, mail still gets delivered (receivers just report problems). Once you're confident everything works, change it to enforce.
The mx line lists your actual mail server hostname. The max_age tells receivers how long to cache your policy (86400 seconds is one day).
Step 2: Add the DNS TXT record.
Create a DNS TXT record at _mta-sts.yourdomain.com with this content:
v=STSv1; id=YYYYMMDDHHMMSS
Replace YYYYMMDDHHMMSS with today's date and time (e.g., 20260417120000). This ID acts like a version number. Whenever you update your policy file, bump the ID. Receivers use it to know when to refresh your policy.
Step 3: Test and monitor.
Give your DNS record a few hours to propagate. Then check if your policy is live using our MTA-STS Checker. It'll tell you if the policy file is accessible and if the DNS record is correct.
Step 4: Switch to enforce.
After a few days in testing mode, watch your TLS reports to see if any senders are having trouble. If everything looks good, change your policy file to mode: enforce and update the DNS ID.
That's it. Your domain's now enforcing TLS encryption on incoming mail.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.