Medium Severity | Security Headers

Fix: MTA-STS Not Configured

Your domain doesn't publish an MTA-STS policy. MTA-STS (SMTP MTA Strict Transport Security, RFC 8461) lets your domain tell sending mail servers that mail for your MX hosts must be delivered over TLS, using a certificate that validates for the MX hostname. That closes the downgrade attack in which an on-path attacker strips STARTTLS from the SMTP session, and because the policy names your MX hosts, it also stops an attacker who can tamper with your unsigned DNS from redirecting mail to an MX you never listed.

Quick Fix

Publish a TXT record at _mta-sts.yourdomain.com and serve a policy file over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. Start in testing mode and add a TLS-RPT record so you see failures before you switch to enforce.

What This Error Means

SMTP STARTTLS is opportunistic: a sending server upgrades to TLS only if the receiving server advertises STARTTLS, and if the upgrade fails or the certificate does not verify, the message is still delivered in cleartext. An attacker on the network path can therefore remove the STARTTLS line from the EHLO response, or present a bogus certificate, and most senders will carry on without encryption. MTA-STS lets your domain publish a policy saying "all mail to my MX hosts must use TLS with a valid certificate", which senders that implement MTA-STS (Google and Microsoft among them) will enforce.

Why It Matters

Without MTA-STS, mail sent to your domain can be downgraded to plaintext by an attacker on the network path, so mailing-list traffic, password resets, financial documents and confidential correspondence can be read or altered in transit. MTA-STS is increasingly asked for in enterprise security questionnaires and is called for by some compliance and email-security baselines. Google and Microsoft both honor MTA-STS policies when sending mail to your domain, so publishing one protects a large share of your inbound traffic as soon as it is live.

Step-by-Step Fix

1. Publish the MTA-STS DNS record

Add a TXT record at _mta-sts.yourdomain.com that announces that a policy exists. The id must change every time you change the policy file: senders cache the policy for max_age seconds and only re-fetch it early when they see a new id in this record.

Example
_mta-sts.yourdomain.com  IN  TXT  "v=STSv1; id=20260415000000Z"
2. Create a CNAME or A record for the policy host

You need to serve the policy over HTTPS at mta-sts.yourdomain.com, a hostname that exists only for this purpose. Most setups point it at a CDN or a static host with a CNAME. Whatever serves it must present a certificate that is valid for mta-sts.yourdomain.com, so a CNAME to a web server whose certificate covers only yourdomain.com will not work until that name is added.

Example
# The CNAME target must serve HTTPS with a certificate valid for mta-sts.yourdomain.com
mta-sts.yourdomain.com  IN  CNAME  yourdomain.com.
# or point the name directly at the host that serves the policy:
mta-sts.yourdomain.com  IN  A  192.0.2.10
3. Serve the policy file over HTTPS

The policy file must be served at /.well-known/mta-sts.txt on the policy host with a publicly trusted TLS certificate, as text/plain, and directly: senders do not follow HTTP redirects, so the URL itself has to return the body. The content lists the MX hosts that mail may be delivered to (a leading "*." matches exactly one label) and the enforcement mode.

Example
# Path: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
version: STSv1
mode: testing
mx: mail.yourdomain.com
mx: *.yourprovider.com
max_age: 86400
4. Start in testing mode, then enforce

Start with mode: testing. Senders that implement MTA-STS then still deliver mail when the TLS handshake, the certificate or the MX check fails, but they record the failure and report it to you via TLS-RPT. Once you have seen one to two weeks of clean reports, switch to mode: enforce, raise max_age (a week or more is typical; the maximum is 31557600 seconds), and change the id in the _mta-sts TXT record so senders fetch the new policy.

Before
mode: testing
After
mode: enforce
5. Add a TLS-RPT record for failure reporting

TLS-RPT (RFC 8460) publishes an address to which senders deliver daily aggregate reports of TLS failures when connecting to your MX hosts, including MTA-STS policy fetch failures and MX mismatches. Without it you have no visibility into what testing mode is catching, so publish it together with the MTA-STS record.

Example
_smtp._tls.yourdomain.com  IN  TXT  "v=TLSRPTv1; rua=mailto:[email protected]"

Common Gotchas

  • The id in the _mta-sts TXT record must change whenever you update the policy file; senders cache the policy for max_age seconds and only re-fetch early when the id changes. A timestamp or a hash of the file works well.
  • The policy URL must be HTTPS with a certificate that is publicly trusted and valid for mta-sts.yourdomain.com, served as text/plain, and it must not redirect: senders do not follow 3xx responses, and a self-signed, expired or wrong-name certificate makes them reject the policy.
  • Your MX hosts need publicly trusted certificates that are valid for the MX hostname itself, and must advertise STARTTLS. A self-signed or wrong-name certificate on an MX passes opportunistic STARTTLS today but fails MTA-STS in enforce mode.
  • List ALL MX hostnames you actually use, including secondary and fallback MXes. In enforce mode senders will not deliver to an MX that is missing from the policy; if none of your MXes matches, mail is deferred and eventually bounces.
  • Stay in testing mode for at least 1-2 weeks to catch sender misconfigurations and your own MX issues before enforcing.
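A way to check a policy before you enforce it, as an added example (this is not the scanner's code and not a reference implementation): a small Python checker that parses the _mta-sts TXT record and the mta-sts.txt body as RFC 8461 defines them, applies the one-label wildcard rule for mx: patterns, lists MX hosts the policy does not cover (the missing-MX gotcha above), and shows what an MTA-STS-aware sender does with each MX in testing versus enforce mode (the procedure in the steps above). The domain example.com, the provider mailprovider.example, the MX hostnames and the record contents are all constructed sample data.

```python
"""Offline MTA-STS policy checker (added example, not the scanner's code).
Parses the _mta-sts TXT record and the mta-sts.txt body per RFC 8461, lists
MX hosts the policy fails to cover, and shows what an MTA-STS-aware sender
does with one MX under each mode. All records below are constructed sample
data for the hypothetical domain example.com."""
import re
from dataclasses import dataclass, field

STS_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")  # RFC 8461 s3.1: 1-32 alphanumerics
MAX_AGE_LIMIT = 31557600  # RFC 8461 s3.2: largest permitted max_age (one year)


def parse_sts_txt(txt: str) -> dict:
    """Parse 'v=STSv1; id=...' into a dict, rejecting a missing version or bad id."""
    fields = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("missing or unsupported version (expected v=STSv1)")
    if not STS_ID_RE.match(fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


@dataclass
class Policy:
    version: str
    mode: str
    max_age: int
    mx: list = field(default_factory=list)


def parse_policy(body: str) -> Policy:
    """Parse the mta-sts.txt body: 'key: value' lines, LF or CRLF, mx may repeat."""
    mx, kv = [], {}
    for line in filter(None, (ln.strip() for ln in body.splitlines())):
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key in kv:
            raise ValueError(f"duplicate key: {key}")
        else:
            kv[key] = value
    missing = [k for k in ("version", "mode", "max_age") if k not in kv]
    if missing:
        raise ValueError(f"missing required key(s): {', '.join(missing)}")
    if kv["version"] != "STSv1":
        raise ValueError("version must be STSv1")
    if kv["mode"] not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {kv['mode']}")
    if not kv["max_age"].isdigit() or int(kv["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be an integer from 0 to {MAX_AGE_LIMIT}")
    if kv["mode"] != "none" and not mx:
        raise ValueError("at least one mx line is required unless mode is none")
    return Policy(kv["version"], kv["mode"], int(kv["max_age"]), mx)


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 s4.1: a leading '*.' matches exactly one leftmost label, so
    '*.p.example' covers 'mx1.p.example' but not 'p.example' or 'a.b.p.example'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # '.p.example'
    return len(host) > len(suffix) and host.endswith(suffix) and "." not in host[: -len(suffix)]


def uncovered_mx(policy: Policy, mx_hosts: list) -> list:
    """MX hosts from DNS that match no mx: line; in enforce mode senders skip them."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy.mx)]


def sender_decision(policy: Policy, mx_host: str, starttls_offered: bool, cert_valid: bool) -> str:
    """One MX candidate as an MTA-STS-aware sender sees it (RFC 8461 s5):
    'deliver' when MX, STARTTLS and certificate all check out (or mode is none),
    'deliver+report' in testing mode (send anyway, record the failure for TLS-RPT),
    'skip' in enforce mode (do not use this MX; try the next, otherwise defer)."""
    mx_ok = any(mx_matches(p, mx_host) for p in policy.mx)
    if policy.mode == "none" or (mx_ok and starttls_offered and cert_valid):
        return "deliver"
    return "deliver+report" if policy.mode == "testing" else "skip"


# Constructed sample data: the TXT record, the policy body, and the MX set that
# 'dig MX example.com' would return, including a backup MX the policy forgot.
SAMPLE_TXT = "v=STSv1; id=20260415000000Z"
SAMPLE_POLICY = "version: STSv1\r\nmode: testing\r\nmx: mail.example.com\r\nmx: *.mailprovider.example\r\nmax_age: 86400\r\n"
SAMPLE_MX_HOSTS = ["mail.example.com", "mx1.mailprovider.example", "backup-mx.example.net"]

if __name__ == "__main__":
    txt, policy = parse_sts_txt(SAMPLE_TXT), parse_policy(SAMPLE_POLICY)
    print(f"id={txt['id']} mode={policy.mode} max_age={policy.max_age} mx={policy.mx}")
    for host in uncovered_mx(policy, SAMPLE_MX_HOSTS):
        print(f"WARNING: {host} matches no mx: line; enforce mode would skip it")
    for host in SAMPLE_MX_HOSTS:
        print(f"{host}: {sender_decision(policy, host, starttls_offered=True, cert_valid=True)}")
```

Run as-is, it flags the forgotten backup MX and shows that the same host is still delivered to (with a report) in testing mode but skipped once the policy says enforce. To check a real deployment, replace SAMPLE_POLICY with the body fetched from your policy URL and SAMPLE_MX_HOSTS with the hostnames from your own MX lookup.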

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. You can also check by hand: look up the _mta-sts TXT record, fetch the policy URL over HTTPS and confirm it returns text/plain without a redirect, and make sure every hostname in your MX records matches an mx: line. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

What's the difference between MTA-STS and DANE?

Both protect inbound SMTP TLS, but they anchor trust differently. MTA-STS publishes its policy over HTTPS and relies on the web PKI, so it needs no DNSSEC. DANE for SMTP (RFC 7672) publishes a TLSA record for each MX host and relies on DNSSEC to authenticate it, which is cryptographically more rigorous and resists DNS spoofing by design, but requires a DNSSEC-signed zone and careful key rollover. The two can be deployed side by side; most operators start with MTA-STS because it is easier to roll out.

Do I need DNSSEC for MTA-STS?

No. MTA-STS deliberately avoids a DNSSEC dependency to lower deployment friction. The DNS TXT record only signals that a policy exists and when it last changed; the policy itself is authenticated by the HTTPS certificate of the policy host.

Will MTA-STS prevent all SMTP MITM attacks?

No. MTA-STS only protects mail sent to your domain by senders that implement it (Google and Microsoft do). Mail from senders that do not implement MTA-STS can still be downgraded, and MTA-STS says nothing about mail your own servers send out: protecting that requires the destination domains to publish policies and your MTA to honor them.
