Security check

MTA-STS: enforce encrypted email delivery (roadmap)

Without MTA-STS, an attacker can downgrade email to unencrypted transfer. Automated MTA-STS/TLS-RPT verification is on our roadmap; today our email scan checks SPF, DKIM, DMARC, DNSSEC and CAA.

Run a free domain scan All checks →
Relates to: NIS2 · art. 21 — secure communications ISO 27001 · A.8.24 MTA-STS · RFC 8461

What we check

On our roadmap: verifying your _mta-sts record, policy file, enforce mode, MX match and TLS-RPT. Today our email scan delivers SPF, DKIM, DMARC, DNSSEC and CAA checks — the foundation of email security; MTA-STS is the next step.

Why it matters

SMTP between mail servers is opportunistically encrypted — an active attacker can strip STARTTLS and read your email in cleartext. MTA-STS makes encryption mandatory for sending servers that support it.

How Security Guru tests it

Common mistakes

  • Policy in testing mode permanently — no actual enforcement
  • MX in the policy doesn't match your real MX records
  • Policy file unreachable over HTTPS
  • No TLS-RPT → you never see delivery problems

What you get in the report

  • Email security today: SPF, DKIM, DMARC, DNSSEC, CAA
  • (Roadmap) MTA-STS status, mode and MX match
  • (Roadmap) TLS-RPT status for reporting
  • Link to overall email and transport security

FAQ

Do you check MTA-STS today?

Not automatically yet — it's on our roadmap. Today our email scan covers SPF, DKIM, DMARC, DNSSEC and CAA.

Does MTA-STS differ from DMARC?

Yes — DMARC protects against spoofing (sender identity); MTA-STS protects transport (encryption). They complement each other.

Passive check?

Yes — our email checks only read public DNS records.

Want to know your status?

Run a free scan or order a full Security Assessment — prioritised, not noise.

Run a free domain scan