Without MTA-STS, an attacker can downgrade email to unencrypted transfer. Automated MTA-STS/TLS-RPT verification is on our roadmap; today our email scan checks SPF, DKIM, DMARC, DNSSEC and CAA.
Run a free domain scan All checks →On our roadmap: verifying your _mta-sts record, policy file, enforce mode, MX match and TLS-RPT. Today our email scan delivers SPF, DKIM, DMARC, DNSSEC and CAA checks — the foundation of email security; MTA-STS is the next step.
SMTP between mail servers is opportunistically encrypted — an active attacker can strip STARTTLS and read your email in cleartext. MTA-STS makes encryption mandatory for sending servers that support it.
_mta-sts TXT record and policy file over HTTPSenforce vs testing vs none) + MX matchtesting mode permanently — no actual enforcementDo you check MTA-STS today?
Not automatically yet — it's on our roadmap. Today our email scan covers SPF, DKIM, DMARC, DNSSEC and CAA.
Does MTA-STS differ from DMARC?
Yes — DMARC protects against spoofing (sender identity); MTA-STS protects transport (encryption). They complement each other.
Passive check?
Yes — our email checks only read public DNS records.
Run a free scan or order a full Security Assessment — prioritised, not noise.
Run a free domain scan