All fix guides

How to set up MTA-STS

Force other mail servers to use encrypted, authenticated TLS when delivering to you.

What it is

MTA-STS publishes a policy (via DNS + an HTTPS-hosted file) that tells sending servers to require valid TLS for your inbound mail.

Why it matters

Without MTA-STS, an attacker on the network can downgrade inbound mail to an unencrypted connection and read it.

How to fix it

  1. 1Publish a TXT record at `_mta-sts.yourdomain.com`: `v=STSv1; id=<a-version-id>`.
  2. 2Host the policy at `https://mta-sts.yourdomain.com/.well-known/mta-sts.txt` with `version`, `mode: enforce`, your `mx` hosts, and `max_age`.
  3. 3Start with `mode: testing` to catch problems before enforcing.
  4. 4Add TLS-RPT to get reports of any delivery TLS failures (see that guide).
  5. 5Re-scan to confirm MTA-STS is published.

Not sure if your site is affected?

Run a free scan — or let us fix it all for you.

Privacy and cookie preferences

We use strictly necessary cookies to run the site. Analytics, marketing, and AI assistant telemetry are optional and disabled until you choose. You can update consent any time in Cookie Settings.

Some infrastructure cookies, such as load balancer routing cookies, are essential for service delivery. Details: Cookie Policy