All fix guides
How to set up MTA-STS
Force other mail servers to use encrypted, authenticated TLS when delivering to you.
What it is
MTA-STS publishes a policy (via DNS + an HTTPS-hosted file) that tells sending servers to require valid TLS for your inbound mail.
Why it matters
Without MTA-STS, an attacker on the network can downgrade inbound mail to an unencrypted connection and read it.
How to fix it
- 1Publish a TXT record at `_mta-sts.yourdomain.com`: `v=STSv1; id=<a-version-id>`.
- 2Host the policy at `https://mta-sts.yourdomain.com/.well-known/mta-sts.txt` with `version`, `mode: enforce`, your `mx` hosts, and `max_age`.
- 3Start with `mode: testing` to catch problems before enforcing.
- 4Add TLS-RPT to get reports of any delivery TLS failures (see that guide).
- 5Re-scan to confirm MTA-STS is published.
Not sure if your site is affected?
Run a free scan — or let us fix it all for you.