Free Tool

MTA-STS & TLS-RPT Generator

Build your MTA-STS policy and DNS records to force TLS encryption on all inbound email. Includes the TLS-RPT record for monitoring delivery failures.

What is MTA-STS? SMTP MTA Strict Transport Security (RFC 8461) tells sending servers that support it to require TLS when delivering mail to your domain, preventing STARTTLS downgrade attacks. It requires two things: a DNS TXT record and a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.

Policy mode

MX hostnames

Your inbound mail server hostnames

Add the exact hostnames from your MX records. Wildcards like *.example.com are allowed to match all subdomains.

Policy cache duration (max_age)

Senders cache your policy for this duration. Use a shorter value (1 day) during testing so policy changes propagate quickly. Switch to 1 month or 1 year once in enforce mode.

TLS-RPT reporting (optional but recommended)

TLS Reporting (RFC 8460) sends you daily reports on TLS negotiation failures. Highly recommended alongside MTA-STS so you can detect delivery issues.

Generated records & policy

1. DNS TXT record

_mta-sts.yourdomain.com TXT

v=STSv1; id=20260615035835

The policy ID (20260615035835) must change every time you update your policy file, so senders know to fetch the new version.

2. Policy file content

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
version: STSv1
mode: testing
max_age: 604800

Hosting requirements for the policy file:

  • Must be served over HTTPS on mta-sts.yourdomain.com (a subdomain, not the root domain).
  • URL must be exactly /.well-known/mta-sts.txt.
  • Content-Type should be text/plain.
  • You may need to create a DNS A/CNAME record for mta-sts.yourdomain.com pointing to a web server.

Publishing checklist

  1. Host the policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt (Content-Type: text/plain, over HTTPS).
  2. Create the _mta-sts.yourdomain.com TXT record in DNS.
  3. If using TLS-RPT, create the _smtp._tls.yourdomain.com TXT record.
  4. Verify the policy file is accessible by visiting the URL in your browser.
  5. Start with mode: testing for 2–4 weeks. Check TLS-RPT reports for failures before switching to mode: enforce.
  6. When you update the policy file, always increment the id= value in the DNS TXT record.
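As an added example (not part of this tool), a small Python checker that parses the TXT record and policy file formats shown above and applies the RFC 8461 constraints a sender would: the sample record, policy and MX hostnames are constructed, and the wildcard rule follows the RFC (one label only), which is stricter than "all subdomains".

```python
# Constructed sample inputs (not taken from any live domain).
SAMPLE_TXT = "v=STSv1; id=20260615035835"
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmax_age: 604800\nmx: mail1.example.com\nmx: *.backup-mx.example.com\n"
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age must not exceed one year, in seconds

def parse_txt_record(txt):
    # _mta-sts TXT record: semicolon-separated key=value pairs
    return dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)

def parse_policy(text):
    # mta-sts.txt: one "key: value" per line; mx may repeat
    fields, mx = {}, []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        key, _, value = line.partition(":")
        if key.strip() == "mx":
            mx.append(value.strip().lower())
        else:
            fields[key.strip()] = value.strip()
    return fields, mx

def mx_matches(pattern, hostname):
    # RFC 8461 wildcard: "*.example.com" matches exactly one extra left-hand label
    labels = hostname.lower().rstrip(".").split(".")
    if pattern.startswith("*."):
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return ".".join(labels) == pattern

def validate(txt, policy_text, mx_hosts):
    problems = []
    rec = parse_txt_record(txt)
    if rec.get("v") != "STSv1":
        problems.append("TXT record must start with v=STSv1")
    policy_id = rec.get("id", "")
    if not (1 <= len(policy_id) <= 32 and policy_id.isalnum()):
        problems.append("TXT id= must be 1-32 alphanumeric characters")
    fields, mx = parse_policy(policy_text)
    if fields.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    mode = fields.get("mode")
    if mode not in ("testing", "enforce", "none"):
        problems.append("mode must be testing, enforce or none")
    age = fields.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        problems.append("max_age must be an integer of at most 31557600 seconds")
    if mode != "none" and not mx:
        problems.append("at least one mx: line is required unless mode is none")
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in mx):
            problems.append(f"MX host {host} is not covered by any mx: pattern")
    return problems  # empty list means record and policy are consistent
```

Run validate() against your real TXT record, the fetched policy text and the hostnames from your MX lookup before switching to mode: enforce; any MX host not covered by an mx: line will be refused by enforcing senders.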

Inbound TLS locked down — what about outbound?

Mailflo manages SPF, DKIM, DMARC, and MTA-STS across all your cold email domains — with automated monitoring, instant drift alerts, and one-click repairs.

See Mailflo plans