MTA-STS & TLS-RPT Checker
Full SMTP TLS enforcement audit — MTA-STS DNS record, the well-known policy file, and TLS-RPT reporting endpoint.
About the MTA-STS & TLS-RPT Checker
The MTA-STS & TLS-RPT Checker validates SMTP TLS enforcement for any mail domain. MTA-STS (RFC 8461) is the modern replacement for the anything-goes 'opportunistic TLS' behavior of SMTP: it lets a receiving domain publish a policy declaring 'my mail servers MUST be reached over authenticated TLS, and here are the exact MX hostnames'. Compliant sending MTAs (Gmail, Microsoft 365, Yahoo, Fastmail, most modern relays) refuse to fall back to plaintext when the policy is in enforce mode — closing the door on downgrade attacks that have historically leaked email content in transit.
A complete MTA-STS deployment has two moving parts: a `_mta-sts.example.com` TXT record announcing the policy id, and an HTTPS policy file served at `https://mta-sts.example.com/.well-known/mta-sts.txt` listing the version, mode (testing / enforce / none), MX name patterns, and max-age. TLS-RPT (RFC 8460), the companion spec, publishes a `_smtp._tls.example.com` TXT record with a reporting address that receives daily JSON reports whenever a sender fails to negotiate TLS to your domain — turning an invisible failure mode into a monitored one.
Our checker resolves the TXT record, fetches the well-known policy over HTTPS, parses every field, and validates all of it in one call. The overall checklist tells you at a glance whether the deployment is complete, whether the mode is safe to enforce, and whether you'll actually receive TLS failure reports. Use it during initial rollout, after any MX change, and as a periodic health check.
How to use this tool
- 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
- 2Click the action button to run the check — results are computed instantly from our edge network.
- 3Review the parsed output, key fields and any warnings shown in the result card.
- 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.
Key features
- Resolves _mta-sts TXT and fetches the .well-known policy file
- Parses version, mode, mx rules, max-age
- Resolves TLS-RPT (_smtp._tls) and shows report destinations
- Overall checklist with pass/fail per requirement
- Complements SPF, DKIM, DMARC, and BIMI checkers