
MTA-STS Policy

Verifies that the domain publishes a valid MTA-STS policy (RFC 8461). MTA-STS lets a domain owner declare that mail for its MX hosts must be delivered over TLS. Sending servers fetch and cache the policy and, when the mode is enforce, refuse to deliver unless STARTTLS succeeds and the MX host presents a certificate that validates against one of the policy's mx patterns.

Applies to: URIBL and URI hosts.

How It Works

This is a two-part check.

1. DNS

We do a TXT lookup at _mta-sts.<domain> and verify the record:

  • starts with v=STSv1
  • contains an id= tag

2. HTTPS

We fetch https://mta-sts.<domain>/.well-known/mta-sts.txt over HTTPS, verifying the TLS certificate against the hostname (this is required by RFC 8461). The policy file must declare:

  • version: STSv1
  • a mode: line
  • at least one mx: line
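
The two-part check above, implemented as a small validator. This is an added example, not the checker's own code. It goes slightly beyond the page's list of required policy fields: per the RFC 8461 §3.2 grammar it also requires a max_age: line and waives the mx: requirement when mode is none, and per §3.1 it treats a domain with zero or more than one v=STSv1 TXT record as having no policy. The DNS lookup is left to the caller; the HTTPS helper uses the standard library with full certificate and hostname verification and refuses redirects, which RFC 8461 §3.3 forbids senders from following. All sample records are constructed, not real.

```python
"""Added example (not the checker's own code): a minimal MTA-STS validator.

Parsing and validation are pure functions so they run offline against the
constructed samples at the bottom; only fetch_policy() touches the network.
"""
import re
import ssl
import urllib.error
import urllib.request

STS_ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")                    # RFC 8461 §3.1 sts-id
MX_RE = re.compile(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")   # ["*."] Domain
MAX_AGE_LIMIT = 31557600                                       # §3.2 upper bound, seconds


def select_sts_txt(records):
    """RFC 8461 §3.1: discard TXT records not beginning with 'v=STSv1;'.
    Exactly one must remain; otherwise the domain has no usable policy."""
    candidates = [r.strip() for r in records if r.strip().startswith("v=STSv1;")]
    return candidates[0] if len(candidates) == 1 else None


def check_sts_txt(record):
    """Validate one _mta-sts.<domain> TXT record. Returns a list of problems."""
    problems = []
    fields = [f.strip() for f in record.split(";") if f.strip()]
    if not fields or fields[0] != "v=STSv1":
        problems.append("TXT record does not start with v=STSv1")
    ids = [f[len("id="):] for f in fields if f.startswith("id=")]
    if not ids:
        problems.append("TXT record has no id= tag")
    elif len(ids) > 1:
        problems.append("TXT record has more than one id= tag")
    elif not STS_ID_RE.fullmatch(ids[0]):
        problems.append(f"id= value {ids[0]!r} is not 1-32 alphanumerics")
    return problems


def parse_policy(text):
    """Parse an mta-sts.txt body. Returns (fields, problems)."""
    problems = []
    fields = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            problems.append(f"malformed line: {line!r}")
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            fields["mx"].append(value)          # repeatable
        elif key in fields:
            problems.append(f"duplicate field: {key}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        problems.append("missing or unsupported version (expected STSv1)")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append("missing or invalid mode (enforce|testing|none)")
    max_age = fields.get("max_age")
    if max_age is None or not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        problems.append("missing or invalid max_age")
    if mode != "none" and not fields["mx"]:     # §3.2: mx required unless mode none
        problems.append("no mx: line")
    for pattern in fields["mx"]:
        if not MX_RE.fullmatch(pattern):
            problems.append(f"invalid mx pattern: {pattern!r}")
    return fields, problems


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """RFC 8461 §3.3: HTTP 3xx redirects MUST NOT be followed for the policy."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)


def fetch_policy(domain, timeout=10.0):
    """Fetch https://mta-sts.<domain>/.well-known/mta-sts.txt with chain and
    hostname verification (ssl.create_default_context); non-2xx raises HTTPError."""
    url = f"https://mta-sts.{domain}/.well-known/mta-sts.txt"
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ssl.create_default_context()), _NoRedirect())
    with opener.open(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_mta_sts(txt_records, policy_text):
    """Run both parts on already-retrieved data; an empty list means pass."""
    record = select_sts_txt(txt_records)
    if record is None:
        return ["no usable _mta-sts TXT record (missing, or more than one)"]
    problems = check_sts_txt(record)
    if policy_text is None:
        return problems + ["policy file could not be fetched"]
    return problems + parse_policy(policy_text)[1]


# Constructed sample data (not real records).
SAMPLE_TXT = ["v=STSv1; id=20240101T000000;"]
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmax_age: 604800\n"
                 "mx: mail.example.com\nmx: *.example.net\n")

if __name__ == "__main__":
    print(check_mta_sts(SAMPLE_TXT, SAMPLE_POLICY))
    print(check_mta_sts(SAMPLE_TXT, "version: STSv1\nmode: enforce\nmax_age: 86400\n"))
```

To check a live domain, resolve the `_mta-sts.<domain>` TXT records with whatever resolver you use, call `fetch_policy(domain)` inside a try/except for `urllib.error.URLError` (which covers certificate and hostname failures as well as refused redirects and non-2xx responses), and pass both results to `check_mta_sts`.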

Fails On

  • Missing TXT record.
  • Missing id= tag in the TXT record.
  • HTTPS fetch fails or returns a non-2xx status.
  • TLS certificate validation fails.
  • Policy file is missing version, mode, or mx lines.

Related

  • TLS-RPT Record: companion check that verifies the domain publishes a TLS reporting endpoint (RFC 8460), so sending servers can report MTA-STS failures back to you.