DataHouse Tools

MTA-STS: TLS for domain email

A practical MTA-STS guide: _mta-sts record, HTTPS policy file, testing/enforce modes and secure SMTP transport.

Glossary

MTA-STS lets a domain publish a policy that tells senders to deliver SMTP mail only to expected MX hosts over valid TLS.

MTA-STS: TLS policy for domain email

The mechanism combines a TXT record at _mta-sts.example.com (v=STSv1; id=...) with a policy file served over HTTPS at https://mta-sts.example.com/.well-known/mta-sts.txt. The DNS record only announces that a policy exists and which version is current; the policy file itself lists the permitted MX hosts, the mode (testing, enforce or none) and how long senders may cache it.

MTA-STS basics

Why it matters

This concept affects domain trust, mail delivery, troubleshooting and migration safety.

Where it is configured

The TXT record is published in DNS, while the policy file is served from the mta-sts subdomain over HTTPS with a certificate valid for that name. A change therefore touches both the DNS platform and the web host, and should be coordinated with whoever operates the domain.

What to check

Check the TXT record syntax and TTL, that the HTTPS policy file is reachable with a valid certificate, that its mx: lines match the domain's actual MX hosts, that the id changes whenever the policy file changes, and that old records and old policy files are gone after a migration.

Example

Example: _mta-sts.example.com TXT v=STSv1; id=20260622

Practical check order

  1. Read current DNS. Query the public DNS for the _mta-sts.example.com TXT record and for the domain's MX records.
  2. Fetch and compare the policy. Retrieve https://mta-sts.example.com/.well-known/mta-sts.txt and confirm that its mode and mx: entries match the mail platform or domain design; an MX host that no mx: line covers will be refused by senders in enforce mode.
  3. Remove stale entries. Old records and old policy files after migration are a common source of failures, and senders keep using a cached policy until the id in the TXT record changes.
  4. Retest dependent services. Send test mail with the policy in testing mode, review any reports delivered to the configured report address, and only then switch to enforce.
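The check order above can be scripted. The following is an added example (not a DataHouse tool) that parses the _mta-sts TXT record and the policy file, validates their syntax and confirms that every MX host is covered by an mx: line, including the single-label wildcard form. The host names, record values and MX list are constructed sample data for example.com; a live check would feed it the output of dig and curl as shown in the comments.

```python
"""Offline MTA-STS consistency check: parse the _mta-sts TXT record and the
HTTPS policy file, validate their syntax, and confirm that every published
MX host is covered by an mx: line.  Added example with constructed inputs;
live values would come from, for example:
    dig +short TXT _mta-sts.example.com
    dig +short MX example.com
    curl -s https://mta-sts.example.com/.well-known/mta-sts.txt
"""
import re

# Constructed sample inputs for example.com (host names are assumptions).
SAMPLE_TXT = '"v=STSv1; id=20260622"'
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.backup.example.com\n"
    "max_age: 604800\n"
)
SAMPLE_MX = ["mail.example.com.", "MX2.backup.example.com."]

MAX_AGE_LIMIT = 31557600  # one year, the ceiling RFC 8461 sets for max_age


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT value (quotes as printed by dig are tolerated)."""
    fields = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    # v=STSv1 must be the first field; id is 1-32 letters or digits.
    if list(fields)[:1] != ["v"] or fields["v"] != "STSv1":
        raise ValueError("record must begin with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text):
    """Parse the policy file into a dict; mx: patterns are collected in a list."""
    policy = {"mx": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in policy:
            raise ValueError(f"line {lineno}: duplicate {key}")
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy must declare version: STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be a number of seconds up to one year")
    policy["max_age"] = int(max_age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx: line is required unless mode is none")
    return policy


def mx_matches(host, pattern):
    """True if an MX host name is covered by a policy mx: pattern.
    A leading '*.' wildcard matches exactly one label, as RFC 8461 specifies."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def uncovered_mx(policy, mx_hosts):
    """MX hosts that no mx: line covers; in enforce mode senders refuse these."""
    return [h for h in mx_hosts
            if not any(mx_matches(h, p) for p in policy["mx"])]


def check_domain(txt, policy_text, mx_hosts):
    """Run the whole consistency check and return a summary dict."""
    record = parse_sts_txt(txt)
    policy = parse_policy(policy_text)
    missing = uncovered_mx(policy, mx_hosts)
    return {
        "id": record["id"],
        "mode": policy["mode"],
        "max_age": policy["max_age"],
        "uncovered_mx": missing,
        "ok": not missing,
    }


if __name__ == "__main__":
    print(check_domain(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX))
```

Run it against the live dig and curl output before switching a policy from testing to enforce: a non-empty uncovered_mx list is exactly the "MX host missing from the policy" failure described in step 2, and a parse error in the TXT record or policy file is the syntax problem a sender would silently treat as "no policy".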

Common mistakes

  • Record added under the wrong DNS name (it must be _mta-sts.example.com, not example.com or mta-sts.example.com).
  • Old values or an old policy file left after migration or provider change.
  • Long TTL during planned changes.
  • Policy file changed without updating the id in the TXT record, so senders keep using the cached policy.
  • Policy copied from another domain without adapting host names or report addresses.
  • Switching straight to enforce without a testing period.
  • Record changed without checking the services that depend on it.

FAQ: MTA-STS: TLS policy for domain email

How should I use this DataHouse page?

Use it as a technical checklist and connect it with the relevant diagnostic tools before or after a production change.