MTA-STS & TLS-RPT Generator
Build the MTA-STS policy file and DNS records to require TLS for inbound email — plus a TLS-RPT record to get reports. Roll out safely with a testing mode first.
version: STSv1 mode: testing mx: mail.example.com max_age: 604800
_mta-sts.example.com. IN TXT "v=STSv1; id=20260709215647"
Start in testing mode, monitor TLS-RPT reports, then switch to enforce.
What MTA-STS and TLS-RPT do
SMTP was designed with opportunisticencryption: mail servers try TLS, but silently fall back to plaintext if the handshake fails — which an attacker on the network can force (a “downgrade” attack), reading your inbound mail in the clear. MTA-STS(SMTP MTA Strict Transport Security) fixes that by publishing a policy that says “always use TLS with a valid certificate to reach my mail servers, and refuse to deliver if you can’t.” TLS-RPT (SMTP TLS Reporting) is the companion record that has senders email you daily reports of any TLS failures, so you can see problems before enforcing. This generator builds the policy file and both DNS records.
Every option, explained
Domain
The domain you receive mail for. The generator uses it to build the policy URL (https://mta-sts.yourdomain/.well-known/mta-sts.txt) and the two DNS record names (_mta-sts and _smtp._tls).
Mode
testing— servers honour the policy but still deliver on TLS failure, and send you TLS-RPT reports. Always start here for a few weeks.enforce— servers refuse to deliver if TLS or the certificate check fails. Switch to this only once reports are clean and all your MX hosts have valid certs.none— signals you’re retiring MTA-STS; tells senders to ignore any cached policy.
MX hosts
The hostnames of your inbound mail servers (your MX records, e.g. aspmx.l.google.com). They’re listed in the policy file so senders know exactly which servers a valid-TLS connection is expected from. List every MX host or enforce mode will reject mail routed through the missing one.
max_age
How long (in seconds) senders cache your policy. A long value like 604800(1 week) is standard — it means an attacker can’t simply block the policy fetch to bypass MTA-STS, because senders remember it. Keep it low only while first testing.
TLS-RPT reporting address (rua)
A mailto: (or https:) endpoint that receives the daily TLS reports. Set this from day one — it’s how you confirm delivery is healthy before you flip to enforce.
How to publish it
Host the policy file over HTTPS with a valid certificate at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, add the _mta-stsand _smtp._tls TXT records, and start in testing. Once TLS-RPT reports are clean, change the policy file to mode: enforce (and bump its id).
Related tools
Frequently asked questions
▸ ▾ What is MTA-STS?
A standard that lets your domain require inbound mail servers to use TLS, protecting mail in transit from downgrade attacks. TLS-RPT adds reporting.
▸ ▾ What do I need to publish?
A policy file at mta-sts.yourdomain.com/.well-known/mta-sts.txt plus a _mta-sts TXT record (and a _smtp._tls record for TLS-RPT).