MTA-STS Policy Generator
Produces the `.well-known/mta-sts.txt` policy file and the `_mta-sts` DNS TXT record so receiving servers enforce TLS when delivering mail to you.
Policy file (`.well-known/mta-sts.txt`):
version: STSv1
mode: testing
mx: mail.example.com
mx: *.mail.example.com
max_age: 604800

DNS TXT record (`_mta-sts`):
v=STSv1; id=1779983277181
Builds the policy file (version, mode, mx, max_age) plus the matching DNS record with the policy ID. Validates MX patterns and mode choices.
Use it when you receive sensitive mail and want stronger transport encryption guarantees than opportunistic STARTTLS provides. It is required for some compliance regimes.
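The generation and validation steps described above, as an added Python example (not this tool's own code). The field rules follow RFC 8461; the function names and the millisecond-timestamp default for the policy ID are assumptions.

```python
import re
import time

MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# A host name; a wildcard is accepted only as the entire leftmost label.
MX_PATTERN = re.compile(rf"(?:\*\.)?{LABEL}(?:\.{LABEL})+")
POLICY_ID = re.compile(r"[A-Za-z0-9]{1,32}")


def build_policy(mode, mx_patterns, max_age):
    """Return the mta-sts.txt body, or raise ValueError on bad input."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {sorted(MODES)}")
    if not isinstance(max_age, int) or not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be 0..{MAX_AGE_LIMIT} seconds")
    if mode != "none" and not mx_patterns:
        raise ValueError("testing and enforce need at least one mx pattern")
    for mx in mx_patterns:
        # fullmatch also rejects embedded newlines that would inject fields
        if len(mx) > 253 or not MX_PATTERN.fullmatch(mx):
            raise ValueError(f"invalid mx pattern: {mx!r}")
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {mx}" for mx in mx_patterns]
    lines.append(f"max_age: {max_age}")
    return "\r\n".join(lines) + "\r\n"


def build_txt_record(policy_id=None):
    """Return the _mta-sts TXT value; publish a new id with every policy change."""
    if policy_id is None:
        # Assumption: a millisecond timestamp is used as a fresh id.
        policy_id = str(int(time.time() * 1000))
    if not POLICY_ID.fullmatch(policy_id):
        raise ValueError("id must be 1 to 32 letters or digits")
    return f"v=STSv1; id={policy_id}"


if __name__ == "__main__":
    # Constructed sample input matching the policy shown on this page.
    print(build_policy("testing", ["mail.example.com", "*.mail.example.com"], 604800))
    print(build_txt_record())
```

Senders re-fetch the policy file only when the `id` in the TXT record changes, so regenerate the record whenever the policy is edited.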
FAQ
Testing vs enforce mode?
Start at testing for 14 days. Watch SMTP TLS reports. Move to enforce only after you confirm no senders are stuck on plaintext.
Does MTA-STS protect outbound mail?
No. MTA-STS is inbound-only — it tells other servers how to encrypt mail TO you. For outbound, your own MTA must respect MTA-STS policies on the receiving side.
Nate built Outsolvi after watching every email-tracking tool he had ever used lie to him about opens. Outsolvi runs Tier 1 to 5 confidence scoring on every open, native in Outlook and Gmail, so the number on the dashboard is one a rep can actually act on.
We update these pages when the underlying mechanics change — new mailbox-provider rules, new tracker behavior, new measurement gaps. The dates above are real revisions, not auto-touches.