MTA-STS Generator

Create MTA-STS DNS record and policy file

Privacy First

This generator runs entirely in your browser. No data is sent to any server.

Configuration

Domain Name

Policy Mode

MX Hosts (mail servers allowed to receive email)

Use wildcards like *.example.com to match all subdomains

Max Age (cache duration in seconds)

Custom:

Policy ID (optional - auto-generated if empty)

Change the ID whenever you update the policy to force clients to fetch the new version

About MTA-STS

MTA-STS (Mail Transfer Agent Strict Transport Security) enables mail servers to declare their ability to receive TLS-secured connections and specify how other servers should handle delivery failures.

Requirements

DNS Record - TXT record at _mta-sts.domain.com
Policy File - Served at https://mta-sts.domain.com/.well-known/mta-sts.txt
Valid HTTPS - The mta-sts subdomain must have a valid SSL certificate

Deployment Steps

Start with testing mode to identify issues
Configure TLS-RPT to receive failure reports
Monitor reports for at least 1-2 weeks
Switch to enforce mode once confident

Use the TLS-RPT Generator to set up failure reporting alongside MTA-STS.