MTA-STS Lookup
Check whether a domain publishes MTA-STS — the policy that forces TLS on incoming SMTP and prevents opportunistic-TLS downgrade attacks.
Look up MTA-STS
Checks _mta-sts.<domain> TXT and fetches the policy at https://mta-sts.<domain>/.well-known/mta-sts.txt.
What MTA-STS does
MTA-STS (RFC 8461) tells sending mail servers: always use TLS with valid certificates when delivering mail to this domain, or don’t deliver at all. Without it, a network attacker can strip STARTTLS from an SMTP session and read mail in plaintext.
How this tool works
- Queries _mta-sts.<domain> for a TXT record starting with v=STSv1;.
- Fetches the policy document from https://mta-sts.<domain>/.well-known/mta-sts.txt.
- Parses the policy and shows mode (enforce, testing, or none), allowed MX hosts, and the max-age cache window.
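
The parsing step above, as an added example (not this tool's own code): JavaScript that validates the TXT record and the policy body against the RFC 8461 rules, and also checks an MX hostname against the policy's mx patterns, which goes one step beyond what the tool displays. The function names and the example.com / example.net sample values are constructed for illustration.

```javascript
// Added example: parse and validate MTA-STS data per RFC 8461.
const MAX_AGE_LIMIT = 31557600; // RFC 8461 upper bound for max_age (seconds)

// Constructed sample policy body, as served from /.well-known/mta-sts.txt
const SAMPLE_POLICY =
  'version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\n' +
  'mx: *.example.net\r\nmax_age: 604800\r\n';

// Parse the _mta-sts TXT record, e.g. "v=STSv1; id=20240101T000000;"
function parseStsTxt(txt) {
  const fields = txt.split(';').map(s => s.trim()).filter(Boolean);
  if (fields[0] !== 'v=STSv1') return null; // version field must come first
  const id = fields.map(f => f.match(/^id=([A-Za-z0-9]{1,32})$/)).find(Boolean);
  return id ? { version: 'STSv1', id: id[1] } : null;
}

// Parse the policy body into { policy, errors }
function parseStsPolicy(body) {
  const policy = { mx: [] };
  const errors = [];
  for (const line of body.split(/\r?\n/)) {
    const m = line.match(/^([A-Za-z0-9_.-]+):\s*(.*?)\s*$/);
    if (!m) continue; // blank or malformed line
    const [, key, value] = m;
    if (key === 'mx') policy.mx.push(value.toLowerCase()); // mx may repeat
    else if (!(key in policy)) policy[key] = value; // first occurrence wins
  }
  if (policy.version !== 'STSv1') errors.push('version must be STSv1');
  if (!['enforce', 'testing', 'none'].includes(policy.mode)) errors.push('invalid mode');
  if (!/^\d{1,10}$/.test(policy.max_age || '') || Number(policy.max_age) > MAX_AGE_LIMIT)
    errors.push('max_age missing or out of range');
  else policy.max_age = Number(policy.max_age);
  if (policy.mode !== 'none' && policy.mx.length === 0) errors.push('no mx entries');
  return { policy, errors };
}

// Check an MX hostname against the policy. "*.example.net" matches exactly
// one left-most label, so it covers neither example.net nor a.b.example.net.
function mxAllowed(policy, host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return policy.mx.some(p => p.startsWith('*.')
    ? h.indexOf('.') > 0 && h.slice(h.indexOf('.')) === p.slice(1)
    : h === p);
}
```

A sending server that finds mode enforce and an MX host for which mxAllowed returns false must not deliver to that host; in testing mode the mismatch is only reported.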
Caveats
The policy fetch uses your browser’s fetch(), so it’s subject to CORS. Most
MTA-STS policy endpoints don’t set Access-Control-Allow-Origin, so the fetch
usually succeeds but may be blocked on some domains. When blocked, the tool
still shows the DNS record status.
Related
- TLS-RPT lookup — the reporting side of MTA-STS.
- DMARC lookup — the authentication side.