MTA-STS Check
free
/v1/security/mta-sts

Validates MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) configuration that enforces TLS encryption for inbound email delivery. Checks both the DNS TXT record at _mta-sts.<domain> and the policy file hosted at https://mta-sts.<domain>/.well-known/mta-sts.txt. Also checks for TLS-RPT (RFC 8460) reporting configuration. Validates max_age against recommended ranges (86,400-31,557,600 seconds) and flags common implementation pitfalls.
What It Does
Queries the _mta-sts.<domain> TXT record for the MTA-STS DNS entry (v=STSv1; id=<policy-id>), fetches the policy file from the well-known URL, validates policy syntax (version tag ordering per RFC 8461 §3.2, mode, mx patterns, max_age), cross-validates MX patterns against actual MX records, and checks for TLS-RPT reporting at _smtp._tls.<domain>. Evaluates the mode progression (none → testing → enforce), validates max_age against recommended ranges (minimum 86,400 for testing, 604,800-31,557,600 for enforce), and detects common issues like DNS record without policy file, mismatched MX patterns, missing policy ID, and version ordering violations. Note: STARTTLS capability of MX servers cannot be verified from this platform (SMTP port 25 is not accessible).
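As an added example (not the endpoint's own code), the following Python applies the checks listed above offline to a constructed TXT record and policy file for the hypothetical domain example.test; it performs no DNS or HTTPS lookups, and the max_age bounds are the ones stated on this page.

```python
# Added example, not the endpoint's own code: an offline MTA-STS validator that
# applies the checks described above to constructed inputs (no DNS/HTTPS I/O).
MIN_TESTING, MIN_ENFORCE, MAX_AGE = 86_400, 604_800, 31_557_600  # max_age bounds (s)

SAMPLE_TXT = "v=STSv1; id=20240101T000000"  # constructed, hypothetical domain example.test
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.test\nmx: *.backup.example.test\nmax_age: 604800\n"
SAMPLE_MX = ["mail.example.test", "mx2.backup.example.test"]

def parse_dns_record(txt):
    """Parse _mta-sts TXT data; require v=STSv1 and a non-empty id."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    issues = []
    if fields.get("v") != "STSv1":
        issues.append("dns: expected v=STSv1")
    if not fields.get("id"):
        issues.append("dns: missing policy id")
    return fields, issues

def mx_matches(pattern, host):
    """RFC 8461 mx pattern: exact host, or '*.' wildcard for exactly one leading label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return host == pattern

def validate_policy(text, mx_hosts):
    """Check version ordering, mode, mx patterns and max_age; return (policy, issues)."""
    issues, policy = [], {"mx": []}
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "mx":
            policy["mx"].append(val)
        else:
            policy[key] = val
        if key == "version" and i != 0:  # version tag must come first (RFC 8461 s3.2)
            issues.append("policy: version is not the first line")
    if policy.get("version") != "STSv1":
        issues.append("policy: expected version STSv1")
    mode = policy.get("mode")
    if mode not in ("none", "testing", "enforce"):
        issues.append("policy: invalid mode")
    for host in mx_hosts:  # every real MX host must match some mx pattern
        if not any(mx_matches(p, host) for p in policy["mx"]):
            issues.append(f"policy: MX {host} matches no mx pattern")
    age = policy.get("max_age", "")
    floor = MIN_ENFORCE if mode == "enforce" else MIN_TESTING
    if not (age.isdigit() and floor <= int(age) <= MAX_AGE):
        issues.append(f"policy: max_age {age!r} outside recommended {floor}-{MAX_AGE}")
    return policy, issues
```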
Why It's Useful
MTA-STS prevents email interception by requiring TLS encryption between mail servers (RFC 8461). Without MTA-STS, even domains with HTTPS everywhere can have their emails intercepted via SMTP downgrade attacks — attackers can strip STARTTLS from the initial negotiation. MTA-STS is the email equivalent of HSTS and is complementary to DANE (RFC 7672, which requires DNSSEC). Combined with TLS-RPT, it provides visibility into delivery failures. Adopted by Google (exclusively uses MTA-STS) and Microsoft (supports both DANE and MTA-STS). Required for SOC 2, HIPAA, and GDPR compliance for encrypted email transmission.
Use Cases
Email Encryption Enforcement
Verify MTA-STS is properly configured to enforce encrypted email delivery to your domain. Check that the policy mode is "enforce" and max_age is sufficient.
Protect sensitive email communications from man-in-the-middle and downgrade attacks.
Compliance Documentation
Document MTA-STS configuration as evidence of email encryption controls for SOC 2, HIPAA, or GDPR audits.
Meet compliance requirements for encrypted email transmission.
Partner Email Security Assessment
Evaluate partner or vendor email security by checking their MTA-STS enforcement level before sharing sensitive information via email.
Ensure sensitive communications with partners are encrypted in transit.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to check MTA-STS configuration for. Example: google.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| has_mta_sts | boolean | Whether MTA-STS is configured (DNS record exists) |
| dns_record | object | MTA-STS DNS record details (version, id) |
| policy | object | Parsed policy file: version, mode (none/testing/enforce), mx patterns, max_age |
| mode | string | Policy mode: none, testing, or enforce |
| policy_url | string | URL of the MTA-STS policy file |
| tls_rpt | object | TLS-RPT (RFC 8460) reporting configuration if present |
| issues | array | Configuration issues found |
| recommendations | array | Improvement recommendations |
Code Examples

curl:

```bash
# -G sends the -d fields as a query string, so this is a GET like the other examples
curl -G "https://api.edgedns.dev/v1/security/mta-sts" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=google.com"
```

JavaScript:

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/security/mta-sts?domain=google.com',
  { headers: { 'Authorization': 'Bearer YOUR_API_KEY' } }
);
const data = await response.json();
console.log(data);
```

Python:

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/security/mta-sts',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={'domain': 'google.com'},
)
data = response.json()
print(data)
```