Does your domain enforce TLS encryption for inbound email via MTA-STS?

Checks that you publish a policy requiring senders to encrypt mail to your servers, not just sign it.

What this signal tests

MTA-STS, or Mail Transfer Agent Strict Transport Security, tells other mail servers that messages destined for your domain must be delivered over a properly encrypted, certificate-validated TLS connection. We look for two things. First, a DNS TXT record at _mta-sts.yourdomain.com that signals you have a policy. Second, an HTTPS-hosted policy file at mta-sts.yourdomain.com/.well-known/mta-sts.txt with mode=enforce.

Why it matters for your visibility in AI

MTA-STS completes the email-stack trust picture. SPF, DKIM, and DMARC make sure mail leaving your domain can be verified. MTA-STS makes sure mail arriving at your domain cannot be silently intercepted by a downgrade attack. AI systems that evaluate full operational maturity treat the combination as a single signal: domains with both outbound authentication and inbound transport security stand out. The consequence of missing MTA-STS is rarely catastrophic on its own. It is a low-weight, advanced signal aimed at organisations that already have DMARC at enforcement. But for sectors where confidential email is routine, such as healthcare, legal, and financial services, the absence is a meaningful gap. AI trust scorers in those sectors will note it.

Pass criteria at a glance

| Criterion | Passes when |
| --- | --- |
| MTA-STS | Both TXT and policy reachable; mode=enforce. |

How we test it

We perform two checks. First, a DNS TXT query at _mta-sts.yourdomain.com to confirm the record exists and contains v=STSv1 and an id= value. Second, an HTTPS GET to https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. We parse the response to confirm it lists mode=enforce, your accepting mail servers (the mx: lines), and a max_age. Both pieces must be in place for the signal to pass.

Technical detection method

DNS TXT _mta-sts.{domain}; GET https://mta-sts.{domain}/.well-known/mta-sts.txt; parse mode=.

If your site fails: how to fix it

  1. Decide on the MX hostnames you accept mail at. If you use Google Workspace, these will be the aspmx.l.google.com family. If Microsoft 365, the yourdomain-com.mail.protection.outlook.com pattern. Your provider documents the exact values.
  2. Create the policy file content with `version: STSv1`, `mode: enforce`, one `mx: ...` line per accepting host, and `max_age: 604800`. Save it as mta-sts.txt.
  3. Host the file at the URL https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The mta-sts subdomain must have its own valid TLS certificate. You can use a static host, a redirect from your main site, or your CDN's edge rules.
  4. Open your DNS console at your registrar (Cloudflare, GoDaddy, Namecheap, etc.) and add a TXT record at _mta-sts.yourdomain.com with value `v=STSv1; id=20260522T000000;` where the id is a unique timestamp you update each time you change the policy.
  5. Optionally, add a TLS-RPT record at _smtp._tls.yourdomain.com pointing to an email address that will receive failure reports. This is not required for the signal but is useful for troubleshooting.
  6. Wait a few minutes for DNS to propagate and re-run the AI Ready Test scan.
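The checks described under "How we test it" and the policy produced by the steps above can be validated offline with the following script. It is an added example, not the scanner's own code; it assumes the TXT record and the policy body have already been fetched (for instance with dnspython and requests, which are not shown) and operates on those strings.

```python
# Added example: offline evaluation of an MTA-STS TXT record and policy file.
import re

def parse_sts_txt(txt: str) -> dict:
    """Parse the _mta-sts TXT record ('v=STSv1; id=...'); {} if malformed."""
    # RFC 8461 s3.1: 'v=STSv1' comes first, id is 1-32 alphanumerics, extensions may follow
    m = re.fullmatch(r"v=STSv1\s*;\s*id=([A-Za-z0-9]{1,32})\s*(?:;.*)?", txt.strip())
    return {"v": "STSv1", "id": m.group(1)} if m else {}

def parse_policy(body: str) -> dict:
    """Parse mta-sts.txt ('key: value' per line; 'mx' may repeat)."""
    policy = {"mx": []}
    for line in body.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # blank or junk line
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def evaluate(txt: str, body: str) -> tuple:
    """Return ('pass'|'warn'|'fail', [reasons]) for a TXT record plus policy body."""
    hard, soft = [], []
    if not parse_sts_txt(txt):
        hard.append("TXT record missing or malformed (need 'v=STSv1; id=...')")
    pol = parse_policy(body)
    if pol.get("version") != "STSv1":
        hard.append("policy lacks 'version: STSv1'")
    if not pol["mx"]:
        hard.append("policy lists no 'mx:' hosts")
    if not pol.get("max_age", "").isdigit():
        hard.append("policy lacks a numeric 'max_age'")
    mode = pol.get("mode")
    if mode == "testing":
        soft.append("mode=testing reports failures but does not require TLS")
    elif mode != "enforce":
        hard.append("policy mode is not 'enforce' (got %r)" % mode)
    if hard:
        return "fail", hard + soft
    return ("warn", soft) if soft else ("pass", [])

# Constructed sample inputs (not captured from any real domain)
SAMPLE_TXT = "v=STSv1; id=20260522T000000;"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mx1.example.com\nmx: *.example.net\nmax_age: 604800\n"
```

When wiring in the real fetch, note that RFC 8461 requires senders not to follow HTTP 3xx redirects for the policy URL, so the file must be served directly from the mta-sts host rather than via a redirect.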

Quick facts

Maturity: ESTABLISHED
Weight: low
Category: Trust & Provenance

Frequently asked questions

Will I need IT help to fix this?

Yes, for the policy file hosting. Publishing a static file at a specific subdomain with its own TLS certificate is a small but specific piece of infrastructure work. A developer or hosting admin can typically complete it in an hour.

What if my email is hosted by Google Workspace or Microsoft 365 - is this already done for me?

No. Both providers accept MTA-STS-enforced mail correctly, but they do not host the policy file or publish the DNS record for your domain. You must do both yourself. The MX values to list in the policy are documented in their setup guides.

Could enabling MTA-STS cause some senders to fail to deliver?

Very rarely. You can start in mode=testing rather than mode=enforce, which collects failure reports without blocking delivery. After a week or two with no anomalies, switch to enforce. Mainstream senders all support MTA-STS; only a handful of legacy systems may have issues.

How long until the change propagates?

DNS publication is minutes. The HTTPS file is immediate once uploaded. Sending servers cache the policy for the max_age you set, so a change to your policy may take up to that long to be re-fetched by everyone.

Run your own scan

Run a free scan and see how your site grades across all 155 AI-readiness signals.