MTA-STS & TLS-RPT Generator

Enforce TLS on inbound email and get reports when it fails

MTA-STS & TLS-RPT Generator

Enter your domain and mail details to generate the MTA-STS policy file and both DNS records needed to enforce and monitor TLS on inbound mail.

Configuration
Domain
Policy mode
Failures are reported via TLS-RPT but mail is still delivered. Recommended starting point.
Allowed MX hosts
Every MX record of the domain must match one of these patterns, or delivery fails in enforce mode.
Policy cache (max_age)
TLS-RPT reporting
Receivers send daily reports about TLS failures here. Separate multiple addresses with commas.
Nothing generated yet

Fill in your domain and mail details above, then click Generate Records.

Tool Features

Everything you need to deploy MTA-STS and TLS reporting

Enforce TLS on Mail

MTA-STS tells senders to require TLS, blocking downgrade and MITM attacks

TLS Reporting Built In

Generates the TLS-RPT record so you get daily reports of TLS failures

Everything You Need

Policy file plus both DNS records, ready to publish

Safe Rollout

Start in testing mode, then switch to enforce with confidence

Learn more

Guides & explainers related to this tool

Guide

How to Set Up MTA-STS

Step-by-step: publish the policy file, DNS records, and move from testing to enforce.

Article

What Is MTA-STS?

How MTA-STS forces inbound email over valid TLS, and what each policy field means.

Article

What Is TLS-RPT?

How SMTP TLS reporting gives you daily visibility into TLS failures.

Related Tools
Discover similar utilities
Authentication

MTA-STS & TLS-RPT Checker