Free, read only

MTA-STS + TLS-RPT Checker

MTA-STS forces incoming SMTP over TLS. TLS-RPT gets you daily reports when senders fail that TLS. Check both for any domain that receives mail.

About this check

The attack MTA-STS blocks

A bad actor on your upstream network intercepts the initial mail connection and strips the STARTTLS handshake. The sender falls back to plain text, and the attacker reads your mail in transit. MTA-STS forbids the fallback: senders who honour MTA-STS refuse to deliver in plain text.

Roll-out tip

Start with mode=testing for a week. Watch your TLS-RPT inbox. When reports are clean, flip to mode=enforce.

FAQ

Operator questions, answered.

What is MTA-STS?

Mail Transfer Agent Strict Transport Security. It tells other mail servers to ALWAYS use TLS when delivering mail to you. Without it, attackers can downgrade the connection and intercept mail.

What is TLS-RPT?

TLS Reporting. Senders email you a daily report whenever TLS delivery to your domain fails. Gives you visibility into misconfigured senders and active attacks.

How hard is this to set up?

Fifteen minutes. One DNS TXT record, one static file served over HTTPS at a well-known URL, and optionally one more TXT record for TLS-RPT.
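The three pieces named above, validated offline, as an added example that is not part of the original page or the checker's own code. The domain example.com, the sample record values and the function names are constructed; the record and policy syntax follow RFC 8461 (MTA-STS) and RFC 8460 (TLS-RPT).

```python
import re

# Constructed sample data for the placeholder domain example.com.
STS_TXT = "v=STSv1; id=20240501T000000"                   # TXT at _mta-sts.example.com
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"  # TXT at _smtp._tls.example.com
POLICY = ("version: STSv1\r\nmode: testing\r\nmx: mail.example.com\r\n"
          "mx: *.mx.example.com\r\nmax_age: 604800\r\n")  # https://mta-sts.example.com/.well-known/mta-sts.txt

def tags(txt):
    """Parse 'k=v; k=v' TXT syntax into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def check_txt(txt, version):
    """Validate a _mta-sts (STSv1) or _smtp._tls (TLSRPTv1) TXT record."""
    t, problems = tags(txt), []
    if not txt.strip().startswith("v=" + version):
        problems.append("record must begin with v=" + version)
    if version == "STSv1" and not re.fullmatch(r"[A-Za-z0-9]{1,32}", t.get("id", "")):
        problems.append("id must be 1-32 letters or digits")
    uris = [u.strip() for u in t.get("rua", "").split(",") if u.strip()]
    if version == "TLSRPTv1" and not (uris and all(u.startswith(("mailto:", "https://")) for u in uris)):
        problems.append("rua needs mailto: or https:// report URIs")
    return problems

def check_policy(body):
    """Parse the policy file; return (fields, problems)."""
    f, problems = {"mx": []}, []
    for line in body.splitlines():
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "mx":
            f["mx"].append(val.lower())
        elif key:
            f[key] = val
    if f.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if f.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    if f.get("mode") != "none" and not f["mx"]:
        problems.append("at least one mx line is required")
    if not f.get("max_age", "").isdigit() or int(f["max_age"]) > 31557600:
        problems.append("max_age must be an integer up to 31557600 seconds")
    return f, problems

def mx_allowed(patterns, host):
    """A '*.' pattern matches exactly one left-most label (RFC 8461, 4.1)."""
    host = host.lower().rstrip(".")
    return any(p == host or (p[:2] == "*." and host.split(".", 1)[1:] == [p[2:]]) for p in patterns)
```

Run `mx_allowed` against every host in the domain's real MX set before moving the policy from `mode: testing` to `mode: enforce`; an MX host the policy does not list is one that honouring senders will refuse to deliver to.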

MTA-STS + TLS-RPT Checker is one of 25 checks.

A free CQwerty scan covers TLS, DMARC, SPF, DNS, headers, WHOIS, and breach exposure in a single 90-second submission.

No credit card. Results in 90 seconds. Read only.