MTA-STS + TLS-RPT Checker
MTA-STS forces incoming SMTP over TLS. TLS-RPT gets you daily reports when senders fail that TLS. Check both for any domain that receives mail.
The attack MTA-STS blocks
A bad actor on your upstream network intercepts the initial mail connection and strips the STARTTLS handshake. The sender falls back to plain text, and the attacker reads your mail in transit. MTA-STS forbids the fallback — senders who honour MTA-STS refuse to deliver in plain text.
Roll-out tip
Start with mode=testing for a week. Watch your TLS-RPT inbox. When reports are clean, flip to mode=enforce.
FAQ
Frequently asked questions
What is MTA-STS?
Mail Transfer Agent Strict Transport Security. It tells other mail servers to ALWAYS use TLS when delivering mail to you. Without it, attackers can downgrade the connection and intercept mail.
What is TLS-RPT?
TLS Reporting. Senders email you a daily report whenever TLS delivery to your domain fails. Gives you visibility into misconfigured senders and active attacks.
How hard is this to set up?
Fifteen minutes. One DNS TXT record, one static file served over HTTPS at a well-known URL, and optionally one more TXT record for TLS-RPT.
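As an added example (not code from this page or from the checker product), here is the validation a checker performs over the three artefacts just listed, covering the roll-out tip above: the policy file, the _mta-sts TXT record and the _smtp._tls TLS-RPT record. It runs offline against constructed records for example.com; the record names and field rules follow RFC 8461 and RFC 8460, the sample values are made up.

```python
import re

# Constructed sample data for example.com; these are not real DNS records.
STS_TXT = "v=STSv1; id=20240101T000000"          # _mta-sts.example.com TXT
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"  # _smtp._tls TXT
POLICY = """version: STSv1
mode: testing
mx: mx1.example.com
mx: *.mail.example.com
max_age: 604800
"""  # body of https://mta-sts.example.com/.well-known/mta-sts.txt

def parse_policy(text):
    """Parse the key: value lines of an MTA-STS policy; mx may repeat, so it is a list."""
    policy = {"mx": []}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def mx_matches(host, patterns):
    """RFC 8461 mx matching: an exact name, or '*.suffix' covering exactly one leading label."""
    host = host.lower().rstrip(".")
    for pat in (p.lower() for p in patterns):
        if pat.startswith("*."):
            labels = host.split(".")
            if len(labels) > 1 and ".".join(labels[1:]) == pat[2:]:
                return True
        elif host == pat:
            return True
    return False

def check(sts_txt, policy_text, tlsrpt_txt, mx_hosts):
    """Return findings for the MTA-STS and TLS-RPT setup; an empty list means enforce-ready."""
    findings = []
    if not re.fullmatch(r"v=STSv1;\s*id=[A-Za-z0-9]{1,32};?\s*", sts_txt):
        findings.append("_mta-sts TXT record is not a valid v=STSv1 record")
    p = parse_policy(policy_text)
    if p.get("version") != "STSv1":
        findings.append("policy version must be STSv1")
    mode = p.get("mode")
    if mode not in ("testing", "enforce", "none"):
        findings.append("policy mode must be testing, enforce or none")
    elif mode != "enforce":
        findings.append(f"mode={mode}: senders may still fall back to plaintext")
    if not p["mx"]:
        findings.append("policy needs at least one mx line")
    if not p.get("max_age", "").isdigit() or int(p["max_age"]) > 31557600:
        findings.append("max_age must be an integer number of seconds, at most 31557600")
    for host in mx_hosts:  # every real MX host must be covered, or enforce mode breaks delivery
        if not mx_matches(host, p["mx"]):
            findings.append(f"MX host {host} is not covered by any policy mx line")
    if not re.fullmatch(r"v=TLSRPTv1;\s*rua=(mailto:|https://)\S+", tlsrpt_txt):
        findings.append("_smtp._tls TXT record missing or has no rua= report address")
    return findings

if __name__ == "__main__":
    for f in check(STS_TXT, POLICY, TLSRPT_TXT, ["mx1.example.com", "mx2.mail.example.com"]):
        print("-", f)
```

Against the constructed data the only finding is the testing mode; swapping in mode: enforce yields an empty list, which is the state the roll-out tip says to reach before flipping.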
MTA-STS + TLS-RPT Checker is just the start.
CQwerty Shield checks SSL, DMARC, SPF, DNS, HTTP headers, WHOIS, breach intel, and more — with CVE/KEV cross-references on every finding.