MTA-STS (SMTP MTA Strict Transport Security, RFC 8461) lets a domain declare that inbound SMTP MUST use TLS with a valid certificate matching the announced MX hosts. Without MTA-STS, a network attacker can strip the STARTTLS upgrade ("STRIPTLS") and intercept mail in cleartext -- the same downgrade attack HSTS was designed to prevent for HTTPS.
The check has two parts:
- A TXT record at `_mta-sts.<domain>` carries the policy ID. The ID changes when the policy changes; senders use it to detect rotation without re-fetching the policy file every time.
- An HTTPS GET to `https://mta-sts.<domain>/.well-known/mta-sts.txt` returns the actual policy: `version`, `mode` (`enforce`, `testing`, or `none`), allowed `mx` hosts (with wildcard support), and `max_age` (cache lifetime in seconds, max ~1 year per RFC).
A common silent misconfiguration is having only one half (just the DNS record, just the policy file) -- senders ignore the policy entirely. mode: testing reports failures via TLS-RPT but doesn't enforce; promote to mode: enforce after monitoring confirms no legitimate sender is broken.
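The two-part check above, as an added example (not code from the original page): a parser for the `_mta-sts.<domain>` TXT record and the `mta-sts.txt` policy body, plus the MX-host matching rule a sending MTA applies, including the single-label semantics of a leading `*.` wildcard. The TXT record, policy text and hostnames are constructed sample values, not records of any real domain.

```python
# Constructed sample inputs for this example (not records of any real domain).
SAMPLE_TXT = "v=STSv1; id=20240115T120000Z;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.mx.example.net
max_age: 604800
"""

def parse_sts_txt(record):
    """Parse the _mta-sts.<domain> TXT record and return the policy id."""
    fields = dict(f.strip().split("=", 1) for f in record.split(";") if f.strip())
    if fields.get("v") != "STSv1":
        raise ValueError("not an STSv1 record")
    return fields["id"]

def parse_policy(text):
    """Parse an mta-sts.txt body into a dict; every 'mx' line is collected."""
    policy = {"mx": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy["max_age"])  # seconds; RFC caps at ~1 year
    return policy

def mx_matches(hostname, pattern):
    """A leading '*.' matches exactly one left-most label, per RFC 8461."""
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return hostname == pattern
    suffix = pattern[1:]                      # ".mx.example.net"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    return left != "" and "." not in left

def mx_allowed(policy, hostname):
    return any(mx_matches(hostname, p) for p in policy["mx"])
```

A sender that validates the TLS certificate against an MX host for which `mx_allowed` returns False must not deliver under `mode: enforce`; under `mode: testing` it delivers anyway and reports the mismatch via TLS-RPT.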