MTA-STS & TLS-RPT
#24 · Recommended · Web Quality · weighted · Security & Infrastructure · weight 1.3% · impl implemented · method v1.2.0
Web Quality factor
This factor is part of Web Quality — the weighted 0..100 score that sits above Web Standards. Its weight depends on what kind of site is being measured. Web Standards items take priority; this factor only enters the score once Web Standards passes.
- Base weight: 0.6, applied to every site type unless overridden below
- Why this weight: MTA-STS + TLS-RPT enforce TLS for inbound mail. Moderate baseline.
Per-site-type overrides
| Site type | Weight | Δ vs base |
|---|---|---|
| E-commerce | 0.9 | +0.3 |
| News / Publisher | 0.8 | +0.2 |
| Government | 1.0 | +0.4 |
Site types not listed inherit the base weight.
What this means for your business
These settings tell other mail servers they must use encryption when delivering email to you, so an attacker on the network can't read or quietly redirect it. Most small businesses don't have this turned on yet, and the bigger your domain gets, the more it matters.
Plain title: Keeps your email private in transit
What we measure
MTA-STS lets your domain require that sending mail servers deliver to it over TLS. Without it, an attacker on the network path can downgrade delivery to plaintext (for example by stripping STARTTLS). TLS-RPT sends you reports when TLS delivery to your domain fails.
How to improve your score
Publish a `_mta-sts.<domain>` TXT record and serve the policy file over HTTPS at `https://mta-sts.<domain>/.well-known/mta-sts.txt`. Add a `_smtp._tls.<domain>` TXT record for TLS-RPT reporting.
Implementation
stale · v1 · seeded — no connector publish yet · source: freshcoat-discovery/src/connectors/dns-email-security.ts:scoreMtaStsTlsRpt
Detection method
Gates on MX record presence — domains that don't receive mail return null (n/a). When MX present, queries _mta-sts.<domain> and _smtp._tls.<domain> TXT records via DoH, then fetches https://mta-sts.<domain>/.well-known/mta-sts.txt to confirm policy is reachable.
Detection sources
- DNS DoH (TXT for _mta-sts and _smtp._tls)
- HTTPS GET on mta-sts.<domain>/.well-known/mta-sts.txt
Scoring bands · soft ladder
| Score | Condition |
|---|---|
| 100 | STS record + reachable policy + TLS-RPT |
| 60 | STS record + reachable policy (no TLS-RPT) |
| 75 | STS record but policy fetch 404s (record without enforcement) |
| 30 | MX present but no STS record (best-practice gap) |
| n/a | no MX records — MTA-STS irrelevant for non-mail-receiving domains |
Evidence-key dictionary
What every notes string the connector emits means.
Surfaces in the per-domain dossier evidence column.
- `full_stack`: STS record + policy + TLS-RPT all in place.
- `sts_with_policy`: STS record and policy reachable; TLS-RPT missing.
- `sts_record_no_policy`: STS TXT record present but the policy file 404s.
- `no_mta_sts_record`: MX present but no STS record published.
- `no_mx_no_mta_sts_relevance`: Domain has no MX records — factor n/a.
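The detection method, scoring bands and evidence keys above, worked through as one TypeScript scorer. This is an added example, not the `freshcoat-discovery` connector's own code: the `Probe` interface, `sampleProbe` helper and the placeholder domain `example.test` are assumptions, and the DoH and HTTPS calls that a real connector would `await` are stubbed behind synchronous functions so the sample runs offline against constructed records. It goes slightly beyond the page in two places: the `_mta-sts` record and the policy body are validated against the RFC 8461 syntax rather than only checked for presence, and any non-200 response or unparseable policy is treated like the page's 404 case. The returned `mode` lets a reviewer tell a `testing` policy, which does not enforce, from an `enforce` one.

```typescript
// Added example (not the freshcoat-discovery connector): gate on MX, read the
// two TXT records, validate the policy file, map the outcome to the page's bands.
interface Probe {
  hasMx(domain: string): boolean;                       // any MX record present?
  txt(name: string): string[];                          // TXT strings at a name (DoH in practice)
  get(url: string): { status: number; body: string };   // HTTPS GET; RFC 8461 forbids following redirects
}

interface Outcome { score: number | null; notes: string; mode?: string }

// Split a "k=v; k2=v2" TXT record into a key/value map.
function kv(txt: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const field of txt.split(";")) {
    const i = field.indexOf("=");
    if (i > 0) out[field.slice(0, i).trim()] = field.slice(i + 1).trim();
  }
  return out;
}

// RFC 8461 section 3.1: the _mta-sts TXT record must carry v=STSv1 and a policy id.
function parseStsRecord(txt: string): { id: string } | null {
  const f = kv(txt);
  return f["v"] === "STSv1" && f["id"] ? { id: f["id"] } : null;
}

// RFC 8461 section 3.2: "key: value" lines with version, mode, max_age and mx entries.
interface StsPolicy { mode: "enforce" | "testing" | "none"; mx: string[]; maxAge: number }
function parseStsPolicy(body: string): StsPolicy | null {
  const mx: string[] = [];
  const f: Record<string, string> = {};
  for (const line of body.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i < 0) continue;
    const key = line.slice(0, i).trim();
    const value = line.slice(i + 1).trim();
    if (key === "mx") mx.push(value); else f[key] = value;
  }
  const mode = f["mode"];
  const maxAge = Number(f["max_age"]);
  if (f["version"] !== "STSv1") return null;
  if (mode !== "enforce" && mode !== "testing" && mode !== "none") return null;
  if (!Number.isInteger(maxAge) || maxAge < 0) return null;
  if (mode !== "none" && mx.length === 0) return null;   // enforce/testing need at least one mx
  return { mode, mx, maxAge };
}

// RFC 8460 section 3: the _smtp._tls TXT record is v=TLSRPTv1 with at least one rua= destination.
function hasTlsRpt(records: string[]): boolean {
  return records.some(r => { const f = kv(r); return f["v"] === "TLSRPTv1" && !!f["rua"]; });
}

// Mirrors the scoring bands and evidence keys listed on this page.
function scoreMtaStsTlsRpt(domain: string, probe: Probe): Outcome {
  if (!probe.hasMx(domain)) return { score: null, notes: "no_mx_no_mta_sts_relevance" };
  const sts = probe.txt(`_mta-sts.${domain}`).map(parseStsRecord).find(r => r !== null);
  if (!sts) return { score: 30, notes: "no_mta_sts_record" };
  const res = probe.get(`https://mta-sts.${domain}/.well-known/mta-sts.txt`);
  const policy = res.status === 200 ? parseStsPolicy(res.body) : null;
  if (!policy) return { score: 75, notes: "sts_record_no_policy" };
  const rpt = hasTlsRpt(probe.txt(`_smtp._tls.${domain}`));
  return rpt
    ? { score: 100, notes: "full_stack", mode: policy.mode }
    : { score: 60, notes: "sts_with_policy", mode: policy.mode };
}

// Constructed offline probe for the placeholder domain example.test (assumption, not real data).
function sampleProbe(opts: { mx: boolean; sts: boolean; policy: boolean; rpt: boolean }): Probe {
  return {
    hasMx: () => opts.mx,
    txt: (name) => {
      if (name === "_mta-sts.example.test") return opts.sts ? ["v=STSv1; id=20260429T000000Z"] : [];
      if (name === "_smtp._tls.example.test") return opts.rpt ? ["v=TLSRPTv1; rua=mailto:tls-reports@example.test"] : [];
      return [];
    },
    get: () => opts.policy
      ? { status: 200, body: "version: STSv1\nmode: enforce\nmx: mail.example.test\nmax_age: 604800\n" }
      : { status: 404, body: "Not Found" },
  };
}

console.log(scoreMtaStsTlsRpt("example.test", sampleProbe({ mx: true, sts: true, policy: true, rpt: true })));
```

Swapping `sampleProbe` for real DoH and HTTPS calls is the only change needed to run this against a live domain; the record syntax in the sample is also the syntax to publish when raising a score.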
Applicability
Recommended. Only meaningful for domains that receive mail. Gated to null when MX is absent (added Apr 29 after Vercel-class sites were false-failing despite not being mail-receiving).
Changelog
- 2026-04-29 · seed · Initial seed from MethodologyRegistry bootstrap.
Facts
When this applies
MTA-STS and TLS-RPT require DNS TXT records; the factor does not apply when the site owner can't publish them on the detected platform.
- Marked n/a when the detected platform doesn't support `canEditDns`. This is the same platform gating used elsewhere in the methodology (e.g., Squarespace and Wix can't set custom HTTP headers, so factor #4 becomes n/a there).
Scoring
Scoring formulas are versioned with the methodology. The current method (v1.2.0) maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.
Cited by these standards
Standards in the Standards Library whose `satisfiedBy` requirement tree references this factor. Each link goes to the standard's full entry — methodology, scope, and the other factors it relies on.
Version history
| Version | Change | Date |
|---|---|---|
| v1.2.0 | Factor introduced. Status: live. Scoring impl: implemented. | 2026-04-28 |