WQI.webqualityindex

Email health

MTA-STS

Forces inbound mail to your domain over TLS so an attacker can't downgrade the connection mid-flight. Pair it with TLS-RPT to find out when someone tries.

Authority: IETF
Version: RFC 8461
Jurisdiction: Global
Source: datatracker.ietf.org
Last reviewed: 2026-04-28
Last verified: pending

What it is

Mail Transfer Agent Strict Transport Security — RFC 8461. A policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt plus a `_mta-sts` DNS TXT record telling sending MTAs that mail to this domain must arrive over a TLS connection with a valid certificate.

Why it matters

Without MTA-STS a STARTTLS handshake can be silently stripped by anyone on the wire and your inbound mail goes plaintext. The policy is a one-time setup; the reporting half (TLS-RPT) tells you when an attempt failed.

Who it applies to

Domains receiving email at scale, especially those handling sensitive correspondence.

How WQI scores it

Web Quality Index considers this standard satisfied when the supporting factor passes.

| # | Factor | Status |
|---|--------|--------|
| 24 | MTA-STS & TLS-RPT | planned |

0 of 1 supporting factors are currently collected. Sites where the remaining 1 hasn't been measured will show as partial or unknown on this standard until the data lands.

Related standards

See also
DMARC, DKIM, SPF, TLS-RPT

Standards that share factors with this one

Auto-computed from overlapping factor tickets in satisfiedBy, excluding standards already listed under "See also" above. Strong overlap suggests these standards rise and fall together when sites are scored.