Generator

MTA-STS Policy Generator

Build an MTA-STS policy file plus the DNS TXT record that enforces TLS for inbound email.

Domain

Mode

Start with testing, monitor TLS-RPT, then move to enforce.

MX patterns (one per line)

Use wildcards for subdomains: *.mail.example.com

max_age (seconds)

604800 = 1 week. Spec allows up to 31557600 (1 year).

Policy file (serve at well-known path)

version: STSv1
mode: testing
mx: mail.example.com
mx: *.mail.example.com
max_age: 604800

DNS TXT record

Host:  _mta-sts.<your-domain>
Type:  TXT
Value: v=STSv1; id=1779913769

Publish at

https://mta-sts.<your-domain>/.well-known/mta-sts.txt

Pair with TLS-RPT to receive delivery failure reports.