MTA-STS validator

Background

MTA-STS (RFC8461) is a new standard that makes it possible to send downgrade-resistant email over SMTP. In that sense, it is like an alternative to DANE. It does this by piggybacking on the browser Certificate Authority model. This validator checks whether a domain adheres to the RFC. An alternative validator is Hardenize, which checks for much more than just MTA-STS

To enable Strict Transport Security on your mailserver configure the following things:

Check that your host has properly configured STARTTLS
Add a TLSRPT DNS TXT record at _smtp._tls on your domain, e.g. _smtp._tls.example.com, with something like v=TLSRPTv1; rua=mailto:mta-sts@example.com.
Add a MTA-STS DNS TXT record at _mta-sts on your domain, e.g. _mta-sts.example.com, with something like v=STSv1; id=20160831085700Z.
Add a subdomain mta-sts to your domain (note the lack of an underscore) and serve a policy file on https://mta-sts.example.com/.well-known/mta-sts.txt. Here is an example policy file:
```
version: STSv1
mode: enforce
max_age: 10368000
mx: mail.example.com
mx: *.example.net
mx: backupmx.example.com
```
Test this mail domain using this or another validator.

Created by: Ayke (source code). If you encounter any errors, you can create a bug report or alternatively send me a personal message.

MTA-STS validator

Background

Summary

Details

MTA-STS TXT record

SMTP-TLSRPT TXT record

Policy file

Certificate check

DANE ^{[experimental]}

MTA-STS validator

Background

Summary

Details

MTA-STS TXT record

SMTP-TLSRPT TXT record

Policy file

Certificate check

DANE [experimental]

DANE ^{[experimental]}