MTA-STS tells sending mail servers to deliver to your inbound mail servers only over TLS, which blocks attacks that force a fallback to plain text. Five-minute setup.
What you publish
- A TXT record at _mta-sts.yourdomain.com containing v=STSv1; id=YYYYMMDDHHMMSS;
- A policy file served over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with mode (enforce / testing / none), max_age, and your inbound MX hosts
ShieldMarc auto-publishes for you
Domains we monitor get an auto-generated mta-sts.txt served from our edge with the right MX hosts (we read your MX records on a 5-minute cache). You publish the TXT record and a CNAME for mta-sts.yourdomain.com pointing at us. Done.
When to start in testing mode
If you have any unusual inbound flows (third-party email security gateways, list servers, etc.), start with mode: testing for two weeks. ShieldMarc shows TLS-RPT reports in the dashboard; when they're clean, flip to enforce.
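
A pre-flight check you can run before flipping to enforce, as an added example (not ShieldMarc's code): it parses the TXT record and mta-sts.txt described above and lists any MX host the policy does not cover. The example.* host names and sample values are constructed; the version field and the one-label wildcard rule follow RFC 8461.

```python
# Constructed sample data; example.* names are placeholders.
SAMPLE_TXT = "v=STSv1; id=20240101000000;"
SAMPLE_POLICY = ("version: STSv1\r\nmode: testing\r\nmx: mx1.example.com\r\n"
                 "mx: *.mailgw.example.net\r\nmax_age: 604800\r\n")
SAMPLE_MX = ["mx1.example.com", "in.mailgw.example.net", "lists.example.org"]

def parse_txt(record):
    """Parse the _mta-sts TXT record into a dict of its fields."""
    fields = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    if fields.get("v") != "STSv1" or not fields.get("id", "").isalnum():
        raise ValueError("not a valid MTA-STS TXT record")
    return fields

def parse_policy(text):
    """Parse mta-sts.txt into version, mode, max_age (int) and mx (list)."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("missing or wrong version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy.get("max_age", ""))  # ValueError if absent
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy needs at least one mx")
    return policy

def mx_covered(host, patterns):
    """Exact match, or '*.' pattern matching one left-most label only."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            if host.split(".", 1)[1:] == [pattern[2:]]:
                return True
        elif host == pattern:
            return True
    return False

def uncovered_mx(mx_hosts, policy):
    """MX hosts that senders would refuse once the policy is in enforce."""
    return [h for h in mx_hosts if not mx_covered(h, policy["mx"])]

if __name__ == "__main__":
    print(parse_txt(SAMPLE_TXT)["id"], uncovered_mx(SAMPLE_MX, parse_policy(SAMPLE_POLICY)))
```

An empty result from uncovered_mx, together with clean TLS-RPT reports, is the signal that enforce will not strand an inbound flow such as a gateway or list server.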