MTA-STS, hosted and kept current

MTA-STS tells sending mail servers that mail for your domain must arrive over authenticated TLS, and that they should refuse to deliver rather than fall back to plaintext, which closes off downgrade and interception attacks. The catch is hosting a policy file on HTTPS with a valid certificate, forever, and keeping the MX list in sync. DMARCER does that part for you – you set three CNAMEs and never touch it again.

  • 3 CNAMEs to set – we host the rest
  • Automatic certificate issuance and renewal
  • 1 toggle from testing to enforce

The protection is simple. The plumbing isn’t.

By default, email between mail servers is encrypted only if both ends happen to negotiate it (opportunistic STARTTLS) – and an attacker sitting in the middle can quietly strip that offer away, a trick known as a downgrade attack. Once mail drops to plaintext it can be read or tampered with in transit. MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) closes that door: it tells the world’s mail servers that messages to your domain must be delivered over a TLS connection whose certificate is valid for one of your listed mail servers, and to refuse delivery rather than fall back to plaintext.

The idea is simple. The plumbing is not. To switch MTA-STS on you have to publish a small policy file at https://mta-sts.<your-domain>/.well-known/mta-sts.txt, point a _mta-sts TXT record at it, keep a TLS certificate on that host valid forever – if it lapses, senders can no longer fetch the policy and, once their cached copy reaches its max_age, stop applying it – and keep the list of your mail servers (your MX records) inside that file in perfect sync. That’s real infrastructure to stand up and babysit, which is exactly why most domains never turn it on and leave inbound mail exposed.

Why this matters – whoever you are

  • Running your own domains? You get downgrade protection without standing up and maintaining a web host and certificate just for one tiny file.
  • Managing clients? You roll the same protection out across every client without a fleet of policy hosts and certificates to keep alive.

You set three records. We host everything behind them.

There’s no policy file to write, no web server to run, and no certificate to renew. You add three CNAME records to your DNS – pointers that hand the heavy lifting to DMARCER – and from that moment we serve a correct, RFC-compliant policy on HTTPS and manage the TLS certificate end to end, including automatic renewal before it can ever expire.

The policy, served for you

DMARCER publishes an RFC-compliant MTA-STS policy over HTTPS on a host we run. There’s nothing for you to deploy and nothing to keep online.

The certificate, managed end to end

The TLS certificate that the policy depends on is issued and renewed automatically. It can’t silently lapse and switch your protection off.

The MX list, always in sync

Your policy lists the mail servers allowed to receive your mail. When your MX records change, the policy follows automatically – no manual edit, no drift.

Microsoft 365, handled out of the box

Microsoft 365 has its own MX conventions that trip up hand-built policies: the tenant’s MX host lives under mail.protection.outlook.com, and Microsoft’s guidance is to list the wildcard *.mail.protection.outlook.com rather than the tenant-specific hostname. DMARCER accounts for this automatically, so a 365 domain is correct from the start.

Start in testing. Move to enforce when you’re ready.

MTA-STS has a deliberate on-ramp. In testing mode, senders that implement MTA-STS still try for a valid TLS connection but deliver even when the policy can’t be met, reporting the failure through TLS-RPT (if you publish it) rather than blocking, so you can confirm everything is delivering correctly before anything is enforced. When you’re confident, you switch to enforce with a single toggle in the app – and senders begin refusing to deliver to any MX that isn’t in the policy or can’t present a valid certificate, rather than falling back to plaintext.

It’s fully reversible. If you ever need to step back, flip the toggle the other way and you’re returned to testing. Senders re-fetch the policy when they see a new id in your _mta-sts TXT record, so either move takes effect as they pick up the change. There’s no risky cut-over and no point of no return – just a clear path from “watching” to “enforced” that you control.

  • Testing mode to prove delivery first, with no blocking
  • One toggle to move from testing to enforce
  • Fully reversible – step back to testing anytime
  • No infrastructure cut-over and no point of no return
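The policy file format, the MX-matching rule a sending server applies, the Microsoft 365 wildcard, the drift check between policy and live MX records, and the testing/enforce decision described above, as an added worked example. This is illustrative code written for this page, not DMARCER’s own implementation; the domain names and MX records are constructed inline so it runs offline, and the collapsing of Microsoft 365 hosts to *.mail.protection.outlook.com is an assumption made for the example, following Microsoft’s documented policy.

```python
"""Hypothetical MTA-STS policy helpers (added example, not DMARCER code).

Covers the RFC 8461 policy file format, the MX pattern match a sending MTA
applies, the testing/enforce/none decision, and a drift check between the
policy and the domain's live MX records. All DNS data is constructed inline.
"""
from dataclasses import dataclass, field

# Constructed sample data: what an MX lookup would return for two made-up
# domains. No real DNS is queried anywhere in this example.
SAMPLE_MX_RECORDS = {
    "example.com": ["mx1.example.com", "mx2.example.com"],
    # A Microsoft 365 tenant gets an MX like <tenant>.mail.protection.outlook.com;
    # the policy should carry the wildcard Microsoft documents, not the tenant host.
    "contoso.com": ["contoso-com.mail.protection.outlook.com"],
}

# Constructed sample of the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY_TEXT = (
    "version: STSv1\n"
    "mode: testing\n"
    "mx: mx1.example.com\n"
    "mx: mx2.example.com\n"
    "max_age: 604800\n"
)


@dataclass
class Policy:
    mode: str
    mx: list[str] = field(default_factory=list)
    max_age: int = 0


def parse_policy(text: str) -> Policy:
    """Parse the key/value policy body; reject malformed or unsupported policies."""
    fields, mx = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if mode != "none" and not mx:
        raise ValueError("policy must list at least one mx")
    return Policy(mode=mode, mx=mx, max_age=int(fields.get("max_age", "0")))


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 section 4.1: exact match, or a leading '*.' that matches exactly
    one leftmost label ('*.example.com' matches 'mx.example.com' but neither
    'example.com' nor 'a.b.example.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mail.protection.outlook.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return pattern == host


def mx_pattern_for(host: str) -> str:
    """Pattern to write into the policy for one live MX host.
    Assumption for this example: Microsoft 365 hosts collapse to Microsoft's
    documented wildcard; every other host is listed verbatim."""
    host = host.lower().rstrip(".")
    if host.endswith(".mail.protection.outlook.com"):
        return "*.mail.protection.outlook.com"
    return host


def build_policy(domain: str, mode: str, max_age: int = 604800) -> str:
    """Render a policy file from the (constructed) MX records of `domain`."""
    patterns = sorted({mx_pattern_for(h) for h in SAMPLE_MX_RECORDS[domain]})
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {p}" for p in patterns]
    lines.append(f"max_age: {max_age}")
    return "\n".join(lines) + "\n"


def mx_drift(policy: Policy, live_mx: list[str]) -> list[str]:
    """Live MX hosts no policy pattern covers: under enforce, mail routed to
    them is refused. This is the 'MX list out of sync' failure mode."""
    return [h for h in live_mx if not any(mx_matches(p, h) for p in policy.mx)]


def deliver_decision(policy: Policy, mx_host: str, tls_ok: bool) -> str:
    """What a sending MTA that honours MTA-STS does with one connection attempt.
    tls_ok means TLS negotiated with a certificate valid for mx_host."""
    if policy.mode == "none":
        return "deliver"  # policy withdrawn: ordinary opportunistic behaviour
    if tls_ok and any(mx_matches(p, mx_host) for p in policy.mx):
        return "deliver"
    if policy.mode == "enforce":
        return "refuse"  # no plaintext fallback; try another MX or queue
    return "deliver-and-report"  # testing: deliver anyway, failure goes to TLS-RPT
```

Running `mx_drift` against the live MX set on every DNS change is the check that keeps a hand-maintained policy from silently drifting; the example simply makes that comparison explicit.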

One layer of a complete enforcement picture

MTA-STS protects mail coming in to your domain. On its own that’s only part of the picture. Paired with DMARC – which stops others sending as you – and TLS-RPT – which has senders report back when they couldn’t fetch your policy or establish a secure connection, so a problem with your policy can’t hide – you get enforcement in both directions rather than a single control in isolation. DMARCER tracks all three together so you can see exactly how far along you are. See the enforcement journey →

If you run your own domains

You get downgrade protection that used to need a spare web host and a watched certificate – reduced to three DNS records and one toggle, with nothing left to maintain.

If you manage clients

You roll MTA-STS out across every client from one place, with no per-client policy hosts or certificates to keep alive – turning a fiddly project into something you can offer at scale.

Where this fits in the platform

Hosted SPF →

Keep SPF valid under the lookup limit.

DNS remediation →

The engine that sets the records.

Enforcement journey →

DMARC, MTA-STS and TLS-RPT together.

Integrations →

DNS connectors for managing clients.

Is your inbound mail protected from downgrade?

Run a free check to see your MTA-STS status – then let DMARCER host the policy and certificate for you.
