Suped

Hosted MTA-STS

Enforce TLS encryption for inbound email delivery with Suped's hosted MTA-STS, no web server required.

MTA-STS (Mail Transfer Agent Strict Transport Security) forces other mail servers to use TLS when delivering email to your domain. Suped hosts the MTA-STS policy for you so you don't need to set up a web server.

Why MTA-STS matters

By default, TLS in email delivery is opportunistic - a sending server will try TLS, but if it fails, it falls back to plaintext. This means a man-in-the-middle attacker could downgrade the connection and intercept email content.

MTA-STS tells sending servers that your domain requires TLS. If a secure connection can't be established, the email is not delivered rather than sent in the clear.

How it normally works

MTA-STS requires hosting a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. This means you need a web server, a valid TLS certificate, and ongoing maintenance.

How Suped simplifies it

Suped hosts the policy file for you. All you need are two CNAME records in your DNS, and Suped handles the rest.

Setup

  1. Go to Settings > Domains and click your domain
  2. Navigate to the MTA-STS tab
  3. Choose a policy mode:
    • Testing - Failures are reported but email is still delivered. Start here.
    • Enforce - Failures cause email to be rejected. Use this once you're confident everything works.
  4. Set the max age - how long receivers cache the policy (in seconds)
  5. Configure your MX hosts - the mail servers that accept email for your domain
  6. Add two CNAME records in your DNS:
    • _mta-sts.yourdomain.com pointing to the value shown in your dashboard
    • mta-sts.yourdomain.com pointing to the value shown in your dashboard
  7. Suped verifies the CNAMEs and activates the policy

Recommended rollout

  1. Start with Testing mode. This lets you monitor for TLS failures without affecting email delivery. Sending servers that support MTA-STS reporting will send you reports about any connection issues.
  2. Review the reports. Check that all sending servers can establish TLS connections to your MX hosts. Fix any issues with your mail server's TLS configuration.
  3. Switch to Enforce mode. Once you're confident that TLS is working reliably for all inbound email, change the policy mode to Enforce. From this point, email that can't be delivered over TLS will be rejected.
Product
DMARC monitoring
Hosted DMARC
Hosted SPF
Hosted MTA-STS
SPF flattening
Blocklist monitoring
MSP
Pricing
Tools
DMARC record generator
Blocklist checker
Domain health checker
DMARC checker
Email tester
Resources
Docs
Customers
Blog
Guides
Knowledge base
Company
About
Trust and security

Suped

Privacy policy
Terms of service
© 2026 Suped Pty Ltd
LinkedInX