DNS / email · Check
MTA-STS missing — encrypting mail transport for inbound mail
MTA-STS (RFC 8461) tells sending mail servers that your domain requires TLS for inbound connections, defending against TLS downgrade attacks at the SMTP layer. It's a DNS TXT record plus a small policy file at `mta-sts.<domain>/.well-known/mta-sts.txt`.
Real-world risk
Without MTA-STS, opportunistic TLS for inbound mail relies on per-connection behavior; downgrade risk for SMTP is higher.
Fix steps (in order)
- Publish _mta-sts TXT with v=STSv1 and an id=, then host the policy JSON at https://mta-sts.example.com/.well-known/mta-sts.txt (replace with your domain).
Topic explainer
DMARC, SPF, and DKIM explained: the email authentication trio →
A practical guide to email authentication: what SPF, DKIM, and DMARC each do, why all three are needed, and how to roll out a DMARC policy that actually blocks spoofed mail.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (dns_mta_sts_missing) clears once the externally-observable signal is in place.