You want to force incoming mail to your domain to use encrypted, certificate-validated TLS — not opportunistic STARTTLS that silently downgrades — but the setup has two separate moving parts that are easy to get half-right.
MTA-STS (RFC 8461) needs both pieces published correctly before it does anything: a DNS TXT record at _mta-sts.<yourdomain> with the value v=STSv1; id=<a-short-string>, and a policy file served over HTTPS at exactly https://mta-sts.<yourdomain>/.well-known/mta-sts.txt — note that's a separate mta-sts. hostname, not your bare domain. The policy file declares the mode (enforce, testing or none) and the MX hosts allowed to receive your mail. Any time you change the policy file's contents, the id field in the DNS TXT record must also change — senders cache the policy and only refetch it when they see a new id, so editing the file without bumping id means senders keep using the stale cached version. Source: RFC 8461 §3 “The _mta-sts TXT Record” and §3.1 “Policy File” · verified 2026-07-17.
_mta-sts.yourdomain.com → v=STSv1; id=2026071700Z (any string that changes on every update works — a timestamp is the common convention).https://mta-sts.yourdomain.com/.well-known/mta-sts.txt — this requires a valid TLS certificate for the mta-sts. subdomain itself.mode: testing while you confirm no legitimate mail gets rejected, then switch to mode: enforce (see the dedicated page below on when that's safe).id value in the DNS record in the same change — forgetting this is the most common reason a policy update appears to do nothing.No. DMARC authenticates who is allowed to send as your domain; TLS-RPT and MTA-STS protect how mail travels in transit between servers. They're complementary, independent DNS records — not substitutes for each other.
They work well together but are independent: TLS-RPT is reporting-only (you find out about failures), MTA-STS is enforcement (failing connections get blocked in enforce mode). Most domains set up TLS-RPT first to see what's actually happening before committing to MTA-STS enforce mode.
TLS-RPT can't break anything — it's report-only. MTA-STS in enforce mode can, if your policy file lists the wrong MX hosts or your mta-sts. subdomain's certificate is invalid — which is exactly why RFC 8461 and every practical guide recommend a testing-mode period first.