MTA-STS lets you require secure connections for email delivered to your domain. It protects against attacks that try to downgrade an encrypted SMTP connection or redirect mail to an unauthorized server.
With hosted MTA-STS, DMARCwise publishes and maintains the MTA-STS policy for your domain. You can manage the policy from the dashboard without running a separate HTTPS server or maintaining its certificate.

To learn how the protocol works, read our Introduction to MTA-STS.
Availability
- Hosted MTA-STS is included with all paid plans. It is not available in the free plan.
Permissions
- All team members can view the hosted MTA-STS settings for the domains they can access.
- Only team members with permission to manage domains can enable, change or disable hosted MTA-STS.
What DMARCwise manages
An MTA-STS setup has two public parts:
- A discovery record at
_mta-sts.{your domain}. Its ID changes whenever a new policy is published, telling sending servers to fetch the policy again. - A policy file at
https://mta-sts.{your domain}/.well-known/mta-sts.txt.
To use the hosted service, you create two CNAME records that point these names to DMARCwise. We then take care of:
- Publishing the discovery record and policy in the correct order.
- Serving the policy over HTTPS.
- Issuing and renewing the TLS certificate for the policy host.
- Detecting the MX servers used by your domain and keeping the policy updated when they change.
- Monitoring the DNS records and certificate and notifying you when they need attention.
You remain in control of the policy mode, cache duration and any additional MX servers that need to be allowed.
Hosted MTA-STS vs self-hosting
Hosted MTA-STS is the simplest option, letting you manage the policy from the DMARCwise dashboard. It also avoids having to operate a dedicated HTTPS host, update the policy and coordinate the DNS updates yourself when the list of MX hosts changes.
You can still host MTA-STS independently. The protocol works in the same way, but you are responsible for the policy file, HTTPS certificate, DNS record and safe update order. See How to set up MTA-STS for the manual procedure.
MTA-STS and TLS reporting
We strongly recommend setting up SMTP TLS reporting before enforcing an MTA-STS policy.
TLS reports show whether sending servers encountered certificate, encryption or MX validation failures while delivering email to your domain. Start with the testing mode, review the reports and move to enforce only after confirming that your mail servers are ready.
Next steps
- Set up hosted MTA-STS.
- Manage your policy and MX servers.
- Read how disabling and retirement work before removing MTA-STS.
