Test SMTP server connectivity on ports 25, 465, and 587. Understand the difference between relay and submission ports, STARTTLS vs implicit TLS, and what certificate warnings mean.

Complete reference for SMTP bounce codes. Understand what 550 5.7.1, 554 5.7.1, 421 4.7.0 and other email error codes mean and how to fix them.

MTA-STS requires two components working together: a DNS TXT record at _mta-sts.example.com and a policy file served over HTTPS at mta-sts.example.com/.well-known/mta-sts.txt. When either component is missing or unreachable, MTA-STS enforcement fails silently — sending servers cannot verify your TLS policy, and your domain loses the protection MTA-STS is designed to provide.

Your MTA-STS policy file lists mx: entries that don't match your domain's actual MX records. Sending servers that enforce MTA-STS compare these two lists — if an MX host isn't covered by the policy, the sender may skip that server or refuse delivery entirely. This is especially dangerous after mail provider migrations or MX record changes.

MTA-STS forces sending servers to use TLS when delivering email to your domain, closing the gap left by opportunistic STARTTLS. This guide covers the DNS TXT record, the HTTPS-hosted policy file, testing vs enforce mode, and common deployment mistakes.

Your MTA-STS deployment has configuration errors in the DNS TXT record or the policy file. These range from a missing id field that breaks policy caching, to an unrecognized version string that invalidates the entire policy. Each issue weakens or disables MTA-STS enforcement, leaving your domain's email transport security incomplete.