Part 4 of a five-part email deliverability playbook.

Short one, because this is a short decision.

MTA-STS in mode: testing is the email equivalent of a smoke detector with the battery out. The wiring is done (DNS record published, policy file hosted, the hard part behind you), but when a mail server can’t make a secure TLS connection to you, testing mode shrugs and lets the mail through anyway. It reports the failure. It prevents nothing.

That’s by design. Testing mode exists so you can find out what would break before you make breakage possible. The question is just: have you actually looked?

The pre-flight check

  1. Make sure TLS-RPT is on. A TXT record at _smtp._tls.yourdomain.com with a rua= address. Without it, you’re in testing mode with no test results: all caution, no information. (If you only do one thing after reading this, do this.)
  2. Read a couple weeks of reports. TLS-RPT reports are JSON summaries of who tried to deliver to you over TLS and whether it worked. You’re looking for failures from legitimate sources: a partner’s mail server with an old TLS stack, an internal relay with a certificate that doesn’t match your MX hostnames.
  3. Triage what you find. Certificate-mismatch failures are usually on your side (an MX host not covered by its cert, so fix the cert). Negotiation failures from random servers you don’t recognize are usually fine to ignore. Enforcing against servers that can’t do modern TLS is the entire point.
  4. Clean for two weeks? Flip it. Change mode: testing to mode: enforce in the policy file, and bump the id= in the DNS record so receivers re-fetch it. That last part is the step everyone forgets. The id is how the world knows your policy changed.
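Worked example of the four steps above, added here and not part of the original post: it parses a TLS-RPT aggregate report (RFC 8460 JSON), sorts the failures into "fix on our side" versus "sender can't do TLS", gates the flip on the result, rewrites the hosted policy from testing to enforce, and emits the two TXT records with a bumped id. The report, domain names, IPs and counts are constructed placeholders; the function names are this example's own.

```python
import json
from collections import defaultdict

# Constructed TLS-RPT aggregate report in the RFC 8460 JSON shape. Sample data
# only: every domain, IP, id and count here is a placeholder, not a real report.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sending Org",
    "date-range": {"start-datetime": "2024-01-01T00:00:00Z",
                   "end-datetime": "2024-01-01T23:59:59Z"},
    "contact-info": "tlsrpt@sender.example",
    "report-id": "constructed-report-001",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "yourdomain.example",
                   "policy-string": ["version: STSv1", "mode: testing",
                                     "mx: mx1.yourdomain.example", "max_age: 86400"],
                   "mx-host": ["mx1.yourdomain.example"]},
        "summary": {"total-successful-session-count": 1540,
                    "total-failure-session-count": 3},
        "failure-details": [
            # An MX host whose certificate does not cover its name: our problem.
            {"result-type": "certificate-host-mismatch", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mx2.yourdomain.example", "failed-session-count": 2},
            # A sender that never offered STARTTLS: exactly what enforce mode refuses.
            {"result-type": "starttls-not-supported", "sending-mta-ip": "198.51.100.7",
             "receiving-mx-hostname": "mx1.yourdomain.example", "failed-session-count": 1},
        ],
    }],
})

# RFC 8460 result types that are fixed on the receiving side (our certificate,
# MX list or policy file). Everything else is the sender's TLS stack, or a
# hostile path, failing to negotiate, which an enforce policy should reject.
RECEIVER_SIDE = {"certificate-host-mismatch", "certificate-expired",
                 "certificate-not-trusted", "sts-policy-fetch-error",
                 "sts-policy-invalid", "sts-webpki-invalid"}


def triage(report_json: str, known_senders=()):
    """Step 3: bucket failures as fix (ours), review (known partner), ignore (unknown)."""
    report = json.loads(report_json)
    buckets = {"fix": defaultdict(int), "review": defaultdict(int), "ignore": defaultdict(int)}
    for pol in report["policies"]:
        for f in pol.get("failure-details", []):
            rtype, ip = f["result-type"], f.get("sending-mta-ip", "?")
            key = (rtype, ip, f.get("receiving-mx-hostname", "?"))
            count = f.get("failed-session-count", 1)
            if rtype in RECEIVER_SIDE:
                buckets["fix"][key] += count
            elif ip in known_senders:
                buckets["review"][key] += count   # legitimate partner: talk to them first
            else:
                buckets["ignore"][key] += count
    return {name: dict(b) for name, b in buckets.items()}


def ready_to_enforce(triaged) -> bool:
    """Gate for step 4: nothing left that is our fault and no known partner failing."""
    return not triaged["fix"] and not triaged["review"]


def flip_to_enforce(policy_text: str) -> str:
    """Rewrite the hosted mta-sts.txt from testing to enforce; other lines unchanged."""
    out = []
    for line in policy_text.splitlines():
        key, _, _ = line.partition(":")
        out.append("mode: enforce" if key.strip() == "mode" else line)
    return "\n".join(out) + "\n"


def bumped_dns_records(domain: str, new_id: str, rua: str) -> dict:
    """TXT records for steps 1 and 4. new_id must be 1-20 alphanumerics (RFC 8461)
    and must differ from the previous id, or receivers keep the cached policy."""
    assert new_id.isalnum() and 1 <= len(new_id) <= 20, "invalid MTA-STS id"
    return {
        f"_smtp._tls.{domain}": f"v=TLSRPTv1; rua=mailto:{rua}",
        f"_mta-sts.{domain}": f"v=STSv1; id={new_id}",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, entries in result.items():
        for (rtype, ip, mx), n in entries.items():
            print(f"{bucket:6} {n:4} x {rtype} from {ip} to {mx}")
    print("ready to enforce:", ready_to_enforce(result))   # False: fix mx2's cert first
    print(flip_to_enforce("version: STSv1\nmode: testing\nmx: mx1.yourdomain.example\nmax_age: 86400\n"))
    print(bumped_dns_records("yourdomain.example", "20240115120000", "tlsrpt@yourdomain.example"))
```

Run against a real report directory by feeding each JSON file to triage() and passing your partners' sending IPs as known_senders; the flip only happens when ready_to_enforce() comes back True across the whole two-week window.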

Why bother

Without enforcement, an attacker positioned between a sender and your mail server can strip the encryption negotiation and read or alter mail in transit. That’s a downgrade attack. Enforce mode closes that. Testing mode just writes it down.

If your reports have been clean and you’ve been sitting in testing mode for months anyway, that’s not caution anymore. That’s a setting nobody remembered to change. Flip it.