Increase email security with MTA-STS and TLS reporting

1. Check your MTA-STS configuration

Increase email security with authentication and encryption

Before you set up MTA-STS for Gmail, check the current MTA-STS configuration for your Gmail domains. You can find out which domains do not have a configuration, or have an invalid configuration.

Check these configurations for your domains:

There are two ways to check your MTA-STS configuration in Google Workspace:

  • Check status and get suggested configurations in Gmail advanced settings: Check which domains have a valid MTA-STS configuration, and which have missing or invalid configurations. For missing or invalid configurations, we suggest valid configurations to use in your policy file and DNS TXT records.

    Recommended: If you’ve never used MTA-STS in your domain, we recommend this option so you can get valid configurations for your domain.

  • Check status only on the security health page: Check which domains have a valid MTA-STS configuration, or have an invalid or missing configuration. The security health MTA-STS page shows status only. It does not show suggested configurations.

    Important: To use this option, your Google Workspace edition must include security health. Learn more about the security health page and supported Google Workspace editions.

Check MTA-STS status and get suggested configurations

Important: Depending on your MTA-STS configuration, these steps might not show all configuration issues for the selected domain. After you fix any reported configuration issues, check the MTA-STS configuration again to verify all issues are resolved.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Compliance.
  3. Scroll to MTA-STS and click Validate your MTA-STS configuration here. The domains for your organization are displayed.
  4. To view the current MTA-STS configuration for a domain, click the domain name. The left column shows these current configurations for the domain:
    • MTA-STS DNS TXT record (_mta-sts)
    • MTA-STS policy file
    • TLS Reporting DNS TXT record (_smtp._tls)

    If there's an invalid configuration:

    • The left column has an error message describing the problem.
    • The right column has a suggested configuration.

    If there's a missing configuration:

    • The left column shows Not Configured.
    • The right column has a suggested configuration.
  5. To fix configuration issues:
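Added example, not part of the original help page and not Google's validator: the three items shown in step 4 can also be syntax-checked locally, with every problem listed at once. The function names are hypothetical, the rules are taken from RFC 8461 (MTA-STS) and RFC 8460 (TLS reporting), and the sample records are constructed; the code does not query DNS or fetch the policy over HTTPS.

```python
import re

# Constructed sample values for a hypothetical domain (example.com).
SAMPLE_STS = "v=STSv1; id=20240101T000000;"
SAMPLE_RPT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: *.mail.example.com\nmax_age: 86400\n"

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record into an ordered list of (key, value)."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    return [tuple(s.strip() for s in p.partition("=")[::2]) for p in pairs]

def check_sts_txt(txt):
    """Check the _mta-sts TXT record (RFC 8461, section 3.1)."""
    tags, errs = parse_tags(txt), []
    if not tags or tags[0] != ("v", "STSv1"):
        errs.append("first field must be v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", dict(tags).get("id", "")):
        errs.append("id must be 1-32 alphanumeric characters")
    return errs

def check_tlsrpt_txt(txt):
    """Check the _smtp._tls TXT record (RFC 8460, section 3)."""
    tags, errs = parse_tags(txt), []
    if not tags or tags[0] != ("v", "TLSRPTv1"):
        errs.append("first field must be v=TLSRPTv1")
    ruas = [u.strip() for u in dict(tags).get("rua", "").split(",") if u.strip()]
    if not ruas or not all(u.startswith(("mailto:", "https:")) for u in ruas):
        errs.append("rua must list mailto: or https: URIs")
    return errs

def check_policy(text):
    """Check the policy file body (RFC 8461, section 3.2)."""
    fields, mx, errs = {}, [], []
    for line in text.splitlines():  # accepts both CRLF and LF line endings
        key, sep, val = line.partition(":")
        if sep and key.strip() == "mx":
            mx.append(val.strip())  # mx may repeat, so collect every entry
        elif sep:
            fields[key.strip()] = val.strip()
    if fields.get("version") != "STSv1":
        errs.append("version must be STSv1")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        errs.append("mode must be enforce, testing or none")
    if not re.fullmatch(r"[0-9]{1,10}", fields.get("max_age", "")) or int(fields["max_age"]) > 31557600:
        errs.append("max_age must be an integer from 0 to 31557600")
    if mode != "none" and not any(mx):
        errs.append("at least one mx entry is required")
    return errs
```

Each function returns a list of problems; an empty list means the record or policy passed these syntax checks.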

Check MTA-STS status only

To complete these steps, you must be signed in as an administrator with an account that includes security health. Learn about admin privileges for the security center.

Important: The MTA-STS status check displays only one issue at a time for each domain, even if the domain has more than one issue. After you fix any issues, check the MTA-STS configuration again to verify all issues are resolved.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Security > Security Health > MTA-STS.
  3. The MTA-STS configuration status for your Google Workspace domains is in the Status column:
    • Correctly configured: All MTA-STS configurations for the specified domain are valid.
    • Configured for all domains: All domains in your organization have valid MTA-STS configurations.
    • Missing or misconfigured: One or more domains do not have an MTA-STS configuration, or have an invalid configuration.
  4. To check which domains have missing or invalid MTA-STS configurations, click the domains link in the status message.
  5. To fix configuration issues:

Next steps

Create an MTA-STS policy
