Before you set up MTA-STS for Gmail, check the current MTA-STS configuration for your Gmail domains. You can find out which domains do not have a configuration, or have an invalid configuration.
Check these configurations for your domains:
- MTA-STS DNS TXT record (_mta-sts)
- MTA-STS policy file
- TLS reporting DNS TXT record (_smtp._tls)
There are two ways to check your MTA-STS configuration in Google Workspace:
- Check status and get suggested configurations in Gmail advanced settings: Check which domains have a valid MTA-STS configuration, and which have missing or invalid configurations. For missing or invalid configurations, we suggest valid configurations to use in your policy file and DNS TXT records.
Recommended: If you’ve never used MTA-STS in your domain, we recommend this option so you can get valid configurations for your domain.
- Check status only on the security health page: Check which domains have a valid MTA-STS configuration, or have an invalid or missing configuration. The security health MTA-STS page shows status only. It does not show suggested configurations.
Important: To use this option, your Google Workspace edition must include security health. Learn more about the security health page and supported Google Workspace editions.
Check MTA-STS status and get suggested configurations
Important: Depending on your MTA-STS configuration, these steps might not show all configuration issues for the selected domain. After you fix any reported configuration issues, check the MTA-STS configuration again to verify all issues are resolved.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsGoogle WorkspaceGmailCompliance.
- Scroll to MTA-STS and click Validate your MTA-STS configuration here. The domains for your organization are displayed.
- To view the current MTA-STS configuration for a domain, click the domain name. The left column shows these current configurations for the domain:
- MTA-STS DNS TXT record (_mta-sts)
- MTA-STS policy file
- TLS Reporting DNS TXT record (_smtp._tls)
If there's an invalid configuration:
- The left column has an error message describing the problem.
- The right column has a suggested configuration.
If there's a missing configuration:
- The left column shows Not Configured.
- The right column has a suggested configuration.
- To fix configuration issues:
- DNS TXT records (_mta-sts and _smtp._tls): Follow the steps in Turn on MTA-STS and TLS reporting, using the suggested configuration in the right column.
- MTA-STS policy: Follow the steps in Create an MTA-STS policy, using the suggested configuration in the right column. Every time you change the MTA-STS policy, you must also:
Check MTA-STS status only
To complete these steps, you must be signed in as an administrator with an account that includes security health. Learn about admin privileges for the security center.
Important: The MTA-STS status check displays only one issue at a time for each domain, even if the domain has more than one issue. After you fix any issues, check the MTA-STS configuration again to verify all issues are resolved.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- Go to SecuritySecurity HealthMTA-STS.
- The MTA-STS configuration status for your Google Workspace domains is in the Status column:
- Correctly configured: All MTA-STS configurations for specified domain are valid.
- Configured for all domains: All domains in your organization have valid MTA-STS configurations.
- Missing or misconfigured: One or more domains do not have an MTA-STS configuration, or have an invalid configuration.
- To check which domains have a missing or invalid MTA-STS configurations, click the domains link in the status message.
- To fix configuration issues:
- DNS TXT records (_mta-sts and _smtp._tls): Add or update one or both DNS TXT records, following the steps in Turn on MTA-STS and TLS reporting.
- MTA-STS policy: Create or update the MTA-STS policy, following the steps in Create an MTA-STS policy. Every time you change the MTA-STS policy, you must also: