
DNS Record Explainer

Paste any DNS record and get a plain-English breakdown - every tag explained, risky settings flagged, related tools suggested. No domain needed.

paste_record
// detects SPF / DKIM / DMARC / BIMI / CAA / MX / MTA-STS / TLS-RPT / generic TXT. Paste the record value - no quotes needed.
[ OK ] Detected: MTA-STS
input
v=STSv1; id=20260417T000000;
[ explanation · ai ]
[ breakdown ]

This is an MTA-STS policy record (published in DNS as a TXT record at _mta-sts.<your-domain>; the policy itself is a separate file served over HTTPS). Here's what each part does:

v=STSv1 — Protocol version. Must be exactly "STSv1". Tells receiving mail servers this is a standards-compliant MTA-STS policy, not some custom variant.

id=20260417T000000 — Policy ID: 1 to 32 letters or digits (RFC 8461). The YYYYMMDDTHHmmss timestamp is a convention, not a requirement, and the ID does not expire; it is an opaque version marker for the policy. Senders cache your policy for max_age seconds; whenever they re-read this TXT record and see an ID different from the one they cached, they fetch the policy file again. Change the ID every time you change the policy file, otherwise senders keep using the stale rules until max_age runs out.
[ flags ]

Record is complete. The DNS TXT record carries only two fields, and both are present and valid:
v=STSv1 ✓
id=20260417T000000 ✓

mode, mx and max_age do not belong in this record. They go in the policy file, which must be served over HTTPS with a valid, publicly trusted certificate at https://mta-sts.<your-domain>/.well-known/mta-sts.txt. The DNS record only advertises that a policy exists and which version is current. Senders ignore unknown fields in the TXT record, so adding mode= here has no effect. The policy file needs:

version: STSv1
mode: enforce|testing|none, what senders do when a connection to your MX hosts does not meet the policy:
mode=enforce — Do not deliver unless the MX host matches an mx pattern and offers STARTTLS with a valid certificate; otherwise mail is deferred, retried, and eventually bounced.
mode=testing — Deliver anyway, but report violations (via TLS-RPT). Use this first to find broken MX hosts.
mode=none — No enforcement; used to retire a policy that senders may still have cached.
max_age: how many seconds senders may cache the policy (maximum 31557600, about one year).
mx: one line per MX host pattern; a wildcard such as *.example.net covers exactly one label.
[ context ]

MTA-STS protects inbound mail to your domain against downgrade and redirection. Without it, an attacker on the path can intercept your SMTP traffic and strip STARTTLS so the sending server falls back to plaintext, or spoof your MX records to route mail through a host they control; opportunistic STARTTLS accepts any certificate, so even a TLS connection is not authenticated. With a policy in enforce mode, a sending server that implements MTA-STS connects only to MX hosts matching the policy, over TLS with a valid certificate, and refuses to fall back to plaintext; in testing mode it delivers anyway but reports violations. One caveat: the TXT record itself can be spoofed or suppressed in DNS, so the protection applies once a sender has fetched your policy over HTTPS and cached it, which is why a long max_age matters.

This record matters if you care about mail confidentiality; Gmail, Yahoo, and other large providers check for it when sending to you, though it protects only mail from senders that implement MTA-STS. Roll out in testing mode with TLS-RPT first: in enforce mode, any MX host missing from the policy, lacking STARTTLS, or presenting an expired or mismatched certificate makes senders defer legitimate mail and eventually bounce it.
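Worked example, added here and not part of the dns-explainer tool or its AI output: a Python validator that applies the RFC 8461 rules described in the breakdown and flags sections to the pasted record, parses a constructed policy file, and lists MX hosts from DNS that the policy's mx patterns would not cover (the enforce-mode bounce scenario from the context section). The domains, policy bodies and MX host list are constructed sample data; `parse_sts_txt`, `parse_policy`, `mx_matches`, `uncovered_mx_hosts` and `report` are names chosen for this example.

```python
"""Added example (not dns-explainer code): RFC 8461 checks for an MTA-STS
DNS record and policy file. All sample data below is constructed."""
import re

# RFC 8461 3.1: sts-id is 1-32 letters/digits; the timestamp form is a convention only.
STS_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")
MODES = ("enforce", "testing", "none")
MAX_AGE_LIMIT = 31557600  # RFC 8461 3.2: max_age in seconds, at most about one year
# Hostname, optionally with a single leading wildcard label: *.example.com
MX_PATTERN_RE = re.compile(r"^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")


def parse_sts_txt(txt):
    """Parse the _mta-sts.<domain> TXT value into (fields, problems)."""
    fields, problems = {}, []
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    if not parts or parts[0] != "v=STSv1":
        problems.append("first field must be exactly v=STSv1")
    for part in parts:
        if "=" not in part:
            problems.append(f"malformed field {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        if key in fields:
            problems.append(f"duplicate field {key}")
        fields[key] = value  # unknown keys (e.g. mode=) are kept but not errors: senders ignore them
    sts_id = fields.get("id")
    if sts_id is None:
        problems.append("id= is required")
    elif not STS_ID_RE.match(sts_id):
        problems.append("id= must be 1-32 letters/digits")
    return fields, problems


def parse_policy(text):
    """Parse the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy, problems = {"mx": []}, []  # mx is a list because the key repeats
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            problems.append(f"malformed line {line!r}")
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        elif key in policy:
            problems.append(f"duplicate key {key}")
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in MODES:
        problems.append(f"mode must be one of {MODES}, got {mode!r}")
    max_age = policy.get("max_age")
    if max_age is None or not max_age.isdigit():
        problems.append("max_age must be a non-negative integer (seconds)")
    elif int(max_age) > MAX_AGE_LIMIT:
        problems.append(f"max_age {max_age} exceeds the {MAX_AGE_LIMIT}s maximum")
    if not policy["mx"] and mode != "none":
        problems.append("no mx lines: no MX host can match, so enforce mode blocks all delivery")
    for pat in policy["mx"]:
        if not MX_PATTERN_RE.match(pat):
            problems.append(f"bad mx pattern {pat!r} (wildcard only as the leftmost label)")
    return policy, problems


def mx_matches(hostname, pattern):
    """RFC 8461 4.1: exact case-insensitive match, or a *. wildcard that stands
    for exactly one leftmost label (*.a.example matches b.a.example, not c.b.a.example)."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pat.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pat[2:]
    return host == pat


def uncovered_mx_hosts(policy, mx_hosts):
    """MX hosts (as published in DNS) that no mx pattern covers; in enforce
    mode senders refuse these, so mail is deferred and eventually bounced."""
    return [h for h in mx_hosts if not any(mx_matches(h, p) for p in policy["mx"])]


# Constructed samples: the record from the page, a sound policy, a broken one.
PAGE_RECORD = "v=STSv1; id=20260417T000000;"
GOOD_POLICY = ("version: STSv1\nmode: enforce\nmax_age: 604800\n"
               "mx: mail1.example.com\nmx: *.backup.example.com\n")
BAD_POLICY = "version: STSv1\nmode: strict\nmax_age: 99999999\nmx: mail1.example.com\n"
DNS_MX_HOSTS = ["mail1.example.com", "mx2.backup.example.com", "relay.other-provider.net"]


def report(record, policy_text, mx_hosts):
    """Run every check and return the findings as a dict."""
    fields, record_problems = parse_sts_txt(record)
    policy, policy_problems = parse_policy(policy_text)
    return {"id": fields.get("id"), "record_problems": record_problems,
            "policy_problems": policy_problems,
            "uncovered_mx": uncovered_mx_hosts(policy, mx_hosts)}


if __name__ == "__main__":
    for name, policy_text in (("good policy", GOOD_POLICY), ("bad policy", BAD_POLICY)):
        print(name, report(PAGE_RECORD, policy_text, DNS_MX_HOSTS))
```

Running it against the page's record reports no record problems (only v= and id= are required there), no problems for the sound policy, and one uncovered MX host, relay.other-provider.net, which is exactly the host that would cause enforce-mode bounces; the broken policy is flagged for its invalid mode and oversized max_age. To use it on a real domain, feed `parse_sts_txt` the TXT value from `_mta-sts.<domain>`, `parse_policy` the body fetched from the HTTPS policy URL, and `uncovered_mx_hosts` the hostnames from the domain's MX records.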
[ related ]
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers - no analytics/telemetry on paste content.