DNS Record Explainer
Paste any DNS record and get a plain-English breakdown - every tag explained, risky settings flagged, related tools suggested. No domain needed.
[ OK ]
Detected: MTA-STS
input
v=STSv1; id=20260417T000000;
[ explanation · ai ]
[ breakdown ]
This is an MTA-STS policy record (published as a TXT record at _mta-sts.
• v=STSv1 — Protocol version. Must be exactly this string; only STSv1 exists today.
• id=20260417T000000 — Policy identifier. Timestamp format (YYYYMMDDThhmmss UTC). Used by receiving MTAs to cache-bust: when you change your policy, increment this ID so remote servers know to fetch the new version instead of using their cached copy. This one expires April 17, 2026.
[ flags ]
• Missing required fields. A valid MTA-STS TXT record must also include:
– mode=enforce|testing|none — Controls how strictly violations are handled (enforce = reject, testing = log only, none = policy disabled).
– max_age=seconds — How long receivers cache this policy (typically 604800 for 1 week, max 31536000 for 1 year).
• This fragment alone won't work. The record is incomplete.
• Valid example:
```
v=STSv1; id=20260417T000000; mode=testing; max_age=604800
```
Also required: a separate .well-known/mta-sts.txt file on your domain (over HTTPS) containing the actual policy rules (recipient domain blocks, TLS requirements, etc.). The TXT record just points to it.
[ context ]
MTA-STS prevents downgrade attacks on SMTP. Without it, an attacker can strip STARTTLS from the connection and force plaintext delivery. This TXT record tells other mail servers your domain has an MTA-STS policy and when it was last updated; they fetch the full policy from your HTTPS endpoint and enforce it (or test it, depending on mode). Missing mode= or max_age= means receivers can't interpret the record, so the policy won't activate at all.
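The cache-bust role of id and the caching behaviour described above, as an added example (not the tool's own code): a sketch of the sending-side decision, following the discovery rules in RFC 8461. The function names and the cache entry layout (`id`, `fetched_at`, `max_age`) are assumptions of this example, and only v and id are read from the TXT record.

```python
import re
import time

ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")  # id syntax per RFC 8461


def parse_sts_txt(record):
    """Return the id from one _mta-sts TXT record, or None if it is unusable."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0] != "v=STSv1":  # version must be the first field
        return None
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep and key.strip() == "id":  # this sketch reads only v and id
            value = value.strip()
            return value if ID_RE.match(value) else None
    return None


def discovery_action(txt_records, cached, now=None):
    """Decide what a sending MTA does next: 'fetch', 'use_cache' or 'no_policy'.

    cached is None or a dict with 'id', 'fetched_at' and 'max_age' (seconds).
    """
    now = time.time() if now is None else now
    fresh = cached is not None and now < cached["fetched_at"] + cached["max_age"]
    sts = [r for r in txt_records if r.strip().startswith("v=STSv1")]
    policy_id = parse_sts_txt(sts[0]) if len(sts) == 1 else None
    if policy_id is None:
        # Missing, duplicated or malformed record: a live cached policy is kept,
        # so blocking the DNS answer does not switch the policy off.
        return "use_cache" if fresh else "no_policy"
    if fresh and cached["id"] == policy_id:
        return "use_cache"
    return "fetch"  # new id, or the cached copy has expired


# Constructed sample: the record from this page and a cache entry with the same id
RECORD = "v=STSv1; id=20260417T000000;"
CACHED = {"id": "20260417T000000", "fetched_at": 1_000_000, "max_age": 604800}

if __name__ == "__main__":
    print(discovery_action([RECORD], None, now=1_000_100))    # fetch
    print(discovery_action([RECORD], CACHED, now=1_000_100))  # use_cache
    print(discovery_action([], CACHED, now=1_000_100))        # use_cache
```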
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers - no analytics/telemetry on paste content.