Before you set up MTA-STS for Gmail, check the current MTA-STS configuration for your Gmail domains. You can find out which domains do not have a configuration, or have an invalid configuration.
Check these configurations for your domains:
- MTA-STS DNS TXT record (_mta-sts)
- MTA-STS policy file
- TLS reporting DNS TXT record (_smtp._tls)
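The following Python code is an added example, not Google's code and not part of the original page. It validates the text of the three configurations listed above against the core syntax rules of RFC 8461 (MTA-STS) and RFC 8460 (TLS reporting). The function names and the example.com sample values are constructed for illustration, and it works on strings you have already retrieved, so it runs offline.

```python
import re
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds

def _fields(record):  # split "k=v; k=v" TXT text into a dict
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def check_sts_txt(record):
    """Problems in the _mta-sts TXT record (empty list means valid)."""
    errs = [] if re.match(r"v=STSv1\s*(;|$)", record) else ["must start with v=STSv1"]
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", _fields(record).get("id", "")):
        errs.append("id must be 1-32 letters or digits")
    return errs

def check_tlsrpt_txt(record):
    """Problems in the _smtp._tls TXT record."""
    errs = [] if re.match(r"v=TLSRPTv1\s*(;|$)", record) else ["must start with v=TLSRPTv1"]
    uris = [u.strip() for u in _fields(record).get("rua", "").split(",")]
    if not all(u.startswith(("mailto:", "https://")) for u in uris):
        errs.append("rua needs mailto: or https:// URIs")
    return errs

def check_policy(text):
    """Problems in the policy file body."""
    kv, mx, errs = {}, [], []
    for line in text.splitlines():
        key, sep, val = (s.strip() for s in line.partition(":"))
        if sep and key == "mx":
            mx.append(val)  # mx may repeat, so collect every entry
        elif sep:
            kv[key] = val
    if kv.get("version") != "STSv1":
        errs.append("version must be STSv1")
    if kv.get("mode") not in ("enforce", "testing", "none"):
        errs.append("mode must be enforce, testing or none")
    if not re.fullmatch(r"[0-9]+", kv.get("max_age", "")) or int(kv["max_age"]) > MAX_AGE_LIMIT:
        errs.append("max_age must be an integer up to 31557600")
    if kv.get("mode") != "none" and not mx:
        errs.append("at least one mx entry is required")
    return errs

def check_domain(sts_txt, policy, tlsrpt_txt):
    """Per configuration: 'Valid', 'Not Configured', or a list of problems."""
    checks = (("_mta-sts", check_sts_txt, sts_txt), ("policy file", check_policy, policy),
              ("_smtp._tls", check_tlsrpt_txt, tlsrpt_txt))
    return {n: (fn(v.strip()) or "Valid") if v else "Not Configured" for n, fn, v in checks}

# Constructed sample values for example.com, not real lookups.
SAMPLE = check_domain("v=STSv1; id=20240101T000000",
                      "version: STSv1\nmode: enforced\nmx: mail.example.com\nmax_age: 86400", None)
```

In the constructed sample the policy file uses `mode: enforced`, which is not one of the three allowed modes, and the TLS reporting record is absent, so `SAMPLE` reports one invalid and one missing configuration.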
There are two ways to check your MTA-STS configuration in Google Workspace:
- Check status and get suggested configurations in Gmail advanced settings: Check which domains have a valid MTA-STS configuration, and which have missing or invalid configurations. For missing or invalid configurations, we suggest valid configurations to use in your policy file and DNS TXT records.
Recommended: If you’ve never used MTA-STS in your domain, we recommend this option so you can get valid configurations for your domain.
- Check status only on the security health page: Check which domains have a valid MTA-STS configuration, or have an invalid or missing configuration. The security health MTA-STS page shows status only. It does not show suggested configurations.
Important: To use this option, your Google Workspace edition must include security health. Learn more about the security health page and supported Google Workspace editions.
Check MTA-STS status and get suggested configurations
Important: Depending on your MTA-STS configuration, these steps might not show all configuration issues for the selected domain. After you fix any reported configuration issues, check the MTA-STS configuration again to verify all issues are resolved.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Apps > Google Workspace > Gmail > Compliance.
Requires having the Gmail Settings administrator privilege.
- Scroll to MTA-STS and click Validate your MTA-STS configuration here. The domains for your organization are displayed.
- To view the current MTA-STS configuration for a domain, click the domain name. The left column shows these current configurations for the domain:
- MTA-STS DNS TXT record (_mta-sts)
- MTA-STS policy file
- TLS Reporting DNS TXT record (_smtp._tls)
If there's an invalid configuration:
- The left column has an error message describing the problem.
- The right column has a suggested configuration.
If there's a missing configuration:
- The left column shows Not Configured.
- The right column has a suggested configuration.
- To fix configuration issues:
- DNS TXT records (_mta-sts and _smtp._tls): Follow the steps in Turn on MTA-STS and TLS reporting, using the suggested configuration in the right column.
- MTA-STS policy: Follow the steps in Create an MTA-STS policy, using the suggested configuration in the right column. Every time you change the MTA-STS policy, you must also:
Check MTA-STS status only
To complete these steps, you must be signed in as an administrator with an account that includes security health. Learn about admin privileges for the security center.
Important: The MTA-STS status check displays only one issue at a time for each domain, even if the domain has more than one issue. After you fix any issues, check the MTA-STS configuration again to verify all issues are resolved.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Security > Security Health > MTA-STS.
- The MTA-STS configuration status for your Google Workspace domains is in the Status column:
- Correctly configured: All MTA-STS configurations for the specified domain are valid.
- Configured for all domains: All domains in your organization have valid MTA-STS configurations.
- Missing or misconfigured: One or more domains do not have an MTA-STS configuration, or have an invalid configuration.
- To check which domains have a missing or invalid MTA-STS configuration, click the domains link in the status message.
- To fix configuration issues:
- DNS TXT records (_mta-sts and _smtp._tls): Add or update one or both DNS TXT records, following the steps in Turn on MTA-STS and TLS reporting.
- MTA-STS policy: Create or update the MTA-STS policy, following the steps in Create an MTA-STS policy. Every time you change the MTA-STS policy, you must also: