# MTA-STS API
> Inspect a domain's SMTP transport-security posture — whether mail servers are required to deliver inbound mail over authenticated TLS, protecting it from downgrade and man-in-the-middle attacks. Pass a domain and the service fetches the MTA-STS policy file from mta-sts.<domain>/.well-known/mta-sts.txt (its version, mode, the permitted MX hosts and max_age), the _mta-sts DNS TXT record (its policy id) and the _smtp._tls TLS-RPT record (the rua reporting address), then reports whether MTA-STS is actually enforced and a prioritised list of issues — no policy file, no DNS record, a mode of only "testing", or a missing TLS-RPT record. A second endpoint returns just the parsed policy file. The request is made server-side and private/internal targets are refused (SSRF-guarded). Built for email-deliverability and anti-downgrade-attack audits, vendor and third-party assessment, and compliance. An MTA-STS / TLS-RPT checker — the SMTP transport-security counterpart to the email-authentication analyzer (emailsec, which covers SPF, DKIM and DMARC), and distinct from raw DNS lookup (dns). No upstream key, no cache.

## Authentication
All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys.

```bash
curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/mtasts-api/..."
```

## Pricing
- **Free** (Free) — 2,180 calls/Mo, 2 req/s
- **Starter** ($6/Mo) — 42,500 calls/Mo, 8 req/s
- **Pro** ($21/Mo) — 222,000 calls/Mo, 20 req/s
- **Mega** ($54/Mo) — 835,000 calls/Mo, 50 req/s

## Endpoints

### MTA-STS

#### `GET /v1/check` — MTA-STS + TLS-RPT posture

**Parameters:**
- `domain` (query, required, string) — Domain to inspect. Example: `google.com`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/mtasts-api/v1/check?domain=google.com"
```

**Response:**
```json
{
    "data": {
        "domain": "google.com",
        "issues": [],
        "policy": {
            "mx": [
                "smtp.google.com",
                "aspmx.l.google.com",
                "*.aspmx.l.google.com"
            ],
            "url": "https://mta-sts.google.com/.well-known/mta-sts.txt",
            "mode": "enforce",
            "found": true,
            "valid": true,
            "max_age": 86400,
            "version": "STSv1"
        },
        "tls_rpt": {
            "rua": [
                "mailto:sts-reports@google.com"
            ],
            "found": true,
            "record": "v=TLSRPTv1;rua=mailto:sts-reports@google.com"
        },
        "enforced": true,
        "sts_record": {
            "id": "20210803T010101",
            "found": true,
            "record": "v=STSv1; id=20210803T010101;"
        }
    },
    "meta": {
        "timestamp": "2026-06-01T23:40:44.479Z",
        "request_id": "c95d7830-cf6d-4850-93cb-80a5721267db"
    },
    "status": "ok",
    "message": "MTA-STS checked",
    "success": true
}
```
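How the three artifacts behind this response (policy file, `_mta-sts` TXT, `_smtp._tls` TXT) can be parsed and combined into an `enforced` flag and an issue list, as an added example that is not the service's own code. The function names, issue strings, validity rule, definition of "enforced" and sample inputs are assumptions made for illustration.

```python
# Added example, not the service's implementation. Sample inputs are constructed.
VALID_MODES = {"enforce", "testing", "none"}

def parse_policy(text):
    """Parse an mta-sts.txt body: 'key: value' lines, where 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():  # splitlines() also handles CRLF endings
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy[key] = int(value) if value.isdigit() else None
        else:
            policy[key] = value
    # Assumed validity rule: known version and mode, numeric max_age,
    # and at least one mx pattern unless the mode is "none".
    policy["valid"] = bool(policy.get("version") == "STSv1"
                           and policy.get("mode") in VALID_MODES
                           and policy.get("max_age") is not None
                           and (policy["mx"] or policy["mode"] == "none"))
    return policy

def parse_txt(record):
    """Split a 'v=...; k=v;' TXT record (STSv1 or TLSRPTv1) into a dict."""
    pairs = (f.split("=", 1) for f in record.split(";") if "=" in f)
    return {k.strip(): v.strip() for k, v in pairs}

def evaluate(policy_text, sts_txt, tlsrpt_txt):
    """Return (enforced, issues). Pass None for an artifact that is absent."""
    policy = parse_policy(policy_text) if policy_text else None
    sts = parse_txt(sts_txt) if sts_txt else {}
    rpt = parse_txt(tlsrpt_txt) if tlsrpt_txt else {}
    usable = bool(policy and policy["valid"])
    has_sts = bool(sts.get("v") == "STSv1" and sts.get("id"))
    issues = []
    if policy is None:
        issues.append("no policy file")
    elif not usable:
        issues.append("policy file invalid")
    if not has_sts:
        issues.append("no _mta-sts DNS record")
    if usable and policy["mode"] != "enforce":
        issues.append(f"mode is only '{policy['mode']}'")
    if rpt.get("v") != "TLSRPTv1" or not rpt.get("rua"):
        issues.append("missing TLS-RPT record")
    # Assumption: enforcement needs both the policy and the DNS record.
    return usable and policy["mode"] == "enforce" and has_sts, issues
```

A policy in `testing` mode with no TLS-RPT record is the combination to watch for: failures are neither blocked nor reported, so the domain gets no signal that delivery is being downgraded.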

#### `GET /v1/policy` — Parsed MTA-STS policy file

**Parameters:**
- `domain` (query, required, string) — Domain to inspect. Example: `microsoft.com`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/mtasts-api/v1/policy?domain=microsoft.com"
```

**Response:**
```json
{
    "data": {
        "mx": [
            "*.mail.protection.outlook.com"
        ],
        "url": "https://mta-sts.microsoft.com/.well-known/mta-sts.txt",
        "mode": "enforce",
        "found": true,
        "domain": "microsoft.com",
        "max_age": 604800,
        "version": "STSv1"
    },
    "meta": {
        "timestamp": "2026-06-01T23:40:44.675Z",
        "request_id": "93b6c1a0-8174-4bc6-b1a9-a890be526bb6"
    },
    "status": "ok",
    "message": "Policy retrieved",
    "success": true
}
```

### Meta

#### `GET /v1/meta` — Checks & policy modes

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/mtasts-api/v1/meta"
```

**Response:**
```json
{
    "data": {
        "note": "Inspect a domain's SMTP transport-security posture — whether mail servers are required to deliver inbound mail over authenticated TLS. /v1/check?domain=google.com fetches the MTA-STS policy file from mta-sts.<domain>/.well-known/mta-sts.txt (version, mode, the permitted MX hosts and max_age), the _mta-sts DNS TXT record (its policy id) and the _smtp._tls TLS-RPT record (the rua reporting address), then reports whether MTA-STS is actually enforced and a prioritised list of issues (no policy, no DNS record, mode only 'testing', missing TLS-RPT). /v1/policy returns just the parsed policy file. The request is made server-side and private/internal targets are refused (SSRF-guarded). Ideal for email-deliverability and anti-downgrade-attack audits, vendor assessment and compliance. An MTA-STS / TLS-RPT checker — the SMTP transport-security counterpart to the email-authentication analyzer (emailsec, which covers SPF/DKIM/DMARC), and distinct from raw DNS lookup (dns). No key, no cache.",
        "modes": [
            "enforce",
            "testing",
            "none"
        ],
        "checks": [
            "MTA-STS policy file (mta-sts.<domain>/.well-known/mta-sts.txt)",
            "_mta-sts DNS TXT",
            "_smtp._tls TLS-RPT DNS TXT"
        ],
        "endpoints": [
            "/v1/check",
            "/v1/policy",
            "/v1/meta"
        ]
    },
    "meta": {
        "timestamp": "2026-06-01T23:40:44.772Z",
        "reque
…(truncated, see openapi.json for full schema)
```


---
Marketplace page: https://www.oanor.com/api/mtasts-api
OpenAPI spec: https://www.oanor.com/api/mtasts-api/openapi.json
