# MTA-STS API > Inspect a domain's SMTP transport-security posture — whether mail servers are required to deliver inbound mail over authenticated TLS, protecting it from downgrade and man-in-the-middle attacks. Pass a domain and the service fetches the MTA-STS policy file from mta-sts./.well-known/mta-sts.txt (its version, mode, the permitted MX hosts and max_age), the _mta-sts DNS TXT record (its policy id) and the _smtp._tls TLS-RPT record (the rua reporting address), then reports whether MTA-STS is actually enforced and a prioritised list of issues — no policy file, no DNS record, a mode of only "testing", or a missing TLS-RPT record. A second endpoint returns just the parsed policy file. The request is made server-side and private/internal targets are refused (SSRF-guarded). Built for email-deliverability and anti-downgrade-attack audits, vendor and third-party assessment, and compliance. An MTA-STS / TLS-RPT checker — the SMTP transport-security counterpart to the email-authentication analyzer (emailsec, which covers SPF, DKIM and DMARC), and distinct from raw DNS lookup (dns). No upstream key, no cache. ## Authentication All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys. ```bash curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/mtasts-api/..." ``` ## Pricing - **Free** (Free) — 2,180 calls/Mo, 2 req/s - **Starter** ($6/Mo) — 42,500 calls/Mo, 8 req/s - **Pro** ($21/Mo) — 222,000 calls/Mo, 20 req/s - **Mega** ($54/Mo) — 835,000 calls/Mo, 50 req/s ## Endpoints ### MTA-STS #### `GET /v1/check` — MTA-STS + TLS-RPT posture **Parameters:** - `domain` (query, required, string) — Domain to inspect Example: `google.com` **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/mtasts-api/v1/check?domain=google.com" ``` #### `GET /v1/policy` — Parsed MTA-STS policy file **Parameters:** - `domain` (query, required, string) — Domain to inspect Example: `microsoft.com` **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/mtasts-api/v1/policy?domain=microsoft.com" ``` ### Meta #### `GET /v1/meta` — Checks & policy modes **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/mtasts-api/v1/meta" ``` --- Marketplace page: https://www.oanor.com/api/mtasts-api OpenAPI spec: https://www.oanor.com/api/mtasts-api/openapi.json