What is this
MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending mail servers that support it to require TLS when delivering mail to your domain. It consists of a TXT record at _mta-sts.<domain> plus a policy file served over HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt.
Why it matters
Without MTA-STS, a man-in-the-middle can downgrade the connection to plaintext (STARTTLS on its own is opportunistic) and read or alter mail. MTA-STS closes that downgrade path.
How to fix it
TransIP: Create the subdomain mta-sts.yourdomain.com, host a static site there and serve the policy file at /.well-known/mta-sts.txt over HTTPS. Add a TXT record in DNS at _mta-sts with the value v=STSv1; id=20260427T000000Z.
Cloudflare: Use Cloudflare Pages or a Worker to serve https://mta-sts.<domain>/.well-known/mta-sts.txt. Add the _mta-sts TXT record under DNS.
Strato or Antagonist: Spin up a basic hosting package on mta-sts.<domain> and upload .well-known/mta-sts.txt containing, one field per line: version: STSv1, mode: enforce, mx: <your-mx>, max_age: 604800. Add the TXT record in DNS.
Other: Host the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt with valid TLS, then place the TXT record at _mta-sts.<domain>.
Verify
Run dig TXT _mta-sts.yourdomain.com +short and curl https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. Confirm the TXT record is returned, and that the policy file is reachable over HTTPS and contains mode: enforce.
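As an added example that is not part of this page, a small Python checker that parses what the two commands above return and reports anything that would make the policy ineffective (wrong version, a non-enforce mode, no mx hosts, a bad max_age). The example.com hostnames and the sample record and policy are constructed placeholders.

```python
import re

# Constructed sample inputs: what dig and curl from the Verify section would
# return for a correctly configured domain (example.com is a placeholder).
SAMPLE_TXT = '"v=STSv1; id=20260427T000000Z"'
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 604800\n"""

def parse_txt_record(record: str) -> dict:
    """Parse 'v=STSv1; id=...' (dig prints it quoted) into a key/value dict."""
    fields = {}
    for part in record.strip().strip('"').split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key] = value.strip()
    return fields

def parse_policy(text: str) -> dict:
    """Parse the 'key: value' policy body; mx may repeat, so it becomes a list."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def check_mta_sts(txt_record: str, policy_text: str) -> list:
    """Return a list of problems; an empty list means the setup looks correct."""
    problems = []
    txt = parse_txt_record(txt_record)
    if txt.get("v") != "STSv1":
        problems.append("TXT record must contain v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", txt.get("id", "")):
        problems.append("TXT id must be 1 to 32 alphanumeric characters")
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    mode = policy.get("mode")
    if mode != "enforce":
        problems.append(f"mode is {mode!r}, not enforce: senders may still fall back to plaintext")
    if mode != "none" and not policy["mx"]:
        problems.append("policy lists no mx hosts")
    age = policy.get("max_age", "")  # seconds; RFC 8461 caps it at 31557600 (one year)
    if not age.isdigit() or not 1 <= int(age) <= 31557600:
        problems.append("max_age must be a whole number of seconds, at most 31557600")
    return problems
```

Bump the id in the TXT record every time the policy file changes, otherwise senders keep using the cached policy until max_age expires.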