Cloudflare Worker

Mail Check Gap Filler Worker

A one-click deployable Cloudflare Worker that provides MTA-STS policy hosting and TLS-RPT report collection—filling the email confidentiality gaps left by NCSC Mail Check.

MTA-STS Hosting

Serve your MTA-STS policy file at the edge with automatic HTTPS and high availability.

TLS-RPT Dashboard

Visualise your email encryption rate over time with a Mail Check-style dashboard.

5-Minute Setup

Deploy with one click and configure your DNS records. No coding required.

What This Worker Provides

MTA-STS Policy Hosting

MTA-STS (RFC 8461) allows domain owners to declare that TLS is mandatory for all incoming email, preventing man-in-the-middle attacks and SMTP downgrade attempts.

  • Serves mta-sts.txt at the required /.well-known/ path
  • Configurable policy mode: testing, enforce, or none
  • Automatic HTTPS via Cloudflare (mandatory for MTA-STS)
  • Global availability on Cloudflare's edge network

TLS-RPT Report Collection

TLS-RPT (RFC 8460) enables senders to report on TLS connection successes and failures, giving you visibility into email encryption—just like Mail Check did.

  • Ingests JSON reports from major email providers
  • Stores data in Cloudflare D1 for historical analysis
  • Visual dashboard showing encryption percentage over time
  • Breakdown by sending organisation and failure type
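How the encryption percentage and the per-organisation and per-failure-type breakdowns can be derived from RFC 8460 reports, as an added example that is not the Worker's own code. The helper `summariseReports` is hypothetical and the sample reports are constructed; only the JSON field names come from RFC 8460.

```javascript
// Constructed sample reports in the RFC 8460 JSON layout (not real data).
const SAMPLE_REPORTS = [
  { "organization-name": "Example Mail A", "report-id": "constructed-0001",
    "policies": [{
      "policy": { "policy-type": "sts", "policy-domain": "yourdomain.gov.uk" },
      "summary": { "total-successful-session-count": 980, "total-failure-session-count": 20 },
      "failure-details": [
        { "result-type": "certificate-expired", "failed-session-count": 15 },
        { "result-type": "starttls-not-supported", "failed-session-count": 5 }
      ] }] },
  { "organization-name": "Example Mail B", "report-id": "constructed-0002",
    "policies": [{
      "policy": { "policy-type": "sts", "policy-domain": "yourdomain.gov.uk" },
      "summary": { "total-successful-session-count": 500, "total-failure-session-count": 0 } }] },
  // Malformed on purpose: no policies array, so it must contribute nothing.
  { "organization-name": "Example Mail C", "report-id": "constructed-0003" }
];

// Reports are untrusted input: anything but a non-negative integer counts as 0.
const count = (v) => (Number.isInteger(v) && v >= 0 ? v : 0);
// Percentage to one decimal place, or null when no sessions were reported.
const pct = (ok, fail) => (ok + fail === 0 ? null : Math.round((ok / (ok + fail)) * 1000) / 10);
const list = (v) => (Array.isArray(v) ? v : []);

// Hypothetical helper: aggregates parsed reports into dashboard figures.
function summariseReports(reports) {
  const byOrg = new Map();          // Map, not {}, so odd names cannot hit Object.prototype
  const byFailureType = new Map();
  let ok = 0, fail = 0;
  for (const report of list(reports)) {
    if (!report || typeof report !== "object") continue;
    const org = String(report["organization-name"] || "(unknown)");
    const o = byOrg.get(org) || { ok: 0, fail: 0, encryptedPct: null };
    for (const p of list(report.policies)) {
      const s = (p && p.summary) || {};
      o.ok += count(s["total-successful-session-count"]);
      o.fail += count(s["total-failure-session-count"]);
      for (const d of list(p && p["failure-details"])) {
        const type = String((d && d["result-type"]) || "unknown");
        byFailureType.set(type, (byFailureType.get(type) || 0) + count(d && d["failed-session-count"]));
      }
    }
    o.encryptedPct = pct(o.ok, o.fail);
    byOrg.set(org, o);
  }
  for (const o of byOrg.values()) { ok += o.ok; fail += o.fail; }
  return { ok, fail, encryptedPct: pct(ok, fail), byOrg, byFailureType };
}

console.log(summariseReports(SAMPLE_REPORTS));
```

A sender that reports zero sessions gets `null` rather than 0% or 100%, so an empty or malformed report cannot skew the chart.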

Deployment Guide

1. Deploy the Worker

Click the "Deploy to Cloudflare" button above. This will create the Worker, D1 database, and KV namespace in your Cloudflare account.

Resources created:

  • Worker: mail-check-worker
  • D1 Database: tls-reports
  • KV Namespace: MTA_STS_CONFIG

2. Add Custom Domain Route

In your Cloudflare dashboard, add a route for mta-sts.yourdomain.gov.uk/* pointing to the Worker.

3. Configure DNS Records

Add the following DNS records to enable MTA-STS and TLS-RPT:

MTA-STS Subdomain (A Record)

mta-sts.yourdomain.gov.uk → 192.0.2.1 (proxied)

The Worker will handle requests to this subdomain

MTA-STS Policy Signal (TXT Record)

_mta-sts.yourdomain.gov.uk TXT "v=STSv1; id=202602131200"

Update the ID when you change your policy

TLS-RPT Reporting Address (TXT Record)

_smtp._tls.yourdomain.gov.uk TXT "v=TLSRPTv1; rua=https://yourdomain.gov.uk/tls-rpt/report"

Points senders to your Worker's report ingestion endpoint

4. Configure Your Policy

Access the admin dashboard at /admin to configure your MTA-STS policy mode, MX hosts, and max age.

Recommendation: Start with mode: testing for 2-4 weeks to monitor for issues before switching to mode: enforce.

Requirements

Cloudflare Account

  • Free plan or higher
  • Domain added to Cloudflare (proxied)
  • Workers & D1 enabled (included in free plan)

DNS Access

  • Ability to add TXT records
  • Ability to add subdomain (mta-sts)
  • Knowledge of your MX hosts

Ready to Deploy?

Get MTA-STS and TLS-RPT monitoring running in your Cloudflare account in under 5 minutes.