Is your mail forced
over TLS?

Email between servers is encrypted opportunistically — if a connection can't negotiate TLS, it falls back to plaintext. An attacker in the network path can force that downgrade and read your mail. MTA-STS lets your domain publish 'always require TLS for my mail', closing the downgrade hole.

The _mta-sts TXT record (the signal that a policy exists and its version id), the policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt (the actual rules: mode, allowed MX hosts, max_age), and the _smtp._tls TXT record (TLS-RPT — where failure reports go).

Browsers enforce CORS, and mail-policy hosts have no reason to send CORS headers — sending mail servers aren't browsers and don't care. When the fetch is blocked we say so honestly and give you the direct URL to open yourself; a blocked fetch tells you nothing about whether the policy works for real senders.

mode: testing, together with TLS-RPT. Testing mode tells senders to evaluate your policy and report failures without bouncing anything. After a couple of clean weeks of TLS reports, switch to mode: enforce.

Indirectly. It protects mail coming TO your domain, so it doesn't change your sending reputation directly — but Gmail publishes and honors it, security-conscious receivers notice it, and a domain with complete mail security posture (SPF, DKIM, DMARC, MTA-STS) reads as a serious operator, not a burner.