Understand MTA‑STS (Strict Transport Security for SMTP)

A practical, in‑depth guide to deploying Mail Transfer Agent Strict Transport Security with clear examples, validation steps, and reporting.

MTA‑STS (RFC 8461) lets domain owners require TLS for SMTP delivery and pin the MX hosts that are allowed to receive mail. It prevents STARTTLS downgrade and MX redirection attacks that could expose messages in transit.

How MTA‑STS Works

  • Policy DNS TXT: _mta-sts.example.com"v=STSv1; id=20250101" advertises the current policy version.
  • Policy file over HTTPS: https://mta-sts.example.com/.well-known/mta-sts.txt contains allowed MX hosts and the mode.
  • Sending MTA behavior: Cache the policy by max_age, require TLS, and only deliver to matching MX when in enforce mode.

Policy File Format

Serve plain text over HTTPS with a valid certificate for mta-sts.example.com:

version: STSv1 mode: none|testing|enforce mx: mx1.example.com mx: *.mail.example.net max_age: 86400 # seconds (e.g., 1 day; many deploy 604800 or higher)
  • version: Always STSv1.
  • mode: none (advertise policy without enforcement), testing (no delivery enforcement; facilitates reporting), or enforce (TLS + MX pinning required).
  • mx: One or more entries; exact hostnames or wildcard patterns.
  • max_age: Seconds to cache the policy (commonly 604800 = 7 days).

DNS Records

Create a TXT at _mta-sts.example.com and update id whenever the policy file changes:

_mta-sts.example.com. 3600 IN TXT "v=STSv1; id=20250101"

Enable SMTP TLS Reporting (RFC 8460) to get failure reports:

_smtp._tls.example.com. 3600 IN TXT "v=TLSRPTv1; rua=mailto:[email protected]"

Rollout Plan (Recommended)

  1. Inventory MX: List all inbound MX hostnames actually used.
  2. Host policy file: Serve /.well-known/mta-sts.txt on mta-sts.example.com via HTTPS.
  3. Publish DNS TXT: _mta-sts.example.com with v=STSv1; id=<date>.
  4. Start in testing: mode: testing to verify without risking delivery.
  5. Monitor reports: Add TLSRPT to receive JSON reports at rua.
  6. Enforce: Switch to mode: enforce after validating MX coverage and TLS readiness.

Example Policies

Testing mode (soft launch)

version: STSv1 mode: testing mx: mx1.example.com mx: mx2.example.com max_age: 604800

Enforce with wildcard MX

version: STSv1 mode: enforce mx: *.mx.mail.example.com max_age: 1209600

Validation & Troubleshooting

  • Fetch policy: curl -s https://mta-sts.example.com/.well-known/mta-sts.txt
  • Check DNS: dig TXT _mta-sts.example.com +short
  • Verify TLS on MX: openssl s_client -starttls smtp -connect mx1.example.com:25 -servername mx1.example.com

Common issues: policy served over HTTP or with an invalid certificate, missing MX entries, out‑of‑date DNS id, or overly short max_age causing frequent refetches.

Operational Tips

  • Automate policy generation and bump id on change (e.g., date stamp).
  • Keep the policy host isolated; only serve the policy file from mta-sts.example.com.
  • Set a practical max_age (7–14 days) and plan for emergency rollbacks by updating the policy and DNS id.
  • Pair with TLSRPT to detect failures in the wild and tune before enforcing.

Sources & Further Reading

Was this page helpful? Send us feedback

← Back to Home Check Your Domain