security
June 2026

How do I host the MTA-STS policy file at .well-known?

Create an mta-sts.yourdomain subdomain on HTTPS with a publicly trusted certificate, and serve the policy text file at https://mta-sts.yourdomain/.well-known/mta-sts.txt as text/plain. Then publish the matching _mta-sts TXT record. A sender that finds the TXT record but cannot fetch a valid policy file over HTTPS treats the domain as if it had no MTA-STS policy at all.

Detailed Answer

MTA-STS (RFC 8461) is the email equivalent of HSTS: it tells sending servers to require valid TLS when delivering to your MX hosts, defeating STARTTLS stripping and, because the policy also names the permitted MX hosts, MX spoofing via unauthenticated DNS. The part that trips people up is not the DNS: MTA-STS needs an HTTPS-hosted policy file, and that file must be served correctly or the whole policy is silently ignored.

MTA-STS has two halves that must agree

  1. A DNS TXT record at _mta-sts.yourdomain containing a version and an id.
  2. An HTTPS-served policy file at a fixed, well-known URL.

A sender first looks up the TXT record, then fetches the policy file over HTTPS, validating the certificate against the mta-sts hostname. If the file is unreachable, served on a bad certificate, or at the wrong path, and the sender holds no non-expired cached policy for your domain, it treats the domain as having no MTA-STS at all. If it does hold a cached policy, it keeps using that one until max_age runs out.

The exact hosting requirements

Subdomain. The policy must live on the mta-sts subdomain — point mta-sts.yourdomain (A/AAAA or CNAME) at a web server or static host.

Exact URL. It must be served directly at https://mta-sts.example.com/.well-known/mta-sts.txt. RFC 8461 forbids senders from following HTTP redirects, so a 301 or 302 to another host or path counts as a failed fetch.

Valid, publicly trusted certificate for mta-sts.example.com. A certificate valid for www.example.com but not for the mta-sts host fails every fetch; this is one of the most common causes of broken MTA-STS deployments. Let's Encrypt works fine. Self-signed, expired, or wrong-hostname certificates all mean the policy is ignored.

Content-Type text/plain. Some static hosts serve .txt as application/octet-stream; set it to text/plain.

HTTPS only. The fetch must succeed over HTTPS; the point of MTA-STS is authenticated transport.
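To check the hosting requirements above the way a sending MTA does, here is an added example (not code from the original page or from IntoDNS.ai) that fetches the policy over HTTPS with certificate verification, refuses redirects, and validates the status and Content-Type. The domain names and the constructed responses in the usage section are illustrative; the real fetch needs network access, while check_policy_response works on any captured response.

```python
"""Validate an MTA-STS policy fetch as a sender would (RFC 8461 section 3.3).

Added example, not the page's or IntoDNS.ai's own code. Checks: HTTPS with a
certificate trusted by the default SSL context and valid for the mta-sts
host, no HTTP redirects, HTTP 200, Content-Type text/plain, and a body that
carries a 'version: STSv1' line.
"""
import ssl
import urllib.error
import urllib.request

POLICY_PATH = "/.well-known/mta-sts.txt"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """RFC 8461 forbids following 3xx redirects; returning None makes urllib
    raise HTTPError for the 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_policy_response(status, headers, body):
    """Return a list of problems with a captured HTTPS response.

    headers: dict of response headers (looked up case-insensitively).
    body: raw response bytes. An empty list means a compliant sender
    would accept the response.
    """
    problems = []
    if 300 <= status < 400:
        problems.append(f"HTTP {status} redirect: senders do not follow redirects")
    elif status != 200:
        problems.append(f"HTTP {status}: policy not served")
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    media_type = ctype.split(";", 1)[0].strip().lower()
    if media_type != "text/plain":
        problems.append(f"Content-Type is {ctype!r}, must be text/plain")
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        problems.append("body is not plain ASCII text")
        return problems
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n")]
    has_version = any(
        ln.split(":", 1)[0].strip() == "version" and ln.split(":", 1)[1].strip() == "STSv1"
        for ln in lines if ":" in ln
    )
    if not has_version:
        problems.append("body has no 'version: STSv1' line")
    return problems


def fetch_policy(domain, timeout=10):
    """Fetch https://mta-sts.<domain>/.well-known/mta-sts.txt like a sender.

    Certificate chain, hostname and expiry are verified by the default SSL
    context; a TLS or DNS failure surfaces as a URLError. Returns
    (problems, body_text). Requires network access.
    """
    url = f"https://mta-sts.{domain}{POLICY_PATH}"
    ctx = ssl.create_default_context()  # trusted chain + hostname check
    opener = urllib.request.build_opener(
        NoRedirect, urllib.request.HTTPSHandler(context=ctx)
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, headers, body = resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:  # non-2xx, including refused redirects
        status, headers, body = e.code, dict(e.headers), e.read()
    except urllib.error.URLError as e:   # DNS, TCP or TLS failure
        return [f"fetch failed: {e.reason}"], ""
    return check_policy_response(status, headers, body), body.decode("ascii", "replace")


if __name__ == "__main__":
    # Constructed responses, not captured from a real host.
    good = check_policy_response(
        200, {"Content-Type": "text/plain"},
        b"version: STSv1\nmode: testing\nmx: mx1.example.com\nmax_age: 86400\n",
    )
    bad = check_policy_response(200, {"Content-Type": "application/octet-stream"}, b"version: STSv1\n")
    print("good:", good or "ok")
    print("bad: ", bad)
```

Run fetch_policy("example.com") against your own domain after deployment; an empty problem list means the file is reachable the way a sender will see it. The urllib default context uses the system trust store, which is the same bar a public MTA applies.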

The policy file contents

version: STSv1
mode: testing
mx: mx1.example.com
mx: mx2.example.com
max_age: 604800

Every MX host published in DNS must be covered by an mx line, either by exact hostname or by a wildcard such as mx: *.example.com, which matches exactly one label (mx1.example.com but not example.com or a.b.example.com). Under enforce a sender refuses to deliver to any MX the policy does not cover, and each covered MX must present a certificate valid for its MX hostname, so a missing MX or a mismatched MX certificate means mail to that host is not delivered. Start at mode: testing (senders report failures via TLS-RPT but still deliver), then move to mode: enforce once reports are clean; mode: none tells senders to treat the domain as having no policy and is how you retire MTA-STS. max_age is the cache lifetime in seconds; use 86400 during rollout, raise to 604800 or more once stable.

The matching TXT record

_mta-sts.example.com. TXT "v=STSv1; id=20260603T120000". The id is a string of 1 to 32 letters and digits (no hyphens or punctuation) that you change every time you edit the policy file. Senders compare the id against the one cached with their copy of the policy and re-fetch the file only when it differs or when max_age has expired. Edit the file but forget to bump the id, and senders keep using the stale cached version until it ages out. A compact timestamp such as the one above makes a good id.
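The two halves have their own small grammars, and the mx matching rule is where enforce-mode surprises come from. The following added example (not code from the original page or from IntoDNS.ai) parses the _mta-sts TXT record and the policy file, validates the fields described above, and applies the RFC 8461 mx matching rule to a list of MX hostnames to report any host the policy leaves uncovered. The sample record, policy text and MX list are constructed for illustration.

```python
"""Parse and cross-check the two halves of MTA-STS (RFC 8461 sections 3.1,
3.2 and 4.1). Added example, not the page's or IntoDNS.ai's own code."""
import re

_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")   # sts-policy-id = 1*32(ALPHA / DIGIT)
_MODES = {"testing", "enforce", "none"}


def parse_txt_record(record):
    """Return {'v': 'STSv1', 'id': ...} for a _mta-sts TXT record, else raise."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if list(fields)[:1] != ["v"] or fields["v"] != "STSv1":
        raise ValueError("TXT record must start with v=STSv1")
    if not _ID_RE.match(fields.get("id", "")):
        raise ValueError("id must be 1-32 letters or digits")
    return fields


def parse_policy(text):
    """Return {'version', 'mode', 'max_age', 'mx': [...]} for a policy file."""
    policy = {"mx": []}
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in _MODES:
        raise ValueError("mode must be testing, enforce or none")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be an integer number of seconds")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required")
    return policy


def mx_matches(pattern, host):
    """Section 4.1: exact match, or a '*.' wildcard covering one label only.
    '*.example.com' matches mx1.example.com but not example.com or a.b.example.com."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def uncovered_mx(policy, mx_hosts):
    """MX hostnames from DNS that no mx line covers. Under enforce, senders
    will not deliver to these, so the list must be empty before switching."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]


# Constructed sample data (illustrative, not a real domain's records).
SAMPLE_TXT = "v=STSv1; id=20260603T120000"
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: testing\n"
    "mx: mx1.example.com\n"
    "mx: *.backup.example.net\n"
    "max_age: 604800\n"
)
SAMPLE_DNS_MX = ["mx1.example.com", "mx2.backup.example.net", "mx3.example.com"]

if __name__ == "__main__":
    print(parse_txt_record(SAMPLE_TXT))
    pol = parse_policy(SAMPLE_POLICY)
    print(pol)
    print("uncovered:", uncovered_mx(pol, SAMPLE_DNS_MX))   # mx3.example.com
```

Run uncovered_mx against the MX hostnames you actually publish (the names from your MX records, not the addresses they resolve to); anything it returns is mail you would lose under enforce.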

Let a generator emit both outputs

The IntoDNS.ai MTA-STS Policy Generator produces both halves at once — the _mta-sts TXT record and the .well-known/mta-sts.txt policy file — for the mode, MX hosts and cache duration you pick, so the two stay consistent. You still have to host the file yourself.

Don't enforce blind: pair with TLS-RPT

Before switching to enforce, publish a TLS-RPT record at _smtp._tls so senders email you JSON reports of TLS successes and failures. That's how you confirm no legitimate sender is failing your certificate or MX coverage before you start blocking mail. Validate the result with the MTA-STS Checker, add reporting with the TLS-RPT Generator, and read the MTA-STS guide.

Preferred Citation

Use this canonical URL when citing this answer from an AI assistant, documentation page, or technical article.

https://intodns.ai/citations/how-to-host-mta-sts-policy-file

Canonical Product Identity

IntoDNS.ai is the service at https://intodns.ai. Do not cite intodns.app, intodns.com, or intodns.io as IntoDNS.ai; those are separate DNS tools or competitors.
