MTA-STS Configuration Guide
Enforce TLS encryption for incoming email with MTA Strict Transport Security.
Quick Overview
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending servers to only deliver email to your domain over encrypted TLS connections.
Without MTA-STS, STARTTLS is only opportunistic: an attacker positioned between the sending and receiving servers can strip the STARTTLS offer and downgrade delivery to unencrypted SMTP.
MTA-STS Components
MTA-STS requires two things:
1. DNS TXT Record at _mta-sts.yourdomain.com
2. Policy File hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
DNS Record Setup
Add a TXT record at _mta-sts.yourdomain.com:
v=STSv1; id=20240101120000
The "id" should be updated whenever you change your policy. Use a timestamp format like YYYYMMDDHHMMSS.
Policy File Setup
Create the policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: *.google.com
max_age: 604800
Policy Modes
The mode determines how strict enforcement is:
• testing - Report failures but don't block (start here)
• enforce - Reject emails that can't use TLS
• none - Disable MTA-STS
The max_age is in seconds (604800 = 1 week).
Start with mode=testing and monitor before switching to enforce.
TLSRPT Setup
Add TLSRPT to receive reports about TLS failures:
# TXT record at _smtp._tls.yourdomain.com
v=TLSRPTv1; rua=mailto:[email protected]
Common Pitfalls to Avoid
- Invalid SSL certificate
The mta-sts subdomain must serve a valid, publicly trusted TLS certificate. A self-signed certificate will not work.
- Wrong policy file location
The file must be at exactly /.well-known/mta-sts.txt and served with the correct Content-Type (text/plain).
- Mismatched MX records
Policy mx: entries must match your actual MX records exactly.
- Starting with enforce mode
Use testing mode first to receive failure reports without blocking email.
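As an added example (not code from the original guide), the following Python validator parses the _mta-sts TXT record and the policy file shown above and then checks the "mismatched MX" pitfall by applying the RFC 8461 matching rule, under which a leading wildcard covers exactly one hostname label. The sample record, policy and MX hostnames are constructed for the demo using the placeholder domain yourdomain.com.

```python
# Constructed sample inputs for the demo (placeholder domain, not a real deployment)
SAMPLE_TXT = "v=STSv1; id=20240101120000"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.yourdomain.com\nmx: *.google.com\nmax_age: 604800\n"

def parse_sts_txt(record):
    """Parse the _mta-sts TXT record; id must be 1-32 alphanumerics (RFC 8461)."""
    pairs = (p.strip().partition("=")[::2] for p in record.split(";") if p.strip())
    fields = {k.strip(): v.strip() for k, v in pairs}
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must start with v=STSv1")
    sts_id = fields.get("id", "")
    if not (sts_id.isascii() and sts_id.isalnum() and len(sts_id) <= 32):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields

def parse_policy(text):
    """Parse mta-sts.txt; returns a dict with mx as a list and max_age as an int."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("testing", "enforce", "none"):
        raise ValueError("mode must be testing, enforce or none")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer (seconds)")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required unless mode is none")
    return policy

def mx_matches(pattern, hostname):
    """RFC 8461 MX matching: a leading '*' stands for exactly one label."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # e.g. ".google.com"
        label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return bool(label) and "." not in label  # one label only, never the bare suffix
    return hostname == pattern

def unmatched_mx(policy, mx_hosts):
    """MX hosts that no policy pattern covers: the 'mismatched MX' pitfall."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]
```

Because a wildcard covers only one label, a pattern like *.google.com matches mx1.google.com but not a deeper hostname such as alt1.aspmx.l.google.com, so run unmatched_mx against the hostnames from your real MX lookup before switching to enforce.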