MTA-STS Configuration Guide
Enforce TLS encryption for incoming email with MTA Strict Transport Security.
Quick Overview
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) lets a domain declare that sending mail servers must use authenticated TLS when delivering mail to it. It solves a long-standing weakness in SMTP: STARTTLS, the opportunistic encryption SMTP uses, is trivially defeated by a man-in-the-middle. An attacker on the path can strip the STARTTLS advertisement, causing the sender to silently fall back to plaintext, or present an invalid certificate that opportunistic SMTP accepts anyway.
MTA-STS removes that opportunism. Once a sender has fetched and cached your policy, it will refuse to deliver mail over a downgraded or untrusted connection. It applies to inbound mail to your domain — you publish a policy so that other servers protect mail they send to you. MTA-STS pairs naturally with TLS-RPT, which gives you reports when delivery to you fails TLS.
How MTA-STS Works
MTA-STS deliberately splits its trust across DNS and HTTPS so that an attacker would have to compromise both:
1. The sender looks up the _mta-sts TXT record to learn that you have a policy and to read its id. 2. If the id is new (or no policy is cached), the sender fetches the policy file over HTTPS from mta-sts.<yourdomain>/.well-known/mta-sts.txt. The HTTPS certificate must be valid and trusted — this is the trust anchor, not DNSSEC. 3. The sender caches the policy for up to max_age seconds. 4. On each delivery, the sender checks that the MX host matches a pattern in the policy, that STARTTLS is offered, and that the MX presents a valid certificate matching the MX hostname. If mode is enforce and any check fails, delivery is refused rather than downgraded.
The cached policy is what makes MTA-STS resistant to active attackers: an on-path attacker cannot strip a policy the sender already has.
The Two Required Components
A working MTA-STS deployment is exactly two things that must agree with each other:
1. DNS TXT record at _mta-sts.yourdomain.com — announces the policy and carries the id. 2. Policy file served over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt — the actual rules.
The mta-sts host needs a publicly trusted TLS certificate. The policy file must list MX patterns that exactly cover your real MX records.
Step 1: Publish the DNS Record
Add a TXT record at _mta-sts.yourdomain.com announcing the current policy version:
# DNS name: _mta-sts.yourdomain.com
v=STSv1; id=20260601000001The id is an opaque token, max 32 alphanumeric characters. It MUST change every time you edit the policy file — senders only re-fetch the policy when the id changes. A timestamp like YYYYMMDDNNNNNN works well.
Step 2: Host the Policy File
Create the policy file and serve it at the exact well-known path over HTTPS, with Content-Type: text/plain:
# https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: *.yourdomain.com
max_age: 604800The file must be served from the mta-sts subdomain over HTTPS with a valid, publicly trusted certificate. A self-signed or mismatched certificate makes the entire policy unusable, and a failed fetch means senders fall back to opportunistic TLS.
Policy File Field Reference
The policy file is a small set of newline-separated key: value lines:
| Field | Required | Purpose / values |
|---|---|---|
| version | yes | Must be STSv1 |
| mode | yes | testing | enforce | none |
| mx | yes | One line per allowed MX host pattern. Wildcards allowed for the leftmost label, e.g. *.yourdomain.com or *.mail.protection.outlook.com |
| max_age | yes | Policy cache lifetime in seconds (max 31557600 ~1yr). Common values: 86400 (1 day) while testing, 604800 (1 week) or more in production |
| Mode | Behavior |
|---|---|
| testing | Check and report failures via TLS-RPT, but still deliver |
| enforce | Refuse delivery on any TLS/MX/cert failure |
| none | Tear down an existing policy (set before removing records) |
Policy Modes & Safe Rollout
Start in testing mode. In testing, senders perform every MTA-STS check and report failures via TLS-RPT, but mail is still delivered — so you learn whether your MX coverage and certificates are correct without risking a single message.
After a week or two of clean TLS-RPT reports, switch mode to enforce and bump the id. From then on, senders that have your policy cached will refuse to downgrade. Begin with a shorter max_age (e.g. 86400) during testing so corrections propagate quickly, then raise it for production.
Do not start in enforce mode. A wrong MX pattern, an expired certificate, or a missing STARTTLS on one MX will block inbound mail with no warning. Testing mode surfaces those problems safely first.
Step 3: Add TLS-RPT Reporting
TLS Reporting (TLS-RPT, RFC 8460) is what makes MTA-STS observable. Publish a separate TXT record and senders will email you daily JSON summaries of successful and failed TLS sessions to your domain — including the reason for each MTA-STS or DANE failure:
# DNS name: _smtp._tls.yourdomain.com
v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.comDeploy TLS-RPT before switching MTA-STS to enforce. The reports are how you confirm there are no failing senders prior to enforcement.
Verify and Next Step
Confirm the DNS record and the HTTPS policy file agree, the MX patterns cover your real MX, and the id is current with our free MTA-STS Checker, and build a correct record and policy file with the MTA-STS Policy Generator.
Common pitfalls to check: the policy file not reachable over HTTPS (wrong host, bad certificate, redirect instead of a direct 200), the id not changing after a policy edit (senders never re-fetch), and mx: patterns that miss one of your MX hosts. MTA-STS protects transport encryption; combine it with SPF, DKIM, and DMARC for end-to-end email security.
Common Pitfalls to Avoid
- Invalid SSL certificate
The mta-sts subdomain must have a valid TLS certificate. Self-signed will not work.
- Wrong policy file location
The file must be at exactly /.well-known/mta-sts.txt with proper Content-Type.
- Mismatched MX records
Policy mx: entries must match your actual MX records exactly.
- Starting with enforce mode
Use testing mode first to receive failure reports without blocking email.
Related tools & guides
Frequently asked questions
What is MTA-STS and what does it protect against?
MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) lets your domain require that sending mail servers use authenticated TLS when delivering to you. It protects against man-in-the-middle attacks that strip STARTTLS or present invalid certificates to downgrade SMTP to plaintext. Once a sender caches your policy, it refuses to deliver over an untrusted or unencrypted connection.
What do I need to set up MTA-STS?
Two things that must agree: a DNS TXT record at _mta-sts.yourdomain.com (v=STSv1; id=...) and a policy file served over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with a valid, publicly trusted certificate. The policy file lists mode, your MX host patterns, and max_age.
Should I start MTA-STS in enforce or testing mode?
Always start in testing mode. In testing, senders run every MTA-STS check and report failures via TLS-RPT but still deliver your mail, so you can confirm your MX coverage and certificates are correct without risking lost messages. After a week or two of clean reports, switch to enforce.
Why does the MTA-STS id need to change?
Sending servers only re-fetch your HTTPS policy file when the id value in the _mta-sts TXT record changes. If you edit the policy file but leave the id the same, senders keep using the cached old policy. Update the id (for example a timestamp like YYYYMMDDNNNNNN) every time you change the policy.
What is TLS-RPT and do I need it for MTA-STS?
TLS-RPT (RFC 8460) is a separate TXT record at _smtp._tls.yourdomain.com that makes senders email you daily JSON reports of successful and failed TLS sessions, including the reason for MTA-STS failures. It is not strictly required, but you should deploy it before switching MTA-STS to enforce so you can confirm no legitimate senders are failing TLS.