MTA-STS Configuration Guide
Enforce TLS encryption for incoming email with MTA Strict Transport Security.
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending servers to only deliver email to your domain over encrypted TLS connections.
Without MTA-STS, SMTP relies on opportunistic STARTTLS, so a man-in-the-middle can strip the STARTTLS offer and downgrade delivery to unencrypted transport.
MTA-STS Components
MTA-STS requires two things:
1. **DNS TXT Record** at _mta-sts.yourdomain.com
2. **Policy File** hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
DNS Record Setup
Add a TXT record at _mta-sts.yourdomain.com:
v=STSv1; id=20240101120000

The "id" should be updated whenever you change your policy: sending servers cache your policy and only refetch it when they see a new id. Use a timestamp format like YYYYMMDDHHMMSS.
Policy File Setup
Create the policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: *.google.com
max_age: 604800

Policy Modes
The mode determines how strict enforcement is:
• **testing** - Report failures but don't block (start here)
• **enforce** - Sending servers refuse to deliver mail that can't be sent over a valid TLS connection
• **none** - Disable MTA-STS
The max_age is in seconds (604800 = 1 week).
Start with mode=testing and monitor before switching to enforce.
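Before switching to enforce, it is worth checking that the TXT record and policy file parse correctly and that every MX host of the domain is covered by an mx entry. The following is an added example (not part of this guide) that validates both artifacts and applies the RFC 8461 rule that a `*.` wildcard covers exactly one leading label; the sample policy and the hostnames passed to uncovered_mx are constructed.

```python
import re

MODES = {"testing", "enforce", "none"}

# Constructed sample mirroring the policy file shown above.
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.yourdomain.com\nmx: *.google.com\nmax_age: 604800\n"

def parse_sts_record(txt):
    """Parse the _mta-sts TXT record; the id must be 1-32 alphanumerics (RFC 8461)."""
    fields = dict(f.strip().split("=", 1) for f in txt.split(";") if f.strip())
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("invalid MTA-STS TXT record")
    return fields["id"]

def parse_policy(text):
    """Parse a policy file body into a dict; raises ValueError on any defect."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            policy[key] = value  # unknown keys are ignored, as RFC 8461 requires
    if policy.get("version") != "STSv1" or policy.get("mode") not in MODES:
        raise ValueError("version must be STSv1 and mode testing, enforce or none")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required")
    policy["max_age"] = int(policy["max_age"])  # seconds; 604800 is one week
    return policy

def mx_matches(pattern, host):
    """RFC 8461 mx matching: '*.example.com' covers exactly one leading label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern

def uncovered_mx(policy, mx_hosts):
    """MX hostnames the policy would not allow; must be empty before mode=enforce."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]
```

Note that `*.google.com` does not cover a multi-label host such as `aspmx.l.google.com`, which is the kind of gap that only shows up once delivery starts failing in enforce mode.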
TLSRPT Setup
Add TLSRPT to receive reports about TLS failures:
# TXT record at _smtp._tls.yourdomain.com
v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com