Setting Up MTA-STS

Enforce TLS encryption for inbound email with MTA-STS.

MTA-STS (RFC 8461) lets you publish a policy telling sending mail servers that your domain's MX hosts must be reached over TLS, using a certificate that is valid for the MX hostname. In enforce mode, a sender that cannot establish such a connection queues the message instead of delivering it in the clear, which defeats STARTTLS-stripping and MX-spoofing downgrade attacks. It protects inbound mail only; outbound mail is governed by the recipient domain's policy. This guide covers both self-hosted and managed options.

Time required: 30 minutes (self-hosted) or 5 minutes (managed)
Prerequisites: DNS access; for the self-hosted option, a web server with a publicly trusted HTTPS certificate

Option 1: Use MimeProtect (Recommended)

The easiest approach—we host your MTA-STS policy on our global edge network:

  1. Sign up for MimeProtect and add your domain
  2. Go to MTA-STS settings and click Enable
  3. Add the CNAME record we provide to your DNS
  4. We handle certificates, hosting, and updates automatically

Option 2: Self-Hosted

If you prefer to host your own policy:

Step 1: Create the Policy File

# File: /.well-known/mta-sts.txt
version: STSv1
mode: testing
mx: mail.yourdomain.com
mx: mail2.yourdomain.com
max_age: 86400

Step 2: Host the Policy

  1. Create a subdomain mta-sts.yourdomain.com (an A/AAAA or CNAME record pointing at your web server)
  2. Get a publicly trusted TLS certificate for this exact hostname (Let's Encrypt works); senders validate it the way a browser would, so a self-signed or mismatched certificate causes the policy to be ignored
  3. Serve the policy at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt directly; senders do not follow HTTP redirects, so the file must be returned with a 200 status at that URL
  4. Content-Type should be text/plain

Step 3: Add DNS Records

# MTA-STS policy record
Name: _mta-sts
Type: TXT
Value: v=STSv1; id=20240115120000

# TLS-RPT for failure reports (optional but recommended)
Name: _smtp._tls
Type: TXT
Value: v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com

Step 4: Move to Enforce Mode

After TLS-RPT reports have shown no TLS failures for long enough to cover your regular senders (a week of testing mode is a common choice):

  1. Change mode: testing to mode: enforce
  2. Increase max_age to 604800 (1 week) or more, up to the RFC maximum of 31557600 (1 year)
  3. Update the id in your _mta-sts DNS TXT record; senders cache the policy for max_age seconds and only re-fetch it when the id changes, so do this every time the policy file changes, not just on the move to enforce

Common MX Patterns

A leading "*." in an mx line matches exactly one DNS label, so *.aspmx.l.google.com covers alt1.aspmx.l.google.com but not aspmx.l.google.com itself; that is why the Google policy lists both forms. Check the patterns below against your domain's actual MX records before relying on them.

# Google Workspace

mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
mx: *.googlemail.com

# Microsoft 365

mx: *.mail.protection.outlook.com

Checklist

Policy file accessible at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with a 200 status, text/plain, no redirect
Valid, publicly trusted HTTPS certificate on the mta-sts subdomain
_mta-sts TXT record added to DNS, and its id changed after every policy edit
Every host in your actual MX records is matched by an mx line in the policy
TLS-RPT configured for monitoring
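The policy-to-MX check is the one most often gotten wrong, because wildcard matching follows RFC 8461's one-label rule rather than shell globbing. The following script is an added example written for this page; it is not MimeProtect's code. It parses a policy file and the _mta-sts TXT value, applies the RFC's syntax limits (mode values, the 31557600-second max_age cap, the 1-32 alphanumeric id), and reports any MX host that no mx line covers. The policy text and MX hostnames embedded in it are constructed samples standing in for the fetched policy and the output of a dig MX query; run it with your own policy and MX list to reproduce the checklist offline.

```python
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age must not exceed one year in seconds
VALID_MODES = ("enforce", "testing", "none")

# Constructed sample policy, as it would be served from /.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
mx: *.googlemail.com
max_age: 86400
"""

# Constructed MX hostnames, standing in for `dig +short MX yourdomain.com` output
SAMPLE_MX = ["aspmx.l.google.com.", "ALT1.ASPMX.L.GOOGLE.COM.", "alt2.aspmx.l.google.com."]


def parse_policy(text):
    """Parse 'key: value' lines into a dict; 'mx' repeats, so it becomes a list."""
    policy = {"mx": []}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())  # hostnames compare case-insensitively
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"duplicate key: {key}")
            policy[key] = value
        # Unknown keys are ignored for forward compatibility, as the RFC requires
    return policy


def mx_matches(pattern, host):
    """RFC 8461 matching: exact match, or a leading '*.' covering exactly one label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '*.aspmx.l.google.com' -> '.aspmx.l.google.com'
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label  # one label only: alt1, not a.b
    return host == pattern


def parse_sts_txt(record):
    """Validate the _mta-sts TXT value and return its id."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must start with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields["id"]


def check_policy(text, mx_hosts):
    """Return a list of findings; an empty list means the policy is safe to enforce."""
    try:
        policy = parse_policy(text)
    except ValueError as exc:
        return [f"parse error: {exc}"]
    findings = []
    if policy.get("version") != "STSv1":
        findings.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in VALID_MODES:
        findings.append(f"mode must be one of {VALID_MODES}, got {mode!r}")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        findings.append(f"max_age must be an integer <= {MAX_AGE_LIMIT}, got {max_age!r}")
    if mode != "none" and not policy["mx"]:
        findings.append("policy has no mx lines")
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            findings.append(f"MX host {host} matches no mx line; enforce mode would reject it")
    return findings


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY, SAMPLE_MX) or ["policy covers all MX hosts"]:
        print(finding)
```

Feed it the policy you actually serve and the MX list you actually publish; a finding for any MX host means a sender in enforce mode would refuse that host, so fix the policy before changing the mode.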

Next Steps