MTA-STS

Enforce TLS for inbound email and prevent downgrade attacks.

MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) lets your domain tell sending mail servers that it requires STARTTLS with a trusted certificate for its MX hosts. Plain SMTP negotiates TLS opportunistically, so an attacker on the path can strip the STARTTLS offer and force a cleartext session, or tamper with the MX lookup to route mail to a host they control. A sender that has cached your enforce-mode policy refuses to deliver over cleartext, to an MX host not listed in the policy, or to one presenting an untrusted or mismatched certificate.

How MTA-STS Works

  1. Publish a DNS TXT record at _mta-sts.example.com
  2. Host a policy file at https://mta-sts.example.com/.well-known/mta-sts.txt
  3. Sending servers discover your policy via the DNS TXT record
  4. They fetch the policy file over HTTPS, validating the web server's certificate and following no redirects
  5. They cache the policy for max_age seconds and, in enforce mode, deliver only over TLS to an MX host that matches the policy and presents a trusted certificate

MTA-STS DNS Record

# DNS TXT record at _mta-sts.example.com
v=STSv1; id=20240115120000

# Fields:
# v=STSv1  - Version (required, must come first)
# id=      - Policy ID, 1-32 letters or digits; a timestamp works well

# Change the id whenever you update the policy file. Senders re-check this
# record and re-fetch the policy when the id differs from their cached copy.

MTA-STS Policy File

# Hosted at https://mta-sts.example.com/.well-known/mta-sts.txt
version: STSv1
mode: enforce
mx: mail.example.com
mx: mail2.example.com
mx: *.mail.example.com
max_age: 604800

# Fields:
# version   - Must be STSv1, and must be the first line
# mode      - none (disabled), testing (report only), enforce (require TLS)
# mx        - Allowed MX hostnames, one per line; a leading *. matches exactly one label
# max_age   - How long senders cache the policy, in seconds (max: 31557600, one year)

MTA-STS Modes

Mode      Behavior                                          Use when
none      Policy is disabled                                Temporarily disabling MTA-STS
testing   TLS failures reported but mail still delivered    Initial deployment, monitoring for issues
enforce   TLS required, failures cause delivery failure     Production, after testing confirms no issues

Requirements

To deploy MTA-STS, you need:

  • DNS TXT record at _mta-sts.yourdomain.com
  • HTTPS web server at mta-sts.yourdomain.com
  • TLS certificate for the mta-sts subdomain from a publicly trusted CA (senders validate it the way a browser would; a self-signed or expired certificate makes the policy unfetchable)
  • Policy file at /.well-known/mta-sts.txt, served as text/plain without redirects

MX Hostname Matching

The mx: entries in your policy must cover every hostname in your MX records:

  • A pattern without a wildcard must equal the MX hostname exactly (case-insensitive); a leading *. matches exactly one label, so *.mail.example.com covers mx1.mail.example.com but not mail.example.com or a.b.mail.example.com
  • Each MX host must present a certificate from a publicly trusted CA that is unexpired and valid for that MX hostname
  • When adding an MX host, list it in the policy (and change the DNS id) before publishing the new MX record; when removing one, drop the MX record first and take it out of the policy afterwards, so no cached policy ever excludes a live MX
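The sender-side logic of steps 3 to 5 above, the policy file grammar and the MX matching rules, as one added example (not MimeProtect's code or a real MTA implementation). It parses the _mta-sts TXT record and the policy file, applies the single-label wildcard rule, and decides whether one SMTP connection may be used. All records, hostnames and certificate names are constructed; a real sender looks them up via DNS and HTTPS.

```python
"""Sender-side MTA-STS handling (added example, not MimeProtect's code): parse the
_mta-sts TXT record and policy file, match MX hosts with RFC 8461's single-label
wildcard rule, and decide one connection's fate. All inputs are constructed."""
import re
from collections import namedtuple

MAX_AGE_LIMIT = 31_557_600  # one year, the largest max_age RFC 8461 allows
Policy = namedtuple("Policy", "mode mx max_age")


def parse_sts_txt(record: str) -> dict:
    """Parse 'v=STSv1; id=...' from the _mta-sts.<domain> TXT record."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0] != "v=STSv1":
        raise ValueError("TXT record must begin with v=STSv1")
    fields = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field {part!r}")
        fields[key.strip()] = value.strip()
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text: str) -> Policy:
    """Parse the file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or re.sub(r"\s+", "", lines[0]) != "version:STSv1":
        raise ValueError("policy must begin with 'version: STSv1'")
    fields, mx = {}, []
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed line {line!r}")
        if key == "mx":
            # A wildcard is only allowed as the whole leftmost label.
            if not re.fullmatch(r"(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+", value.lower()):
                raise ValueError(f"bad mx pattern {value!r}")
            mx.append(value.lower())
        elif key in ("mode", "max_age"):
            fields[key] = value
        # other keys are extension fields and are ignored (RFC 8461 section 3.2)
    mode, age = fields.get("mode"), fields.get("max_age", "")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be an integer no larger than {MAX_AGE_LIMIT}")
    if mode != "none" and not mx:
        # Nothing could ever match, so every connection would fail: treat as invalid.
        raise ValueError("enforce and testing policies need at least one mx")
    return Policy(mode, mx, int(age))


def mx_matches(pattern: str, hostname: str) -> bool:
    """'*.example.com' matches 'mail.example.com' but neither 'example.com' nor
    'foo.mail.example.com' (RFC 8461 section 4.1). Also used below on certificate
    SANs as a simplified stand-in for RFC 6125 name matching."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, rest = hostname.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == hostname


def delivery_decision(policy: Policy, mx_host: str, starttls_ok: bool, cert_sans: list):
    """('deliver' | 'defer', [failures]) for one connection, per RFC 8461 section 5:
    in enforce mode a failing connection must not be used (the sender tries other
    MX hosts and keeps the message queued); in testing mode mail still flows and
    the failures are only reported through TLS-RPT."""
    if policy.mode == "none":
        return "deliver", []
    failures = []
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        failures.append("mx-not-in-policy")
    if not starttls_ok:
        failures.append("starttls-not-supported")
    elif not any(mx_matches(san, mx_host) for san in cert_sans):
        failures.append("certificate-host-mismatch")  # cert is assumed CA-trusted here
    if policy.mode == "enforce" and failures:
        return "defer", failures
    return "deliver", failures


# Constructed sample records for example.com (not real DNS data).
SAMPLE_TXT = "v=STSv1; id=20240115120000"
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
                 "mx: *.mail.example.com\nmax_age: 604800\n")

if __name__ == "__main__":
    print(parse_sts_txt(SAMPLE_TXT))
    policy = parse_policy(SAMPLE_POLICY)
    for host, tls, sans in [
        ("mail.example.com", True, ["mail.example.com"]),        # deliver
        ("mx2.mail.example.com", True, ["*.mail.example.com"]),  # deliver
        ("backup.example.com", True, ["backup.example.com"]),    # defer: not in policy
        ("mail.example.com", False, []),                         # defer: no STARTTLS
        ("mail.example.com", True, ["smtp.example.com"]),        # defer: cert mismatch
    ]:
        print(host, delivery_decision(policy, host, tls, sans))
```

The certificate check here only compares SAN names with the same leftmost-label rule; a real MTA hands chain validation and expiry to its TLS library and adds a "certificate-not-trusted" style failure when that fails.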

Common MX Patterns

# Verify these against the MX records your tenant actually publishes; once in
# enforce mode, any MX host missing from the policy fails delivery.

# Google Workspace

version: STSv1
mode: enforce
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
mx: *.googlemail.com
max_age: 604800

# Microsoft 365

version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800

TLS-RPT for Monitoring

Use TLS-RPT (RFC 8460) alongside MTA-STS so senders tell you when they could not establish TLS to your MX hosts, or could not fetch or apply your policy. Reports are daily JSON aggregates per sending organization, delivered to the rua address. They are the only way to see failures while in testing mode, and your only receiving-side visibility into deferred mail once in enforce mode:

# TLS-RPT DNS record
_smtp._tls.example.com TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
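An added example (not MimeProtect's code) of what to do with the reports that arrive at the rua address: it summarises an RFC 8460 aggregate report per policy domain and lists the failure types that enforce mode would turn into deferrals, which is the check step 2 of the deployment sequence below relies on. The report is a constructed sample; real ones arrive as (usually gzipped) JSON attachments.

```python
"""Summarise a TLS-RPT aggregate report (RFC 8460 JSON). Added example, not
MimeProtect's code; the report below is constructed. Real reports reach the rua
address as (usually gzipped) JSON attachments, one per reporting sender per day."""
import json
from collections import Counter

# Constructed report: one sender's view of example.com during a testing rollout.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Sender Org",
    "date-range": {"start-datetime": "2024-01-15T00:00:00Z",
                   "end-datetime": "2024-01-15T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "2024-01-15T00:00:00Z_example.com",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-string": ["version: STSv1", "mode: testing",
                              "mx: mail.example.com", "mx: mail2.example.com",
                              "mx: *.mail.example.com", "max_age: 86400"],
            "policy-domain": "example.com",
            "mx-host": ["mail.example.com", "mail2.example.com", "*.mail.example.com"],
        },
        "summary": {"total-successful-session-count": 1240,
                    "total-failure-session-count": 37},
        "failure-details": [
            # mail2 presents a certificate issued for mail.example.com only
            {"result-type": "certificate-host-mismatch",
             "sending-mta-ip": "203.0.113.10",
             "receiving-mx-hostname": "mail2.example.com",
             "failed-session-count": 30},
            # an old relay behind mail.example.com does not offer STARTTLS
            {"result-type": "starttls-not-supported",
             "sending-mta-ip": "203.0.113.11",
             "receiving-mx-hostname": "mail.example.com",
             "failed-session-count": 7},
        ],
    }],
})


def policy_mode(policy_string: list):
    """Pull 'mode' out of the policy lines the sender echoes back in the report."""
    for line in policy_string:
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            return value.strip()
    return None


def summarize_report(report_json: str) -> dict:
    """Per policy domain: session totals and failures by result type and MX host."""
    report = json.loads(report_json)
    out = {}
    for entry in report["policies"]:
        pol, summary = entry["policy"], entry["summary"]
        by_type, by_mx = Counter(), Counter()
        for f in entry.get("failure-details", []):
            n = f.get("failed-session-count", 0)
            by_type[f["result-type"]] += n
            by_mx[f.get("receiving-mx-hostname", "unknown")] += n
        ok = summary["total-successful-session-count"]
        bad = summary["total-failure-session-count"]
        out[pol["policy-domain"]] = {
            "reporter": report["organization-name"],
            "policy-type": pol["policy-type"],
            "mode": policy_mode(pol.get("policy-string", [])),
            "successful": ok,
            "failed": bad,
            "failure_rate": bad / (ok + bad) if ok + bad else 0.0,
            "by_result_type": dict(by_type),
            "by_mx": dict(by_mx),
        }
    return out


def enforce_blockers(summary: dict) -> list:
    """(domain, result-type, count) for each failure that enforce mode would turn
    into deferred mail. An empty list is the 'no issues' signal to wait for
    before switching from testing to enforce."""
    return [(domain, rtype, n)
            for domain, s in summary.items()
            for rtype, n in sorted(s["by_result_type"].items()) if n]


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(json.dumps(s, indent=2))
    print("blockers:", enforce_blockers(s))
```

Group the by_mx counts over a week or two of reports from several senders: a failure that only one sender reports usually points at that sender, while one that every sender reports against the same MX host is a misconfiguration on your side that enforce mode would turn into deferred mail.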

MimeProtect Hosts Your MTA-STS

Don't want to manage hosting and certificates? MimeProtect hosts your MTA-STS policy on our global edge network. Just point a CNAME to us and we handle the rest—including certificate renewals and policy updates.


Safe Deployment

  1. Start with testing mode

    Publish the DNS record and the policy file with mode: testing. Senders report TLS failures but still deliver, so a mistake at this stage costs visibility, not mail.

  2. Set up TLS-RPT

    Publish the _smtp._tls record before or together with the policy, and review the reports: every result type that shows up is a deferral waiting to happen in enforce mode.

  3. Use a short max_age

    Start with 86400 (1 day) during testing. Senders serve a cached policy until it expires or they notice a new id in DNS, so keep the cache short while you may still need to roll a change back quickly.

  4. Move to enforce

    After 1-2 weeks of clean reports, switch to mode: enforce and change the id in the DNS TXT record so senders re-fetch the policy. Do the same for every later policy change.

  5. Increase max_age

    Once stable, raise max_age to 604800 (1 week) or more, up to the maximum of 31557600 (1 year). A longer cache means a sender keeps enforcing your policy even if an attacker later blocks the DNS record or the HTTPS fetch.

Next Steps