Hosting MTA-STS Policies with Azure Static Web Apps

Learn how to use Azure Static Web Apps to host your MTA-STS policy file securely and reliably.

Introduction: Why Azure Static Web Apps for MTA-STS?

For organisations seeking a cost-effective, secure, and centrally managed way to publish their MTA-STS policy file, Microsoft Azure Static Web Apps is a viable and practical solution.

Key benefits:

  • Full control for IT departments without relying on third-party infrastructure
  • No-cost options — the Free Tier will be more than sufficient for most MTA-STS use cases
  • HTTPS support out of the box, with built-in certificate management for custom domains

Whether you're in a public sector team, a small enterprise, or a large security-conscious organisation, Azure Static Web Apps helps you publish a compliant mta-sts.txt file at the correct location (https://mta-sts.yourdomain.com/.well-known/mta-sts.txt) — reliably and securely.

Prerequisites

  • An Azure subscription
  • Access to DNS settings for your domain (e.g. GoDaddy, Cloudflare)
  • A GitHub account for deploying code to Azure (via GitHub Actions)
  • A text editor or IDE (e.g. VS Code, Cursor, Windsurf)

High-Level Steps

  1. Create your MTA-STS policy as a plaintext file (mta-sts.txt) inside a .well-known folder
  2. Push the file to a GitHub repository
  3. Link your repo to Azure Static Web Apps, using the Custom build preset and skipping build steps
  4. Assign a custom domain like mta-sts.yourdomain.com and secure it with HTTPS
  5. Publish DNS records (_mta-sts TXT) to enable policy discovery
  6. Test and monitor TLS reports before moving to enforce mode
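A pre-publish check for steps 1, 5 and 6, added here as an example; it is not code from this page or from the PS.MTA-STS module. It validates the _mta-sts TXT value and the mta-sts.txt body against the RFC 8461 rules. The function names are hypothetical and the sample values are constructed, with example.com standing in for your domain.

```python
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds
MODES = {"enforce", "testing", "none"}
MX_PATTERN = re.compile(r"(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+", re.I)

# Constructed sample values; example.com stands in for your own domain.
SAMPLE_TXT = "v=STSv1; id=20250101000000Z;"
SAMPLE_POLICY = ("version: STSv1\r\nmode: testing\r\n"
                 "mx: mail.example.com\r\nmx: *.example.com\r\nmax_age: 604800\r\n")


def parse_txt_record(txt):
    """Return the policy id from a _mta-sts TXT value, or raise ValueError."""
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields or fields[0] != "v=STSv1":
        raise ValueError("TXT record must begin with v=STSv1")
    pairs = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    policy_id = pairs.get("id", "")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id):
        raise ValueError("id must be 1-32 letters or digits")
    return policy_id


def check_policy(text):
    """Parse the body of mta-sts.txt and return (policy, problems)."""
    policy, problems = {"mx": []}, []
    for line in text.splitlines():  # accepts both CRLF and LF line endings
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            problems.append(f"not a 'key: value' line: {line!r}")
        elif key == "mx":
            policy["mx"].append(value)  # mx may repeat, one pattern per line
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in MODES:
        problems.append("mode must be enforce, testing or none")
    if not re.fullmatch(r"[0-9]{1,10}", policy.get("max_age", "")) \
            or int(policy["max_age"]) > MAX_AGE_LIMIT:
        problems.append("max_age must be an integer from 0 to 31557600")
    if policy.get("mode") != "none" and not policy["mx"]:
        problems.append("at least one mx line is required unless mode is none")
    problems += [f"bad mx pattern: {m}" for m in policy["mx"]
                 if not MX_PATTERN.fullmatch(m)]
    return policy, problems
```

Run check_policy on the file in your repository before each push; sending servers only re-fetch the policy when the id in the TXT record changes, so update the id whenever the file changes.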

Further Guidance and Resources

Microsoft Official Documentation

Enhancing Mail Flow with MTA-STS

Microsoft's official guide explains what MTA-STS is, why it matters, and how to publish a compliant policy using Azure infrastructure. It's a good foundation, especially for technical architects or Exchange admins.

Jon's Docs: Step-by-Step Blog Walkthrough

Setting up MTA-STS using Azure Static Web Apps

This approachable blog post walks through a real-world example of deploying an MTA-STS policy using Azure's free tier. Ideal for hands-on IT pros looking for clear steps and screenshots.

PowerShell Module for Simplified Deployment

PS.MTA-STS GitHub Repo

Prefer scripting your deployment? This open-source PowerShell module from Microsoft simplifies MTA-STS policy generation, DNS validation, and deployment to Azure — great for automation and repeatability.

Test Your MTA-STS Deployment

Once you've deployed your MTA-STS policy using Azure Static Web Apps, you'll want to verify everything is working correctly before moving to enforce mode.

Validate Your Setup

Use our free MTA-STS Readiness Checker to test your deployment and identify any configuration issues before they impact email delivery.

Our tool checks your policy syntax, DNS records, HTTPS configuration, and provides actionable feedback to ensure your MTA-STS implementation is ready for production use.