Hosting MTA-STS Policy Files with Cloudflare Workers

A practical guide for secure, scalable policy file delivery

Cloudflare Workers provide a flexible, cost-effective way to host your MTA-STS policy file—whether you manage DNS with Cloudflare or just want a reliable, globally distributed endpoint. This guide walks you through the process, from writing your policy to deploying and testing your setup.

Why Use Cloudflare Workers?

  • Global Reach: Serve your policy file from Cloudflare's edge network for fast, reliable access worldwide.
  • Free for Testing: Cloudflare's free tier lets you experiment with Workers and *.workers.dev domains at no cost.
  • Custom Domain Support: Easily map your policy endpoint to mta-sts.yourdomain.com if you manage DNS with Cloudflare.
  • HTTPS by Default: All Workers endpoints are served over HTTPS, meeting MTA-STS requirements.

Example Cloudflare Worker Script

Below is a sample Worker script that serves a multi-line MTA-STS policy file. Edit the values to match your environment.

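// Answer every incoming request with the policy text.
addEventListener("fetch", event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  // One "key: value" field per line, joined with CRLF.
  // Replace the mode, mx and max_age values with your own.
  const policy =
    "version: STSv1\r\n" +
    "mode: testing\r\n" +
    "mx: your.mailserver.com\r\n" +
    "max_age: 86400";

  // The same body is returned for any path, including
  // /.well-known/mta-sts.txt, which is where sending servers fetch it.
  return new Response(policy, {
    headers: { "Content-Type": "text/plain" }
  });
}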

Use \r\n for line breaks to ensure correct formatting. Add additional mx: lines as needed for multiple MX records.

How to Deploy Your MTA-STS Policy with Cloudflare Workers

  1. Log in to your Cloudflare account and go to the Workers & Pages section.
  2. Click Create application, then select Create Worker to start a new service.
  3. Name your Worker. Cloudflare will show the resulting *.workers.dev FQDN.
  4. Click Deploy to launch the default Worker, then select Edit code to open the editor.
  5. Replace the default code with your edited Worker script and click Save and deploy.
  6. Test your Worker by visiting the *.workers.dev URL in your browser. The output should match your intended mta-sts.txt file exactly.
  7. In the Worker dashboard, go to the Triggers tab and click Add Custom Domain.
  8. Enter mta-sts.yourdomain.com as the custom domain and follow the prompts to provision DNS and HTTPS.
  9. If your DNS is managed in Cloudflare, you can create a CNAME from mta-sts.yourdomain.com to your Worker. (Enterprise/Business plans may have additional options.)
  10. Double-check for extra spaces or blank lines in your policy file—these can cause validation failures.

Tips & Troubleshooting

  • Whitespace Matters: Avoid extra spaces or blank lines at the start or end of your policy file.
  • Test Thoroughly: Use browser and command-line tools to verify your Worker returns the correct content and headers.
  • DNS & HTTPS: Custom domains require DNS to be managed in Cloudflare for CNAME support and HTTPS provisioning.
  • Limits: Free Workers have usage limits. Review Cloudflare's documentation if you expect high traffic or need static IPs (Enterprise only).
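
The whitespace and content checks from the tips above can be run offline against the policy string before it is pasted into the Worker. The linter below is an added example, not part of the original guide or of any Cloudflare tooling; the function name validateMtaStsPolicy and the BAD_POLICY sample are constructed for illustration, and the field rules follow RFC 8461.

```javascript
// Added example: offline linter for MTA-STS policy text (fields per RFC 8461).
const MODES = ["enforce", "testing", "none"];
const MAX_AGE_LIMIT = 31557600; // RFC 8461 upper bound for max_age, in seconds
const KNOWN = ["version", "mode", "mx", "max_age"];

function validateMtaStsPolicy(text) {
  const problems = [];
  const fields = { version: [], mode: [], mx: [], max_age: [] };
  // One trailing line terminator is fine; anything beyond it is a blank line.
  const lines = text.replace(/\r?\n$/, "").split(/\r?\n/);

  lines.forEach((line, i) => {
    const n = i + 1;
    if (line.trim() === "") return problems.push(`line ${n}: blank line`);
    if (line !== line.trim()) problems.push(`line ${n}: leading or trailing whitespace`);
    const m = /^([A-Za-z0-9_.-]+):\s*(.*)$/.exec(line.trim());
    if (!m) return problems.push(`line ${n}: not a "key: value" pair`);
    if (KNOWN.includes(m[1])) fields[m[1]].push(m[2]); // unknown keys are ignored
  });

  for (const key of ["version", "mode", "max_age"]) {
    if (fields[key].length !== 1)
      problems.push(`${key}: expected exactly one, found ${fields[key].length}`);
  }
  const [version] = fields.version;
  const [mode] = fields.mode;
  const [maxAge] = fields.max_age;
  if (version !== undefined && version !== "STSv1")
    problems.push(`version: "${version}" must be STSv1`);
  if (mode !== undefined && !MODES.includes(mode))
    problems.push(`mode: "${mode}" is not enforce, testing or none`);
  if (maxAge !== undefined && !(/^\d{1,10}$/.test(maxAge) && Number(maxAge) <= MAX_AGE_LIMIT))
    problems.push(`max_age: "${maxAge}" is not an integer from 0 to ${MAX_AGE_LIMIT}`);
  if (fields.mx.length === 0 && mode !== "none")
    problems.push("mx: at least one mx line is required unless mode is none");
  for (const mx of fields.mx) {
    if (!/^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$/i.test(mx))
      problems.push(`mx: "${mx}" is not a hostname or *.wildcard pattern`);
  }
  return problems;
}

// The policy string from the Worker script on this page.
const PAGE_POLICY =
  "version: STSv1\r\nmode: testing\r\nmx: your.mailserver.com\r\nmax_age: 86400";
// Constructed bad sample: leading blank line, trailing space, bad mode, no mx, extra blank line.
const BAD_POLICY = "\r\nversion: STSv1 \r\nmode: test\r\nmax_age: 86400\r\n\r\n";
console.log(validateMtaStsPolicy(PAGE_POLICY));
console.log(validateMtaStsPolicy(BAD_POLICY));
```

An empty array means the text passed every check; each string in a non-empty result names the line or field to fix.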