MTA-STS Implementation Guide

Secure your email transport with MTA-STS

Learn how to implement and manage MTA-STS (Mail Transfer Agent Strict Transport Security) to protect your email communications from downgrade attacks.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a security standard that lets a receiving domain declare that mail servers must use authenticated TLS when delivering email to it. It helps prevent downgrade attacks and ensures email is transmitted securely.

Implementation Steps

Step 1 of 6
DNS Setup (5 min)

1. Create TLS-RPT Record

Add a TLS-RPT record to monitor TLS failures:

_smtp._tls.yourdomain.com. IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com"

This record enables receiving TLS-RPT reports from major email providers.

Step 2 of 6
Policy Creation (10 min)

2. Create MTA-STS Policy File

Create your MTA-STS policy file with testing mode:

version: STSv1
mode: testing
max_age: 86400
mx: mail1.yourdomain.com
mx: mail2.yourdomain.com

Include every MX host listed in your domain's MX records.

Step 3 of 6
File Publishing (15 min)

3. Publish MTA-STS Policy File

Host your policy file at:

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

Ensure your web server serves the file with the correct headers:

Content-Type: text/plain
Cache-Control: max-age=86400

Verify the file is accessible via HTTPS and has the correct MIME type.

Step 4 of 6
DNS Configuration (5 min)

4. Create Discovery Record

Add an MTA-STS discovery record to your DNS:

_mta-sts.yourdomain.com. IN TXT "v=STSv1; id=20240101000000;"

Note: Update the id value whenever you make changes to your policy.

Step 5 of 6
Monitoring (2-4 weeks)

5. Monitor TLS-RPT Reports

Monitor TLS-RPT reports for 2-4 weeks to ensure:

  • All legitimate email flows are working correctly
  • No unexpected TLS failures are occurring
  • All MX records are properly configured
  • SSL certificates are valid and trusted

Address any issues found in the reports before proceeding to enforce mode.

Step 6 of 6
Enforcement (5 min)

6. Enable Enforce Mode

Once monitoring shows no issues, update your policy to enforce mode:

version: STSv1
mode: enforce
max_age: 2592000
mx: mail1.yourdomain.com
mx: mail2.yourdomain.com

And update your discovery record with a new ID:

_mta-sts.yourdomain.com. IN TXT "v=STSv1; id=20240201000000;"

The new ID ensures all mail servers will fetch the updated policy.
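The following Python script is an added example, not part of this guide: it validates a discovery record and policy file offline against the format the steps above describe, and reports any MX host that the policy would not cover once enforced. The record, policy text and MX list are constructed sample data for yourdomain.com.

```python
import re

# Added example (not the guide's code): validate an MTA-STS discovery record and
# policy file offline, then check the policy covers the domain's MX hosts (constructed data).
STS_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")  # RFC 8461: 1-32 alphanumeric characters
SAMPLE_TXT = "v=STSv1; id=20240101000000;"
SAMPLE_POLICY = ("version: STSv1\r\nmode: testing\r\nmax_age: 86400\r\n"
                 "mx: mail1.yourdomain.com\r\nmx: mail2.yourdomain.com\r\n")
SAMPLE_DNS_MX = ["mail1.yourdomain.com.", "MAIL2.yourdomain.com.", "mx3.yourdomain.com."]

def parse_discovery_record(txt):
    """Parse '_mta-sts' TXT data such as 'v=STSv1; id=...;' into a dict."""
    fields = dict(p.strip().partition("=")[::2] for p in txt.split(";") if p.strip())
    fields = {k.strip(): v.strip() for k, v in fields.items()}
    if fields.get("v") != "STSv1" or not STS_ID_RE.match(fields.get("id", "")):
        raise ValueError(f"invalid discovery record: {txt!r}")
    return fields

def parse_policy(text):
    """Parse mta-sts.txt (CRLF or LF line endings) and enforce the RFC 8461 constraints."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy must declare version: STSv1")
    if policy.get("mode") not in ("testing", "enforce", "none"):
        raise ValueError("mode must be testing, enforce or none")
    policy["max_age"] = int(policy.get("max_age", ""))  # ValueError if missing or non-numeric
    if not 0 <= policy["max_age"] <= 31557600:  # spec maximum: one year in seconds
        raise ValueError("max_age out of range")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("testing/enforce policies need at least one mx entry")
    return policy

def mx_matches(pattern, host):
    """RFC 8461 matching: '*.example.com' covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, sep, tail = host.partition(".")
    return sep == "." and tail == pattern[2:]

def uncovered_mx_hosts(policy, dns_mx_hosts):
    """MX hosts from DNS that no policy mx entry matches; delivery to these fails in enforce mode."""
    return [h for h in dns_mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]
```

Run `uncovered_mx_hosts(parse_policy(SAMPLE_POLICY), SAMPLE_DNS_MX)` against your real MX records before switching to enforce; any hostname it returns must be added to the policy first.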

Implementation Phases

Phase 1: Testing Mode

Start with testing mode to validate your configuration:

version: STSv1
mode: testing
max_age: 86400
mx: mail1.yourdomain.com
mx: mail2.yourdomain.com

Phase 2: TLS-RPT Report Review

Before moving to enforce mode:

  • Monitor TLS-RPT reports for 2-4 weeks
  • Review all TLS failures and their reasons
  • Address any identified issues:
    • Update MX records if needed
    • Fix TLS certificate issues
    • Resolve any mail server configuration problems
  • Ensure all legitimate email flows are working correctly

Phase 3: Enforce Mode

Once TLS-RPT reports show no failures, update your policy to enforce mode:

version: STSv1
mode: enforce
max_age: 2592000
mx: mail1.yourdomain.com
mx: mail2.yourdomain.com

Best Practices

Always start in testing mode

Begin with testing mode to validate your configuration before enforcing strict policies.

Regularly review TLS-RPT reports

Monitor reports to identify and resolve any TLS-related issues before they impact email delivery.

Update the policy id when making changes

Change the policy id (this guide uses a timestamp) so that sending servers notice the update and fetch the new policy promptly.

Use a max_age of at least 30 days in enforce mode

Longer cache times mean senders fetch the policy over HTTPS less often, and a sender keeps enforcing its cached policy even if the policy host or discovery record is temporarily unavailable, so the cached policy itself is what protects against downgrade attempts between refreshes.

Keep your SSL certificates up to date

Expired or invalid certificates will cause TLS failures and email delivery issues.

Maintain accurate MX records

Ensure all MX records in your policy match your actual mail server configuration.

Common Issues and Solutions

Policy File Not Accessible

Ensure your policy file is accessible via HTTPS and has the correct MIME type. Check your web server configuration and SSL certificate.

DNS Record Issues

Verify that your DNS TXT record is correctly formatted and propagated. Use DNS lookup tools to confirm the record is visible.

TLS-RPT Report Analysis

If you see TLS failures in your reports:
  • Check MX record configurations
  • Verify SSL certificate validity
  • Ensure mail servers support TLS 1.2 or higher
  • Review any intermediate certificate issues
