MTA-STS Implementation Guide

Secure your email transport with MTA-STS (Mail Transfer Agent Strict Transport Security). Learn how to implement and manage MTA-STS to protect your email communications.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) is a security standard that lets a receiving domain declare that mail servers sending to it must use TLS with a certificate that validates for its MX hosts. It helps prevent downgrade attacks (such as stripping STARTTLS) and interception in transit, so email is transmitted securely.

Implementation Steps

1. Create TLS-RPT Record

Add a TLS-RPT record to monitor TLS failures:

_smtp._tls.yourdomain.com. IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com"

This record enables receiving TLS-RPT reports from major email providers.

2. Create MTA-STS Policy File

Create your MTA-STS policy file in testing mode:

version: STSv1
mode: testing
max_age: 86400
mx: mail1.yourdomain.com
mx: mail2.yourdomain.com

Include an mx line for every MX host that handles email for your domain. A host missing from this list will be rejected by senders once the policy is in enforce mode.

3. Publish MTA-STS Policy File

Host your policy file at:

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

Ensure your web server serves the file with the correct headers:

Content-Type: text/plain
Cache-Control: max-age=86400

Verify the file is accessible via HTTPS and has the correct MIME type.

4. Create Discovery Record

Add an MTA-STS discovery record to your DNS:

_mta-sts.yourdomain.com. IN TXT "v=STSv1; id=20240101000000;"

Note: Update the id value whenever you make changes to your policy; otherwise sending servers keep using their cached copy until its max_age expires.

5. Monitor TLS-RPT Reports

Monitor TLS-RPT reports for 2-4 weeks to ensure:

  • All legitimate email flows are working correctly
  • No unexpected TLS failures are occurring
  • All MX records are properly configured
  • SSL certificates are valid and trusted

Address any issues found in the reports before proceeding to enforce mode.

6. Enable Enforce Mode

Once monitoring shows no issues, update your policy to enforce mode:

version: STSv1
mode: enforce
max_age: 2592000
mx: mail1.yourdomain.com
mx: mail2.yourdomain.com

And update your discovery record with a new ID:

_mta-sts.yourdomain.com. IN TXT "v=STSv1; id=20240201000000;"

Sending mail servers compare this id with the one stored alongside their cached policy, so a new id ensures they fetch the updated policy instead of waiting for the cache to expire.
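As an added pre-enforce check (example code written for this guide, not part of the original page or any project it describes), the following Python script parses the policy file and discovery record from the steps above and verifies that every real MX host of the domain is covered by an mx line, applying the RFC 8461 wildcard matching rule. The sample policy and discovery record are constructed from this guide's examples; in practice you would feed in the policy fetched over HTTPS, the TXT record from DNS and the domain's actual MX hosts.

```python
import re
# Constructed sample inputs: the policy file that would be served at
# https://mta-sts.yourdomain.com/.well-known/mta-sts.txt and the _mta-sts TXT value.
POLICY_TXT = "version: STSv1\nmode: enforce\nmax_age: 2592000\nmx: mail1.yourdomain.com\nmx: mail2.yourdomain.com\n"
DISCOVERY_TXT = "v=STSv1; id=20240201000000;"

def parse_policy(text):
    """Parse 'key: value' lines; only 'mx' may repeat (RFC 8461 section 3.2)."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in policy:
            raise ValueError(f"duplicate policy key: {key}")
        else:
            policy[key] = value
    return policy

def parse_discovery(txt):
    """Parse 'v=STSv1; id=...'; the id must be 1-32 alphanumeric characters."""
    fields = dict(f.strip().split("=", 1) for f in txt.split(";") if f.strip())
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError(f"invalid discovery record: {txt!r}")
    return fields

def mx_matches(pattern, host):
    """RFC 8461 section 4.1: a '*.' pattern matches exactly one leftmost label."""
    host = host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def check_policy(policy, mx_hosts):
    """List problems that make senders refuse mail in enforce mode; every real MX host must be covered."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("testing", "enforce", "none"):
        problems.append("mode must be testing, enforce or none")
    if policy.get("mode") == "enforce" and int(policy.get("max_age", 0)) < 30 * 86400:
        problems.append("max_age is below the 30 days recommended for enforce mode")
    if policy.get("mode") != "none" and not policy["mx"]:
        problems.append("at least one mx entry is required")
    problems += [f"MX host {h} not covered by policy" for h in mx_hosts
                 if not any(mx_matches(p, h) for p in policy["mx"])]
    return problems
```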

Implementation Phases

Phase 1: Testing Mode

Start with testing mode to validate your configuration:

version: STSv1
mode: testing
max_age: 86400
mx: mail1.yourdomain.com
mx: mail2.yourdomain.com

Phase 2: TLS-RPT Report Review

Before moving to enforce mode:

  • Monitor TLS-RPT reports for 2-4 weeks
  • Review all TLS failures and their reasons
  • Address any identified issues:
    • Update MX records if needed
    • Fix TLS certificate issues
    • Resolve any mail server configuration problems
  • Ensure all legitimate email flows are working correctly

Phase 3: Enforce Mode

Once TLS-RPT reports show no failures, update your policy to enforce mode:

version: STSv1
mode: enforce
max_age: 2592000
mx: mail1.yourdomain.com
mx: mail2.yourdomain.com

Best Practices

  • Always start in testing mode
  • Regularly review TLS-RPT reports
  • Update the policy id when making changes
  • Use a max_age of at least 30 days in enforce mode
  • Keep your SSL certificates up to date
  • Maintain accurate MX records

Common Issues and Solutions

Policy File Not Accessible

Ensure your policy file is accessible via HTTPS and has the correct MIME type. Check your web server configuration and SSL certificate.

DNS Record Issues

Verify that your DNS TXT record is correctly formatted and propagated. Use DNS lookup tools to confirm the record is visible.

TLS-RPT Report Analysis

If you see TLS failures in your reports:
  • Check MX record configurations
  • Verify SSL certificate validity
  • Ensure mail servers support TLS 1.2 or higher
  • Review any intermediate certificate issues

Test Your Implementation

Use our MTA-STS testing tool to verify your configuration.