MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending mail servers that they must use TLS when delivering email to your domain. Without MTA-STS, SMTP encryption is only opportunistic: a man-in-the-middle attacker could perform a downgrade attack, stripping the TLS (STARTTLS) offer so that the email is sent in plaintext and can be read in transit.
How it works
- A DNS TXT record at `_mta-sts.yourdomain.com` signals that MTA-STS is enabled.
- A policy file hosted at `https://mta-sts.yourdomain.com/.well-known/mta-sts.txt` specifies the policy details.
- Sending servers check the policy and enforce TLS accordingly.
Policy modes
| Mode | Behavior |
|---|---|
| none | No enforcement. MTA-STS is effectively disabled. |
| testing | Failures are reported but email is still delivered without TLS if needed. |
| enforce | TLS failures cause delivery to be rejected. Only use after confirming TLS works. |
Policy fields
The policy file contains the following fields:

```
version: STSv1
mode: enforce
mx: mail.yourdomain.com
max_age: 604800
```

| Field | Purpose |
|---|---|
| version | Must be STSv1 |
| mode | none, testing, or enforce |
| mx | Which MX servers to enforce TLS for (can list multiple) |
| max_age | How long receivers cache the policy, in seconds (e.g. 604800 = 7 days) |
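As an added example (not part of this page or of Suped's own code), the following Python validates the `_mta-sts` TXT record and the policy fields described above, and checks MX hostnames against the policy's `mx` patterns, including the single-label wildcard form allowed by RFC 8461. The sample policy is constructed; `example.com` and `example.net` are placeholder domains.

```python
VALID_MODES = {"none", "testing", "enforce"}
MAX_AGE_LIMIT = 31557600  # RFC 8461 caps max_age at one year (in seconds)
# Constructed sample policy for demonstration, not fetched from any real domain.
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.example.net\nmax_age: 604800\n"

def parse_txt_record(record):
    """Parse the _mta-sts TXT record ('v=STSv1; id=...') and return its policy id."""
    fields = dict(p.strip().split("=", 1) for p in record.split(";") if p.strip())
    policy_id = fields.get("id", "")
    if fields.get("v") != "STSv1" or not (policy_id.isalnum() and len(policy_id) <= 32):
        raise ValueError("invalid MTA-STS TXT record")
    return policy_id

def parse_policy(text):
    """Parse 'key: value' lines of mta-sts.txt; 'mx' may repeat and becomes a list."""
    policy = {"mx": []}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in policy:
            raise ValueError(f"duplicate field: {key}")
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be none, testing or enforce")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds") from None
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    return policy

def mx_matches(policy, mx_host):
    """True if mx_host matches a policy mx pattern; '*.' matches exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            prefix = host[: 1 - len(pattern)] if host.endswith(pattern[1:]) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False
```

A sending MTA in `enforce` mode would refuse delivery to any MX host for which `mx_matches` returns False, or for which the TLS certificate does not validate, so check the `mx` list against your real MX records before leaving `testing` mode.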
Hosting the policy file
The policy file must be served over HTTPS at a specific URL. Suped can host this for you automatically - see Hosted MTA-STS for setup instructions.