Suped

Does MTA-STS affect DNS records for email?

Yes, Mail Transfer Agent Strict Transport Security (MTA-STS) absolutely affects your DNS records. In fact, it relies entirely on DNS to function. MTA-STS is an email security standard designed to protect your inbound email from man-in-the-middle attacks by ensuring connections use encrypted TLS.

It works by allowing a domain to publish a policy that states its mail servers will only accept emails over a secure, encrypted connection. A sending server that supports MTA-STS will check for this policy before sending an email, and if it finds one, it will refuse to send the email over an unencrypted connection. This prevents attackers from intercepting and reading your emails.


How MTA-STS uses DNS

The entire MTA-STS discovery process begins with a DNS lookup. For a domain to signal that it supports MTA-STS, it must have a specific TXT record in its DNS zone.

VAND3RLINDEN says:
When a sending mail server (MTA) wants to deliver an email to a domain, it first checks for the presence of the _mta-sts.example.com DNS TXT record.

Implementing MTA-STS requires you to make two primary changes to your DNS:

  • The MTA-STS TXT Record: You must create a TXT record at the subdomain _mta-sts.yourdomain.com. This record doesn't contain the policy itself. Instead, it signals support for MTA-STS and provides a unique ID that indicates the current version of your policy. An example record looks like this: v=STSv1; id=20240520T100000Z;.
  • The Policy File Host Record: The TXT record tells sending servers to look for a policy file hosted on a specific web server. This policy file must be accessible at a defined subdomain, specifically https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. To make this work, you need to create an A or CNAME record for the mta-sts subdomain, pointing to the server that hosts your policy file.
GitHub says:
To implement MTA-STS for your domain(s), you must do the following: Add an A or CNAME type DNS record at mta-sts.yourdomain.com.

Ongoing DNS management and dependencies

MTA-STS doesn't just affect your initial DNS setup. It creates an ongoing dependency between your DNS records and your email infrastructure. The MTA-STS policy file contains a list of your authorized mail server names (your MX records). If you ever change your mail provider or update your MX records, you must also update your MTA-STS policy file to reflect these changes.

VerifyDMARC says:
You update your MTA-STS policy file with the new MX records and MTA-STS DNS record ID; Email delivery continues with disruption minimised.

Failure to keep your MTA-STS policy synchronized with your MX records can lead to email delivery failures. Sending servers will see a mismatch, and according to your own policy, they will refuse to deliver the mail.

Furthermore, sending servers cache your MTA-STS policy for a duration specified by the max_age value within the policy file. This means any changes you make to your policy or DNS records will not propagate instantly across the internet. You need to plan for this delay when making changes to your email setup to avoid service interruptions.
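The discovery sequence described above (TXT record at `_mta-sts.<domain>`, then the policy file at `https://mta-sts.<domain>/.well-known/mta-sts.txt`) and the MX-synchronization check from the previous section can both be exercised with the following script. It is an added example written for this article, not code from Suped or from any of the sources quoted here. The DNS answer, the policy body and the MX list are constructed sample values embedded inline so that it runs offline; the `txt_lookup` and `fetch_policy` callables are assumptions standing in for a real resolver and HTTPS client, and `example.com` is used purely as a placeholder domain.

```python
from dataclasses import dataclass

# Constructed sample data standing in for a live DNS lookup and HTTPS fetch.
SAMPLE_TXT = {"_mta-sts.example.com": "v=STSv1; id=20240520T100000Z;"}
SAMPLE_POLICY = {
    "mta-sts.example.com": (
        "version: STSv1\n"
        "mode: enforce\n"
        "mx: mail1.example.com\n"
        "mx: *.backup.example.com\n"
        "max_age: 604800\n"
    )
}


def parse_sts_txt(record):
    """Parse the _mta-sts TXT record ("v=STSv1; id=...") into a dict."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields


@dataclass
class Policy:
    version: str
    mode: str       # enforce, testing or none
    mx: list        # allowed MX hostnames or *.wildcards
    max_age: int    # seconds a sender may cache this policy


def parse_policy(text):
    """Parse the key: value lines of the mta-sts.txt policy file."""
    version = mode = max_age = None
    mx = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1" or mode not in ("enforce", "testing", "none"):
        raise ValueError("malformed MTA-STS policy")
    if max_age is None or (mode != "none" and not mx):
        raise ValueError("policy is missing max_age or mx entries")
    return Policy(version, mode, mx, max_age)


def discover(domain, txt_lookup=SAMPLE_TXT.get, fetch_policy=SAMPLE_POLICY.get):
    """Run MTA-STS discovery: TXT record first, then the HTTPS policy file.

    txt_lookup(name) returns the TXT record at _mta-sts.<domain> or None;
    fetch_policy(host) returns the body of https://<host>/.well-known/mta-sts.txt
    or None. Both default to the constructed samples so this runs offline.
    Returns (policy id, Policy), or None when the domain does not advertise MTA-STS.
    """
    record = txt_lookup(f"_mta-sts.{domain}")
    if record is None:
        return None
    fields = parse_sts_txt(record)
    body = fetch_policy(f"mta-sts.{domain}")
    if body is None:
        raise LookupError("TXT record present but policy file unreachable")
    return fields["id"], parse_policy(body)


def mx_matches(host, pattern):
    """A '*.' pattern covers exactly one extra leftmost label; otherwise exact match."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, rest = host.partition(".")
        return rest == pattern[2:]
    return host == pattern


def uncovered_mx(policy, mx_hosts):
    """MX hostnames from DNS that the policy does not list: these will be rejected
    by senders in enforce mode, which is the mismatch the article warns about."""
    return [h for h in mx_hosts if not any(mx_matches(h, p) for p in policy.mx)]


if __name__ == "__main__":
    policy_id, policy = discover("example.com")
    print("policy id:", policy_id, "mode:", policy.mode, "max_age:", policy.max_age)
    # Simulate a provider migration where MX changed but the policy did not.
    print("uncovered:", uncovered_mx(policy, ["mail1.example.com", "mail.newprovider.example"]))
```

To run it against a real domain, pass a resolver-backed `txt_lookup` (for example one that joins the TXT strings returned by a DNS library) and an HTTPS `fetch_policy`; the parsing and MX-coverage logic stays the same. The `uncovered_mx` output is the list to watch before and after any MX change, and `max_age` tells you how long old copies of the policy may still be honoured by senders.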

A crucial part of email security

In summary, MTA-STS is fundamentally linked to DNS. It requires specific DNS records to be created and maintained. While adding a layer of management complexity, it provides a powerful mechanism to enforce encrypted email transport, protecting your domain from eavesdropping and certain types of cyberattacks. Proper configuration of these DNS records is the first and most critical step in deploying MTA-STS successfully.
