Suped

What is the directory path for the MTA-STS policy file?

SMTP MTA Strict Transport Security (MTA-STS, RFC 8461) lets a receiving domain declare that its mail servers accept TLS with valid certificates, so a sending server can refuse to fall back to plaintext or to deliver to an unexpected host. That closes the STARTTLS-stripping and MX-spoofing downgrades that an on-path attacker could otherwise use to read or redirect mail. A critical part of implementing MTA-STS is correctly hosting your policy file: sending servers do not discover it, they fetch it from one fixed, standardized URL.

The directory path for the MTA-STS policy file is always within a .well-known folder on a specific subdomain. The complete URL structure is: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.


Breaking down the policy file URL

To understand why this path is so specific, it helps to break it down into its components. Every part of the URL has a distinct purpose defined by RFC 8461, and a remote mail server that wants to send you email constructs exactly this URL to fetch your policy; nothing else is tried.

  • Protocol: https://. The policy is fetched over HTTPS only, and the certificate presented must be valid for the mta-sts hostname and chain to a CA the sending server trusts. Plain http:// is never consulted, and senders must not follow HTTP redirects, so the file has to be served directly at this URL rather than redirected to another host.
  • Subdomain: mta-sts. The policy for example.com lives on mta-sts.example.com, a dedicated hostname that needs its own A/AAAA (or CNAME) record and its own valid TLS certificate.
  • Directory: /.well-known/. The standardized location for metadata and policy files (RFC 8615), shared with ACME challenges, security.txt and other protocols.
  • Filename: mta-sts.txt. The policy is a plain-text file with exactly this name, served with a Content-Type of text/plain.
URIports Blog (www.uriports.com): "The policy should be made available at the following location: https://mta-sts.example.com/.well-known/mta-sts.txt and look..."

The purpose of the `.well-known` directory

The use of a .well-known directory is not unique to MTA-STS. It is the convention defined in RFC 8615 for making service information discoverable at a fixed location: ACME uses /.well-known/acme-challenge/ to prove control of a hostname when issuing TLS certificates, and security.txt (RFC 9116) lives at /.well-known/security.txt. Because the location is standardized, automated systems can fetch the policy file without any guesswork or discovery step.

Medium (medium.com): "An increasing number of standards require us to serve small text files from a well-known URI (a “folder” starting with “/.... MTA-STS policy file ..."

How to host your MTA-STS policy file

Since the policy is just a small text file served over HTTPS, you have several options for hosting it: a traditional web server, a static-site host, or object storage behind a TLS endpoint.

EighTwOne (821) (eightwone.com): "Here is a quick write-up on how to host your MTA-STS policy file on GitHub using GitHub Pages. This process could also be used when needed for hosting other..."

One popular and cost-effective method is GitHub Pages. As explained in the EighTwOne article, you create a repository that holds the policy file and point the mta-sts subdomain at it. Note that GitHub Pages builds with Jekyll by default, and Jekyll skips files and folders whose names begin with a dot, so either add .well-known to the include list in _config.yml or drop a .nojekyll file in the repository root; otherwise the directory is silently left out of the published site. Other cloud services such as AWS S3 (fronted by CloudFront or another TLS terminator, since the policy must be served over HTTPS on the mta-sts hostname) or Azure Static Web Apps also work well. If you manage your own web server, such as IIS, Apache or nginx, create the .well-known directory in the web root of your mta-sts subdomain and place mta-sts.txt inside it. Check that any hardening rule that denies access to dot-files exempts /.well-known/, and confirm the file is returned with Content-Type: text/plain and without a redirect, because a sender that hits a redirect or a certificate error simply treats the domain as having no usable policy.

The essential DNS record

Having the policy file available at the correct path is only half the battle. You must also publish a DNS record to signal that you support MTA-STS. This is done by creating a TXT record at _mta-sts.yourdomain.com.

VAND3RLINDEN (vand3rlinden.com): "Adding the DNS TXT Record for the MTA STS Policy#. This TXT record is placed at _mta-sts.example.com and signals the presence of an MTA-STS ..."

This record tells sending servers that a policy exists and that they should fetch it from the well-known URL. Without it, servers never look for the policy file and the mechanism does nothing, no matter how correctly the file is hosted. The record has the form v=STSv1; id=<token>, where the id is a short alphanumeric string (a timestamp works well). Senders cache a fetched policy for the max_age it declares and only refetch early when they see the id change, so update the id every time you change the policy file; forgetting to do so leaves remote servers enforcing the stale policy. Because a policy in enforce mode makes senders refuse delivery when your MX hosts or their certificates do not match the listed mx patterns, start in testing mode and switch to enforce once reports show everything lines up.
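The two halves described above, the _mta-sts TXT record and the policy file at /.well-known/mta-sts.txt, can both be checked before you flip a domain to enforce mode. The following Python is an added example written for this page; it is not code from Suped or from any of the articles cited. The sample TXT record and policy body are constructed inputs for the example-dot domains, and fetch_policy (which needs network access) is the only part that talks to a live server: it lets urllib validate the certificate, refuses HTTP redirects and rejects any body not served as text/plain, mirroring what RFC 8461 requires of a sender.

```python
import re
import urllib.error
import urllib.request

POLICY_PATH = "/.well-known/mta-sts.txt"

# Constructed sample inputs for offline use; not taken from any real domain.
SAMPLE_TXT_RECORD = "v=STSv1; id=20240115T120000"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""

def policy_url(domain):
    """The single URL a sending MTA constructs: fixed subdomain, fixed path."""
    return f"https://mta-sts.{domain}{POLICY_PATH}"

def parse_sts_record(txt):
    """Parse the _mta-sts.<domain> TXT record ('v=STSv1; id=<token>')."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0] != "v=STSv1":
        raise ValueError("record must begin with v=STSv1")
    fields = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field {part!r}")
        fields[key.strip()] = value.strip()
    # RFC 8461 section 3.1: id is 1 to 32 alphanumeric characters
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields

def parse_policy(text):
    """Parse the body of mta-sts.txt; every 'mx' line is collected into a list."""
    policy = {"mx": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value', got {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy must declare 'version: STSv1'")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy["mx"] and policy["mode"] != "none":
        raise ValueError("at least one mx line is required in enforce/testing mode")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds") from None
    return policy

def mx_matches(mx_host, policy):
    """True if an MX hostname satisfies one of the policy's mx patterns.
    A leading '*.' matches exactly one label: '*.example.net' covers
    'smtp.example.net' but not 'example.net' or 'a.b.example.net'."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        pattern = pattern.lower().rstrip(".")
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.net"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == pattern:
            return True
    return False

def check_deployment(txt_record, policy_text):
    """Run both parsers; returns a list of problems, empty when both are valid."""
    problems = []
    try:
        parse_sts_record(txt_record)
    except ValueError as exc:
        problems.append(f"TXT record: {exc}")
    try:
        parse_policy(policy_text)
    except ValueError as exc:
        problems.append(f"policy file: {exc}")
    return problems

class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """RFC 8461 section 3.3: a sender must not follow 3xx redirects for the policy."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect not allowed", headers, fp)

def fetch_policy(domain, timeout=10.0):
    """Fetch and parse the live policy the way a sender would (needs network).
    urllib checks the certificate against the system trust store, the handler
    above refuses redirects, and the body must be served as text/plain."""
    opener = urllib.request.build_opener(_RefuseRedirects)
    with opener.open(policy_url(domain), timeout=timeout) as resp:
        ctype = resp.headers.get_content_type()
        if ctype != "text/plain":
            raise ValueError(f"policy must be served as text/plain, got {ctype}")
        body = resp.read(64 * 1024).decode("utf-8")  # cap the body; policies are tiny
    return parse_policy(body)
```

Run check_deployment against the TXT record you are about to publish and the file you are about to upload; an empty list means both parse cleanly. mx_matches is the check worth running against the actual hostnames your MX records return, since an mx pattern that does not cover them is exactly the misconfiguration that makes enforce mode bounce inbound mail.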
