Suped

What is the file name for an MTA-STS policy?

When implementing MTA-STS (Mail Transfer Agent Strict Transport Security), getting the details right is crucial for it to work correctly. A common point of confusion is the exact filename and location required for the policy file. MTA-STS (RFC 8461) lets a receiving domain declare that mail for it must be delivered over TLS to a published set of MX hosts; a sending server that honours the policy refuses to fall back to plaintext or to an unlisted MX, which defeats STARTTLS-stripping downgrades and MX spoofing by a man-in-the-middle.

IETF Datatracker says:
MTA-STS is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections.

The short answer is that the required file name for an MTA-STS policy is mta-sts.txt. This specific name is mandated by the standard, defined in RFC 8461. However, just creating the file is not enough; it must be hosted at a very specific location to be discoverable by sending mail servers.

EighTwOne (821) says:
Now, create the policy file that needs to be named mta-sts...

The location of the policy file

The MTA-STS policy file must be accessible via HTTPS on a specific subdomain and within a particular directory. The standard requires that the file be served from a subdomain named mta-sts for your domain. For example, if your domain is example.com, the policy must be hosted on mta-sts.example.com.

Cloudflare Docs says:
Next you need an HTTPS endpoint at mta-sts.example.com to serve your policy file. This file defines the mail servers in the domain that use MTA-STS.

Furthermore, the file must be located within a directory named .well-known. This is a common convention for hosting policy and discovery files. Therefore, the complete URL for your MTA-STS policy file will be:

  • https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

It is critical that this endpoint presents a certificate that chains to a publicly trusted root and is valid for the name mta-sts.yourdomain.com, and that the file is served directly at that URL with a text/plain content type. RFC 8461 forbids senders from following HTTP redirects, so redirecting the path to a CDN or to the apex domain means the policy is never fetched. A sender that cannot retrieve a valid policy keeps using its cached copy if it has one and otherwise delivers as though no policy existed, so a broken endpoint silently loses you the protection rather than blocking mail.

How the policy file is discovered

Sending servers don't just guess that this file exists. They are prompted to look for it by a DNS record. You must publish a TXT record for the subdomain _mta-sts.yourdomain.com. This record signals that you have an MTA-STS policy.

Mailmodo says:
The policy is published as a TXT record in the domain's DNS zone under the name _mta-sts. ... Step 1: Create the MTA-STS policy file. This step ...

The content of this TXT record is a version tag (v=STSv1), which must come first, followed by an id of 1 to 32 alphanumeric characters, for example v=STSv1; id=20240101T000000. Sending servers cache the policy for max_age seconds and in the meantime only compare the id in DNS against the id they cached, so whenever you change your mta-sts.txt file you must also change the id (a fresh timestamp is the usual choice) to signal to sending servers that they should fetch the new policy. Editing the file without bumping the id means senders keep applying the old policy until their cache expires.

Contents of the mta-sts.txt file

The policy file itself is a simple text file containing key-value pairs. Each pair defines a part of your policy. The primary directives are:

  • version: The protocol version, which must be STSv1.
  • mode: The policy mode: enforce, testing, or none. In enforce mode a sending server refuses delivery if it cannot establish TLS, with a certificate valid for the MX hostname, to one of the listed mx hosts. In testing mode it delivers anyway and only reports the failure (via TLSRPT, if you publish a reporting address), which is where a new deployment should start. A mode of none tells senders to behave as if no policy existed and is the way to retire a policy gracefully before removing the DNS record.
  • mx: One or more lines naming the valid MX hostnames for your domain (e.g. mx: mail.example.com). A wildcard such as mx: *.example.com matches exactly one leftmost label, so it covers mx1.example.com but not example.com itself or a.b.example.com. Every hostname in your MX records must match one of these entries, or enforcing senders will refuse mail.
  • max_age: The maximum time in seconds that a sending server should cache the policy, up to the protocol maximum of 31557600 (one year). Start with a short value such as a day while in testing mode and raise it to weeks only once enforce mode is stable, because a long max_age keeps a mistaken policy in senders' caches for that long.
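The DNS record in the previous section and the policy file above are consumed together by a sending MTA, and the details that bite in practice (the id comparison, the one-label wildcard, what each mode does on failure, the max_age cap) are easiest to see in code. The script below is an added example written for this page; it is not code from any of the quoted sources or from a real MTA. All function names and the two sample records are this example's own constructions, and it runs offline with no DNS or HTTPS lookups.

```python
"""Offline walk-through of how a sending MTA applies an MTA-STS policy (RFC 8461).
Helper names are this example's own, not a library API; sample records are constructed."""
import re
from typing import Optional

MAX_AGE_LIMIT = 31557600          # one year: the ceiling RFC 8461 allows for max_age
VALID_MODES = {"enforce", "testing", "none"}


def policy_url(domain: str) -> str:
    """The only place a sender looks for the policy; HTTP redirects are not followed."""
    return f"https://mta-sts.{domain}/.well-known/mta-sts.txt"


def parse_sts_txt_record(record: str) -> dict:
    """Parse the _mta-sts.<domain> TXT record, e.g. 'v=STSv1; id=20240101T000000Z'."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    # 'v' must be the first field; 'id' is 1-32 alphanumerics and changes on every edit
    if next(iter(fields), None) != "v" or fields["v"] != "STSv1":
        raise ValueError("TXT record must begin with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy_file(text: str) -> dict:
    """Parse mta-sts.txt: one 'key: value' per line (LF or CRLF); mx may repeat."""
    policy = {"mx": []}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())      # MX patterns are case-insensitive
        elif key in policy:
            raise ValueError(f"duplicate field: {key}")
        else:
            policy[key] = value                     # unknown extension fields are kept, not acted on
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer of seconds")
    policy["max_age"] = min(int(policy["max_age"]), MAX_AGE_LIMIT)   # clamp to one year
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx line")
    return policy


def mx_matches(policy: dict, mx_host: str) -> bool:
    """Is this MX hostname allowed? '*.example.com' matches exactly one leftmost
    label (mx1.example.com), not example.com itself and not a.b.example.com."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                         # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy: dict, mx_host: str, tls_ok: bool) -> str:
    """Outcome for one MX. tls_ok means STARTTLS succeeded with a certificate
    valid for mx_host that chains to a trusted root."""
    if policy["mode"] == "none" or (tls_ok and mx_matches(policy, mx_host)):
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver_and_report"


def needs_refetch(cached_id: Optional[str], txt_record: str) -> bool:
    """Senders re-download mta-sts.txt only when the DNS id differs from the
    cached one, which is why the id must change with every policy edit."""
    return cached_id is None or parse_sts_txt_record(txt_record)["id"] != cached_id


# Constructed sample records (not real DNS data)
SAMPLE_TXT = "v=STSv1; id=20240101T000000Z"
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\n"
                 "mx: *.backup.example.com\r\nmax_age: 604800\r\n")

if __name__ == "__main__":
    policy = parse_policy_file(SAMPLE_POLICY)
    print(policy_url("example.com"), policy)
    for mx in ("mail.example.com", "mx1.backup.example.com", "rogue.example.net"):
        print(mx, delivery_decision(policy, mx, tls_ok=True))
```

Two design points are worth noting. The parser clamps rather than rejects an over-large max_age because that is how RFC 8461 tells senders to treat it, so publishing a bigger number buys nothing. And the wildcard test insists on exactly one label to the left of the pattern: a policy of mx: *.example.com does not cover mail served by example.com itself, which is a common reason an enforce policy starts refusing mail that testing mode had been delivering.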

In summary, while the filename is a simple mta-sts.txt, a successful MTA-STS implementation depends on placing that file in the correct web location and publishing the corresponding DNS record to make it discoverable.
