When implementing MTA-STS (Mail Transfer Agent Strict Transport Security), getting the details right is crucial for it to work correctly. A common point of confusion is the exact filename and location required for the policy file. MTA-STS is a security standard that helps prevent man-in-the-middle attacks and ensures emails are sent over an encrypted TLS connection.
The short answer is that the required file name for an MTA-STS policy is mta-sts.txt. This specific name is mandated by the standard, defined in RFC 8461. However, just creating the file is not enough; it must be hosted at a very specific location to be discoverable by sending mail servers.
The location of the policy file
The MTA-STS policy file must be accessible via HTTPS on a specific subdomain and within a particular directory. The standard requires that the file be served from a subdomain named mta-sts for your domain. For example, if your domain is example.com, the policy must be hosted on mta-sts.example.com.
Furthermore, the file must be located within a directory named .well-known. This is a common convention for hosting policy and discovery files. Therefore, the complete URL for your MTA-STS policy file will be:
- https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
It is critical that this endpoint is secured with a valid TLS certificate and serves the file with a text/plain content type.
How the policy file is discovered
Sending servers don't just guess that this file exists. They are prompted to look for it by a DNS record. You must publish a TXT record for the subdomain _mta-sts.yourdomain.com. This record signals that you have an MTA-STS policy.
The content of this TXT record includes a version tag (v=STSv1) and an ID (id=...). The ID value is important for policy updates; whenever you change your mta-sts.txt file, you must also update the ID in your DNS record to signal to receiving servers that they should fetch the new policy.
Contents of the mta-sts.txt file
The policy file itself is a simple text file containing key-value pairs. Each pair defines a part of your policy. The primary directives are:
- version: The protocol version, which must be STSv1.
- mode: The policy mode. This can be enforce, testing, or none. The enforce mode tells servers to block delivery if a secure connection cannot be established.
- mx: One or more lines specifying the valid mail server hostnames for your domain (e.g., mx: mail.example.com).
- max_age: The maximum time in seconds that a sending server should cache the policy. This is typically set to a large value, like several weeks or months.
In summary, while the filename is a simple mta-sts.txt, a successful MTA-STS implementation depends on placing that file in the correct web location and publishing the corresponding DNS record to make it discoverable.
Which DMARC tag specifies the policy for subdomains?
Is the 'sp' tag mandatory in a DMARC record?
What DMARC policy setting offers the strongest protection?
What DMARC tag indicates the policy version?
What is the specific format for the BIMI TXT record name?
What type of certificate is used for BIMI logos?
