SMTP MTA Strict Transport Security (MTA-STS), defined in RFC 8461, is a standard for protecting email in transit. It lets a receiving domain tell sending mail servers that SMTP connections to its MX hosts must use TLS with a trusted certificate, and (in enforce mode) that delivery must be refused when that is not possible. A core component of MTA-STS is the policy file, a small plain-text file that states the rules for secure delivery to your domain.
This file tells sending mail servers which of your MX hosts are legitimate and whether they must use an encrypted connection. In the words of RFC 8461, it is a mechanism that lets mail service providers declare their ability to receive TLS-secured SMTP connections and specify whether senders should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.
Let's break down the exact format of this policy file.
Before we get into the file's contents, it's critical to know where it lives. The MTA-STS policy file must be a plain text file named mta-sts.txt, served over HTTPS from the mta-sts subdomain of your domain, inside the .well-known directory.
The full, exact URL will be: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
This URL structure is non-negotiable. Sending servers will look for your policy at this exact location and nowhere else; they will not follow HTTP redirects, they expect a Content-Type of text/plain, and they require a certificate that is valid for mta-sts.yourdomain.com and chains to a trusted root (a self-signed or expired certificate makes the policy unusable). As noted by the SANS Internet Storm Center, implementing the standard involves two parts: a DNS TXT record to advertise support and the policy file itself.
The policy file uses a simple key-value format: one directive per line, the key followed by a colon and its value, with lines separated by LF or CRLF. Sending servers ignore keys they do not recognise, so the format can be extended, but a file that lacks a required key, or whose values do not parse, is an invalid policy that senders will not apply. The directives are:
version: Required. Must be exactly STSv1, the only version currently defined.
mode: Required. One of enforce (senders refuse delivery to an MX that fails TLS or hostname validation), testing (senders deliver anyway but report failures via TLSRPT, RFC 8460) or none (no policy in effect; used to retire a policy cleanly).
max_age: Required. How long, in seconds, senders may cache the policy. A non-negative integer no larger than 31557600 (one year); the policy is re-fetched when it expires or when the id in the DNS record changes.
mx: One line per allowed MX host. Needed for enforce and testing. A leading "*." matches exactly one label, so *.yourdomain.com covers mail.yourdomain.com but not yourdomain.com itself or a.mail.yourdomain.com.
Putting it all together, a simple but effective MTA-STS policy file for a domain with two mail exchangers, in testing mode with a max age of 30 days, looks like this:
version: STSv1
mode: testing
max_age: 2592000
mx: mail.yourdomain.com
mx: mail-backup.yourdomain.com
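To make the format rules and the example above concrete, here is an added example (my own code, not from the page or from any MTA) that parses and validates a policy file the way a sending MTA would, matches MX hostnames against the mx patterns including the one-label wildcard rule, applies the mode to decide what happens on a failure, parses the companion DNS TXT record, and fetches a live policy without following redirects. The domain names and record values are constructed for illustration; the required-mx check for enforce/testing and the max_age cap follow RFC 8461.

```python
"""RFC 8461 MTA-STS policy parser, MX matcher and TXT-record parser.
Added example; the sample domain names and records below are constructed.
"""
import re
import urllib.request

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age is capped at one year in seconds
MODES = ("enforce", "testing", "none")
REQUIRED = ("version", "mode", "max_age")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
MX_PATTERN_RE = re.compile(rf"^(?:\*\.)?{LABEL}(?:\.{LABEL})+$")  # hostname, optional "*."
TXT_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


class PolicyError(ValueError):
    """The policy or TXT record is invalid; a sender must not apply it."""


def parse_policy(text):
    """Parse mta-sts.txt into {'mode', 'max_age', 'mx'} or raise PolicyError."""
    fields, mx = {}, []
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:  # a line that is not "key: value" is a syntax error, not an unknown key
            raise PolicyError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            if not MX_PATTERN_RE.match(value):
                raise PolicyError(f"bad mx pattern: {value!r}")
            mx.append(value.lower())
        elif key in REQUIRED:
            fields[key] = value
        # any other key is an extension field and is ignored, as RFC 8461 requires
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise PolicyError(f"missing required field(s): {', '.join(missing)}")
    if fields["version"] != "STSv1":  # the file says STSv1, not MTA-STSv1
        raise PolicyError(f"unsupported version: {fields['version']!r}")
    if fields["mode"] not in MODES:
        raise PolicyError(f"unknown mode: {fields['mode']!r}")
    if not fields["max_age"].isdigit() or int(fields["max_age"]) > MAX_AGE_LIMIT:
        raise PolicyError(f"max_age must be an integer <= {MAX_AGE_LIMIT}: {fields['max_age']!r}")
    if not mx and fields["mode"] != "none":
        raise PolicyError("enforce/testing policies need at least one mx line")
    return {"mode": fields["mode"], "max_age": int(fields["max_age"]), "mx": mx}


def mx_matches(policy, mx_host):
    """True if mx_host is listed. A '*.' pattern matches exactly one extra label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.net"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, tls_ok):
    """What a sender does with one MX: the mode decides how a failure is handled."""
    if policy["mode"] == "none" or (tls_ok and mx_matches(policy, mx_host)):
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"


def parse_txt_record(record):
    """Parse the _mta-sts.<domain> TXT record ('v=STSv1; id=...') and return the id."""
    parts = [p.strip() for p in record.split(";")]
    if parts and parts[-1] == "":
        parts.pop()  # a trailing ';' is allowed
    pairs = [tuple(s.strip() for s in p.partition("=")[::2]) for p in parts]
    if not pairs or pairs[0] != ("v", "STSv1"):
        raise PolicyError("TXT record must begin with v=STSv1")
    ids = [v for k, v in pairs[1:] if k == "id"]
    if len(ids) != 1 or not TXT_ID_RE.match(ids[0]):
        raise PolicyError("TXT record needs exactly one id of 1-32 letters/digits")
    return ids[0]


def fetch_policy(domain, timeout=10):
    """Fetch a live policy as a sender must: fixed URL, verified TLS, no redirects, text/plain."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            raise PolicyError(f"policy fetch redirected ({code}); senders must not follow")
    url = f"https://mta-sts.{domain}/.well-known/mta-sts.txt"
    with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
        if resp.headers.get_content_type() != "text/plain":
            raise PolicyError(f"unexpected Content-Type {resp.headers.get_content_type()!r}")
        return resp.read().decode("ascii")  # policy syntax is ASCII-only


# Constructed sample inputs for offline use (not a real domain or record).
SAMPLE_POLICY = ("version: STSv1\nmode: testing\nmax_age: 2592000\n"
                 "mx: mail.yourdomain.com\nmx: mail-backup.yourdomain.com\n")
SAMPLE_TXT = "v=STSv1; id=20240601120000Z;"

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(policy, parse_txt_record(SAMPLE_TXT))
    print(delivery_decision(policy, "rogue.attacker.example", True))  # deliver-and-report
```

Run it against your own deployment with `fetch_policy("yourdomain.com")` followed by `parse_policy(...)`: a redirect, a wrong Content-Type or a certificate that does not validate raises before any parsing, which is exactly where most real deployments fail. Note that a policy whose version line reads MTA-STSv1 is rejected outright, and that in testing mode a hostname mismatch still delivers the message, so the only visible signal is a TLSRPT report.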
Once you have created this file and hosted it at the correct URL, you'll need to create the corresponding DNS record to activate the policy: a TXT record at _mta-sts.yourdomain.com with the value v=STSv1; id=<value>, where the id is a string of up to 32 letters and digits that you change every time the policy file changes, since senders use it to decide whether to re-fetch a cached policy. Start in testing mode with a TLSRPT record in place, watch the reports, and only then switch to enforce. A correctly formatted policy file is the foundation of a successful MTA-STS deployment, helping to secure your domain's email against STARTTLS downgrade and MX redirection attacks.