Suped

What is the 'version' field in an MTA-STS policy?

Mail Transfer Agent Strict Transport Security, or MTA-STS, is a security standard designed to protect emails from man-in-the-middle and downgrade attacks. It works by allowing a domain to publish a policy that requires sending mail servers to use an encrypted TLS connection. If a secure connection can't be established, the email isn't delivered, which prevents it from being intercepted or tampered with in transit.

This policy is defined in a simple text file hosted at a specific web address. The file contains several key-value pairs that configure the security requirements. One of the most fundamental, yet sometimes confusing, fields in this policy is the version field.

The purpose of the 'version' field

The version field, often written as v= in DNS records, is simply a protocol version identifier. Its primary job is to tell the sending mail server which version of the MTA-STS standard the policy adheres to. As of today, there is only one version.

Mailmodo says:
This field specifies the version of MTA-STS that is being used, such as “STSv1”.

For any MTA-STS policy to be considered valid, the value for the version field must be STSv1. This is not optional. The official standard, RFC 8461, explicitly defines this requirement. Although the standard was designed with future versions in mind, no new versions have been released yet.

What does a policy file look like?

To give you some context, here are the key fields that make up a typical MTA-STS policy file:

  • version: The protocol version, which must be STSv1.
  • mode: This defines how strictly the policy should be applied. The possible values are testing, enforce, or none.
  • mx: A list of your domain's authorized mail server hostnames (the mail exchangers from your MX records).
  • max_age: The maximum time in seconds that a sending server should cache the policy.

A simple policy file might look like this:

    version: STSv1
    mode: testing
    mx: mail.example.com
    max_age: 86400

Jaap Wesselius says:
Version identifies the version of MTA-STS but must always be STSv1 (for now at least).

What happens if the version is wrong?

If the version field is missing, misspelled, or set to anything other than STSv1, sending servers will treat the entire policy as invalid. They will ignore it completely, and your domain will not be protected by MTA-STS. It's a simple but strict requirement; there is no room for error.
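As an added example (not code from the original article or from any mail server), the Python below checks a policy body the way the paragraph above describes: the version must match STSv1 exactly, and any other value makes the whole policy unusable. The function names are illustrative, and the mode, mx and max_age checks are assumptions based on RFC 8461 rather than on this page.

```python
import re

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # upper bound for max_age in RFC 8461, in seconds (assumption)

def parse_policy(text):
    """Parse 'key: value' lines; mx may repeat, other keys keep the first value."""
    fields = {"mx": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            return None  # a line without ':' makes the body unparseable
        key, value = key.strip(), value.strip()
        if key == "mx":
            fields["mx"].append(value)
        else:
            fields.setdefault(key, value)
    return fields

def validate_policy(text):
    """Return (usable, reason); usable=False means senders ignore the policy."""
    f = parse_policy(text)
    if f is None:
        return False, "malformed line"
    # Exact, case-sensitive match: 'stsv1', 'STSV1' and 'STSv2' all fail.
    if f.get("version") != "STSv1":
        return False, f"version is {f.get('version')!r}, expected 'STSv1'"
    if f.get("mode") not in VALID_MODES:
        return False, f"mode is {f.get('mode')!r}"
    age = f.get("max_age", "")
    if not re.fullmatch(r"[0-9]{1,10}", age) or int(age) > MAX_AGE_LIMIT:
        return False, f"max_age is {age!r}"
    if f["mode"] != "none" and not f["mx"]:
        return False, "no mx entries"
    return True, "ok"

# The policy from this page, plus constructed variants with a broken version.
PAGE_POLICY = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 86400\n"
SAMPLES = {
    "page policy": PAGE_POLICY,
    "missing version": PAGE_POLICY.replace("version: STSv1\n", ""),
    "wrong case": PAGE_POLICY.replace("STSv1", "STSV1"),
    "unknown version": PAGE_POLICY.replace("STSv1", "STSv2"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:16} -> {validate_policy(body)}")
```

Running a check like this against the published file before changing mode to enforce catches a version typo while the policy is still in testing.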

In short, while it may seem like a minor detail, the version: STSv1 declaration is the cornerstone of a valid MTA-STS policy. Without it, the other settings like mode and mx have no effect, leaving your email communication vulnerable.