When you're setting up new email security standards, understanding the technical details, like which network ports are used, is crucial for a smooth implementation. MTA-STS (Mail Transfer Agent Strict Transport Security) is a key standard for protecting email in transit, but it has a couple of moving parts that can be confusing. A common question I see is about which port is used for fetching the MTA-STS policy file.
The short answer is that MTA-STS uses TCP port 443. This is the standard port for HTTPS traffic. The policy file isn't fetched over an email-specific port like 25 or 587, which is a common point of confusion. Instead, the process relies on the secure, established infrastructure of the web.
How the policy fetching process works
MTA-STS is designed to tell a sending mail server that emails to your domain must be sent over an encrypted connection. To do this, the sending server needs to retrieve your domain's MTA-STS policy first. This process involves two key parts: a DNS record and a policy file hosted on a web server.
- DNS Record: First, a sending server looks for a specific TXT record at _mta-sts.yourdomain.com. This record tells the world that you support MTA-STS and specifies the subdomain where your policy file is hosted.
- Policy File: The sending server then makes an HTTPS request to retrieve the policy file from a well-known URL. The URL looks like this: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
Because this policy is fetched using HTTPS, the connection automatically targets the standard HTTPS port, which is TCP 443. The security of the policy itself is paramount; it must be fetched over a secure channel to be trusted. Using HTTPS ensures the policy can't be tampered with in transit by a would-be attacker.
Can you use a different port for MTA-STS?
While you can technically configure a web server to respond on any port, you should not use a non-standard port for your MTA-STS policy. The MTA-STS standard (RFC 8461) expects the policy to be available at a standard HTTPS URL. Sending mail servers are not designed to check for your policy on a custom port.
For example, some users attempting a manual setup might configure their web server to listen on an alternate port like 10443. However, a remote server trying to fetch mta-sts.yourdomain.com will connect to port 443 by default and will fail to find the policy file, rendering the entire MTA-STS setup ineffective.
To ensure your MTA-STS policy is discoverable and works as intended, you must host it on a web server that responds to requests on the standard TCP port 443.
What is the file name for an MTA-STS policy?
Does MTA-STS require DNSSEC for policy discovery?
What DNS record type is used for MTA-STS policy discovery?
What is the purpose of the 'id' tag in an MTA-STS policy TXT record?
Does MTA-STS ensure end-to-end encryption?
What is the 'version' field in an MTA-STS policy?
