Suped

What port does MTA-STS typically use for policy fetching?

When you're setting up new email security standards, understanding the technical details, like which network ports are used, is crucial for a smooth implementation. MTA-STS (Mail Transfer Agent Strict Transport Security) is a key standard for protecting email in transit, but it has a couple of moving parts that can be confusing. A common question I see is about which port is used for fetching the MTA-STS policy file.

The short answer is that MTA-STS uses TCP port 443. This is the standard port for HTTPS traffic. The policy file isn't fetched over an email-specific port like 25 or 587, which is a common point of confusion. Instead, the process relies on the secure, established infrastructure of the web.


How the policy fetching process works

MTA-STS is designed to tell a sending mail server that emails to your domain must be sent over an encrypted connection. To do this, the sending server needs to retrieve your domain's MTA-STS policy first. This process involves two key parts: a DNS record and a policy file hosted on a web server.

  • DNS Record: First, a sending server looks for a specific TXT record at _mta-sts.yourdomain.com. This record tells the world that you support MTA-STS and specifies the subdomain where your policy file is hosted.
  • Policy File: The sending server then makes an HTTPS request to retrieve the policy file from a well-known URL. The URL looks like this: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.

Because this policy is fetched using HTTPS, the connection automatically targets the standard HTTPS port, which is TCP 443. The security of the policy itself is paramount; it must be fetched over a secure channel to be trusted. Using HTTPS ensures the policy can't be tampered with in transit by a would-be attacker.

Search Security says:
The MTA-STS protocol is implemented by having a DNS record that specifies that a mail server can fetch a policy file from a defined subdomain.

Can you use a different port for MTA-STS?

While you can technically configure a web server to respond on any port, you should not use a non-standard port for your MTA-STS policy. The MTA-STS standard (RFC 8461) expects the policy to be available at a standard HTTPS URL. Sending mail servers are not designed to check for your policy on a custom port.

For example, some users attempting a manual setup might configure their web server to listen on an alternate port like 10443. However, a remote server trying to fetch the policy from mta-sts.yourdomain.com will connect to port 443 by default and will fail to find the policy file, rendering the entire MTA-STS setup ineffective.

To ensure your MTA-STS policy is discoverable and works as intended, you must host it on a web server that responds to requests on the standard TCP port 443.
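To make the two-step discovery above concrete (the _mta-sts TXT record, then the well-known policy URL and the port a sender actually connects to), here is an added Python example that is not part of the original article or any Suped code. It parses the record formats defined in RFC 8461 and derives the port from the URL; the example.com records are constructed sample data, and no DNS or HTTP requests are made.

```python
from urllib.parse import urlsplit

# RFC 8461: TXT at _mta-sts.<domain>; policy at https://mta-sts.<domain>/.well-known/mta-sts.txt
POLICY_PATH = "/.well-known/mta-sts.txt"

def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record ('v=STSv1; id=...') into a dict."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            fields[k.strip()] = v.strip()
    if fields.get("v") != "STSv1" or "id" not in fields:
        raise ValueError("not a valid MTA-STS TXT record")
    return fields

def policy_url(domain):
    """Well-known policy URL a sender derives from the mail domain."""
    return f"https://mta-sts.{domain}{POLICY_PATH}"

def effective_port(url):
    """Port the sender connects to: an explicit port if present, else 443 for https."""
    u = urlsplit(url)
    if u.scheme != "https":
        raise ValueError("MTA-STS policy must be fetched over https")
    return u.port or 443

def parse_policy(body):
    """Parse mta-sts.txt ('key: value' lines, CRLF or LF) into a dict with an mx list."""
    policy = {"mx": []}
    for line in body.splitlines():
        if ":" not in line:
            continue
        k, v = (s.strip() for s in line.split(":", 1))
        if k == "mx":
            policy["mx"].append(v)
        else:
            policy[k] = v
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy.get("max_age", "0"))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy needs at least one mx")
    return policy

# Constructed sample records for example.com (not fetched from DNS or HTTP)
SAMPLE_TXT = "v=STSv1; id=20240101T000000"
SAMPLE_POLICY = "version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\nmx: *.example.net\r\nmax_age: 604800\r\n"
```

Note that `effective_port` only reports a non-443 port when the URL names one explicitly; since senders build the URL from the domain alone, a policy served on 10443 is never reached.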
