The short answer is that a TXT record is used for Mail Transfer Agent Strict Transport Security (MTA-STS) policy discovery. This special DNS record doesn't hold the policy itself, but it acts as a signpost, letting other mail servers know that you have an MTA-STS policy in place.
When a sending mail server wants to deliver an email to your domain, it first looks for this specific DNS record to see if you support MTA-STS. This is the very first step in the process of establishing a secure, encrypted connection for email delivery.
For MTA-STS to function, you need to publish a TXT record at a very specific location in your DNS. The record must be created for the subdomain _mta-sts.yourdomain.com (replacing yourdomain.com with your actual domain).
The underscore prefix is intentional and significant. As outlined in RFC 8552, this naming convention is used to separate special, service-specific records from regular DNS records, preventing any potential conflicts.
The content of this TXT record is quite simple. It typically contains two key-value pairs: v=STSv1, which declares the protocol version, and id=<identifier>, a short alphanumeric string that you change whenever you update your policy.
As the official RFC for MTA-STS explains, this DNS record is the key to policy discovery. The id value is particularly important. Sending servers will cache your MTA-STS policy for a set period. They only check for a new policy if the id in your DNS record has changed since the last time they looked.
Crucially, the TXT record only signals the existence of a policy. The policy itself, which specifies the rules for secure email transmission, is hosted as a plain text file on a web server over a secure HTTPS connection. The standard location for this file is https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The sending server fetches this file after it successfully finds and validates your TXT record.
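The discovery steps described above, worked through as an added example that is not part of the original article: it validates a `_mta-sts` TXT record, parses the policy file that a sending server would fetch from the `.well-known` URL, decides from the `id` whether a cached policy needs refreshing, and checks a candidate MX hostname against the policy's `mx` patterns. The TXT record, policy body and the domain `example.com` are constructed samples, and no DNS or HTTPS lookups are performed.

```python
import re

# Constructed sample TXT record, as a sending MTA would receive it from DNS
# for _mta-sts.example.com (example.com is a placeholder domain).
SAMPLE_TXT = "v=STSv1; id=20240101T000000"

# Constructed sample policy body, as it would be fetched from
# https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def txt_record_name(domain):
    """DNS name at which the signpost TXT record must live."""
    return f"_mta-sts.{domain}"


def policy_url(domain):
    """HTTPS location of the policy file for the domain."""
    return f"https://mta-sts.{domain}/.well-known/mta-sts.txt"


def parse_sts_txt(record):
    """Parse 'v=STSv1; id=...' into a dict, rejecting malformed records."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("missing or unsupported version tag")
    # RFC 8461: id is 1 to 32 alphanumeric characters
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text):
    """Parse the key: value policy file; 'mx' may repeat, max_age is seconds."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if "max_age" not in policy:
        raise ValueError("max_age is required")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required")
    return policy


def needs_refresh(cached_id, dns_id):
    """A cached policy is only re-fetched when the id in DNS has changed."""
    return cached_id != dns_id


def mx_matches(mx_host, patterns):
    """Check an MX hostname against policy mx patterns.

    A leading '*.' matches exactly one label, as with TLS certificate
    wildcards, so '*.backup.example.com' accepts 'mx1.backup.example.com'
    but not 'a.b.backup.example.com'.
    """
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".backup.example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    dns = parse_sts_txt(SAMPLE_TXT)
    print(txt_record_name("example.com"), "->", dns)
    print(policy_url("example.com"), "->", parse_policy(SAMPLE_POLICY))
```

A sending server that already holds a policy for the domain compares the cached `id` with the one it just read from DNS; only on a mismatch (or cache expiry after `max_age` seconds) does it go back to the HTTPS URL, which is why the `id` must change with every policy edit.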
While the MTA-STS standard is built on the TXT record, you might encounter some services that ask you to create a CNAME record instead. For example, some email service providers that manage your MTA-STS policy for you might ask you to create a CNAME record for _mta-sts.yourdomain.com pointing to a domain they control (e.g., mta-sts.serviceprovider.com).
In this scenario, you are delegating the management of the MTA-STS DNS record. Your CNAME record simply points to their domain, and they are responsible for publishing the actual TXT record. This is a common practice for simplifying configuration, but underneath it all, a TXT record is still what sending servers are looking for.