When implementing MTA-STS (Mail Transfer Agent Strict Transport Security), getting the details right is crucial for it to work correctly. A common point of confusion is the exact filename and location required for the policy file. MTA-STS is a security standard that helps prevent man-in-the-middle attacks and ensures emails are sent over an encrypted TLS connection.
The short answer is that the required file name for an MTA-STS policy is mta-sts.txt. This specific name is mandated by the standard, defined in RFC 8461. However, just creating the file is not enough; it must be hosted at a very specific location to be discoverable by sending mail servers.
The MTA-STS policy file must be accessible via HTTPS on a specific subdomain and within a particular directory. The standard requires that the file be served from a subdomain named mta-sts for your domain. For example, if your domain is example.com, the policy must be hosted on mta-sts.example.com.
Furthermore, the file must be located within a directory named .well-known. This is a common convention for hosting policy and discovery files. Therefore, the complete URL for your MTA-STS policy file will be https://mta-sts.example.com/.well-known/mta-sts.txt (for the domain example.com).
It is critical that this endpoint is secured with a valid TLS certificate and serves the file with a text/plain content type.
Sending servers don't just guess that this file exists. They are prompted to look for it by a DNS record. You must publish a TXT record for the subdomain _mta-sts.yourdomain.com. This record signals that you have an MTA-STS policy.
The content of this TXT record includes a version tag (v=STSv1) and an ID (id=...). The ID value is important for policy updates; whenever you change your mta-sts.txt file, you must also update the ID in your DNS record to signal to receiving servers that they should fetch the new policy.
The policy file itself is a simple text file containing key-value pairs. Each pair defines a part of your policy. The primary directives are:
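As an added example (not code from the original page), the following Python checks a policy file and its _mta-sts TXT record against the RFC 8461 rules described above: the record must carry v=STSv1 and an id; the policy's directives are version (STSv1), mode (enforce, testing or none), one or more mx patterns and max_age in seconds; and an MX host matches a wildcard mx pattern only on a single leftmost label. The sample record and policy are constructed for illustration.

```python
# Added example (not from the page): validate an MTA-STS policy file and its
# _mta-sts TXT record as RFC 8461 defines them. Sample inputs are constructed.
SAMPLE_TXT = "v=STSv1; id=20240101T120000"
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
                 "mx: *.backup.example.com\nmax_age: 604800\n")
MODES = {"enforce", "testing", "none"}

def parse_sts_record(txt):
    """Return the v/id fields of the _mta-sts TXT record, or raise ValueError."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if p.strip())
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("TXT record needs v=STSv1 and a non-empty id")
    return fields

def parse_policy(text):
    """Parse 'key: value' lines of mta-sts.txt; mx may repeat, so it is a list."""
    policy = {"mx": []}
    for line in (l for l in text.splitlines() if l.strip()):
        key, sep, val = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, val = key.strip(), val.strip()
        if key == "mx":
            policy["mx"].append(val.lower())
        else:
            policy[key] = val
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in MODES:
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer of seconds")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx entry")
    return policy

def mx_matches(policy, mx_host):
    """True if mx_host is allowed; a leading '*.' matches exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            _first, dot, parent = host.partition(".")
            if dot and parent == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False
```

A sending MTA that has fetched the policy would call mx_matches for each MX host it is about to connect to and, in enforce mode, refuse delivery to any host that is not covered.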
In summary, while the filename is a simple mta-sts.txt, a successful MTA-STS implementation depends on placing that file in the correct web location and publishing the corresponding DNS record to make it discoverable.