MTA-STS, or Mail Transfer Agent Strict Transport Security, is an important security standard designed to enforce TLS encryption for SMTP connections. This helps prevent man-in-the-middle attacks and ensures that email traffic between supporting servers is always encrypted. At its heart lies the MTA-STS policy file, which dictates how sending mail servers should interact securely with your domain.
The policy file itself is a simple plain text file that contains a series of key-value pairs. Each pair is placed on its own line, providing clear instructions to external mail servers attempting to deliver email to your domain. Understanding this format is essential for any organization looking to enhance their email security posture and ensure reliable message delivery.
Properly configuring this file is critical. An incorrectly formatted or inaccessible policy can lead to email delivery issues or, worse, leave your domain vulnerable to downgrade attacks where encryption is bypassed. We will explore the structure, necessary fields, and hosting requirements to ensure your MTA-STS implementation is robust.
Core components of the MTA-STS policy file
Every MTA-STS policy file must begin with a version field. This key is set to STSv1, the only policy version currently defined, and tells a sending server which standard to apply when interpreting the policy's directives. Without a correctly specified version, the policy may be ignored entirely.
Next, the mode field defines the policy's enforcement level. This is a critical setting that tells a sending server how strictly to apply MTA-STS. There are three possible values: enforce, testing, and none. Each one has different implications for email delivery and security.
The max_age field, specified in seconds, indicates how long a sending server should cache your MTA-STS policy. This value dictates the policy's freshness and how frequently a sending server should re-fetch it. A recommended max_age is typically around 604800 seconds (seven days), balancing efficiency with the need to propagate policy changes quickly.
Finally, the mx field lists the MX hosts that are authorized to receive mail for your domain. It acts as an allow-list: only the mail exchangers named here may receive email under your policy, and a sending server will refuse delivery to any other host while the policy is in enforce mode. If your MX records change, it's vital to update this field promptly to prevent delivery failures.
Field      Description                                Example Value
version    Indicates the policy protocol version.     STSv1
mode       Specifies the policy enforcement level.    enforce, testing, or none
max_age    Duration in seconds for policy caching.    604800
mx         List of authorized MX hosts.               mail.example.com
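The four fields above are easiest to understand as what a sending server actually checks. The parser below is an added example, not code from the article or from any MTA: it reads a policy in the key-value format, rejects a missing or invalid version, mode or max_age, and matches a candidate MX hostname against the mx entries, including the single-label wildcard form. The sample policy and the hosts mail.example.com and *.mail.example.com are constructed placeholders; the 31557600-second ceiling on max_age is the one RFC 8461 specifies.

```python
"""Parse and validate an MTA-STS policy file (RFC 8461 key: value format).

Added example, not code from the original article. SAMPLE_POLICY and the
hostnames in it are constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample policy, written with CRLF line endings on purpose:
# the format allows CRLF or LF, so a parser must accept both.
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.mail.example.com\r\n"
    "max_age: 604800\r\n"
)

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_CEILING = 31557600  # one year, the upper bound given in RFC 8461
# A hostname of at least two labels, optionally prefixed with "*." (one-label wildcard).
HOSTNAME_RE = re.compile(
    r"^(\*\.)?[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$"
)


@dataclass
class Policy:
    version: str
    mode: str
    max_age: int
    mx: list = field(default_factory=list)


def parse_policy(text: str) -> Policy:
    """Parse key: value lines into a Policy; raise ValueError on any defect."""
    version = mode = max_age = None
    mx, seen = [], set()
    for raw in text.splitlines():  # splitlines() handles both \r\n and \n
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"not a key: value pair: {raw!r}")
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":  # the only key that may legitimately repeat
            if not HOSTNAME_RE.match(value.lower()):
                raise ValueError(f"invalid mx host: {value!r}")
            mx.append(value.lower())
            continue
        if key in seen:
            raise ValueError(f"duplicate field: {key}")
        seen.add(key)
        if key == "version":
            if value != "STSv1":
                raise ValueError(f"unsupported version: {value!r}")
            version = value
        elif key == "mode":
            if value not in VALID_MODES:
                raise ValueError(f"invalid mode: {value!r}")
            mode = value
        elif key == "max_age":
            if not value.isdigit() or int(value) > MAX_AGE_CEILING:
                raise ValueError(f"max_age must be 0..{MAX_AGE_CEILING} seconds: {value!r}")
            max_age = int(value)
        # Unknown keys are skipped so that future extensions do not break parsing.
    if version is None or mode is None or max_age is None:
        raise ValueError("version, mode and max_age are all required")
    if mode != "none" and not mx:
        raise ValueError("at least one mx entry is required unless mode is none")
    return Policy(version, mode, max_age, mx)


def is_valid_policy(text: str) -> bool:
    """True if the text parses as a well-formed policy."""
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False


def mx_allowed(policy: Policy, host: str) -> bool:
    """True if an MX hostname is permitted by the policy's mx entries.

    A leading "*." matches exactly one label: *.mail.example.com covers
    mx1.mail.example.com but not mail.example.com or a.b.mail.example.com.
    """
    host = host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[2:]
            if host.endswith("." + suffix) and "." not in host[: -len(suffix) - 1]:
                return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(policy)
    for h in ("mail.example.com", "mx1.mail.example.com", "smtp.example.net"):
        print(h, "allowed" if mx_allowed(policy, h) else "rejected")
```

The mx match is deliberately strict: a host that is not named, or that sits one label too deep under a wildcard, is rejected, which is exactly the behaviour that makes a stale mx list cause delivery failures after an MX change.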
Hosting and retrieval of the policy
The MTA-STS policy file must be hosted on a web server over HTTPS. The exact file name is mta-sts.txt, and it resides within a specific directory path: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. This standardized location ensures that other mail servers can easily discover and retrieve your policy.
To enable policy discovery, you also need a corresponding DNS record in your domain's DNS. This record, typically a TXT record for _mta-sts.yourdomain.com, contains a version and id tag, which acts as a timestamp for policy changes. For comprehensive guidance on creating the policy, Google provides detailed instructions on their support page.
If a sending server attempts to retrieve your policy and the file is not found or returns an error, the behavior of the sending server depends on the cached policy and the mode setting. This is why meticulous hosting and consistent DNS updates are paramount for maintaining MTA-STS efficacy.
Policy file syntax and validation
The policy file must adhere to specific syntax rules. Each key-value pair, such as version: STSv1, should be on a separate line. Both Windows (\r\n) and UNIX (\n) style line separations are acceptable, and other whitespace characters are generally ignored. Microsoft provides further details on this within their documentation for enhancing mail flow.
The web server hosting the MTA-STS policy file must also return the correct content-type. It should be text/plain or application/json. Additionally, a successful retrieval requires the server to return an HTTP status code of 200 OK. Any other status code, like a 404 Not Found, will cause the sending server to treat the policy as unavailable or invalid.
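Discovery and retrieval, as described in the two sections above, can be checked without touching the policy body at all. The code below is an added example, not code from the article or from any mail server, and it makes no network calls: the TXT record and the HTTPS responses are constructed sample data. It builds the well-known policy URL for a domain, parses the _mta-sts TXT record, accepts a fetch only on HTTP 200 with a text/plain content type (the type RFC 8461 requires), and decides when a cached policy must be re-fetched because its max_age has expired or the id in DNS has changed.

```python
"""MTA-STS policy discovery and retrieval checks (added example, offline).

No DNS or HTTPS requests are made; SAMPLE_TXT and HttpResponse objects are
constructed inputs standing in for what a sending server would retrieve.
"""
import re
from dataclasses import dataclass

# Constructed contents of the TXT record at _mta-sts.<domain>.
SAMPLE_TXT = "v=STSv1; id=20240101T000000Z;"

# The id tag is 1 to 32 alphanumeric characters.
ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


def policy_url(domain: str) -> str:
    """Well-known HTTPS location of the policy for a mail domain."""
    return f"https://mta-sts.{domain.lower().rstrip('.')}/.well-known/mta-sts.txt"


def parse_txt_record(txt: str) -> dict:
    """Parse 'v=STSv1; id=...' into a dict; raise ValueError if malformed."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' leaves an empty piece
        if "=" not in part:
            raise ValueError(f"bad TXT field: {part!r}")
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must carry v=STSv1")
    if not ID_RE.match(fields.get("id", "")):
        raise ValueError("TXT record id must be 1-32 alphanumeric characters")
    return fields


def is_valid_txt_record(txt: str) -> bool:
    try:
        parse_txt_record(txt)
        return True
    except ValueError:
        return False


@dataclass
class HttpResponse:
    """The parts of an HTTPS response that matter for policy retrieval."""
    status: int
    content_type: str
    body: str


def fetch_is_usable(resp: HttpResponse) -> bool:
    """A fetch counts only with HTTP 200 and a text/plain media type.

    Any other status (404, 500, a redirect that was not followed) means the
    policy is unavailable; a cached copy, if any, stays in effect until it expires.
    """
    if resp.status != 200:
        return False
    media_type = resp.content_type.split(";")[0].strip().lower()
    return media_type == "text/plain"


@dataclass
class CachedPolicy:
    policy_id: str   # id from the TXT record at the time of the fetch
    fetched_at: float  # seconds since the epoch
    max_age: int       # max_age field of the cached policy


def needs_refresh(cache, current_txt: str, now: float) -> bool:
    """Re-fetch when there is no cache, the cache has expired, or the id changed."""
    if cache is None:
        return True
    if now - cache.fetched_at >= cache.max_age:
        return True
    return parse_txt_record(current_txt)["id"] != cache.policy_id


if __name__ == "__main__":
    print(policy_url("example.com"))
    print(parse_txt_record(SAMPLE_TXT))
    cached = CachedPolicy("20240101T000000Z", fetched_at=0.0, max_age=604800)
    print("refresh:", needs_refresh(cached, SAMPLE_TXT, now=1000.0))
```

The refresh rule is what makes the "outdated policy" pitfall bite: until the id in DNS is bumped, a sender that already holds a valid cached policy will keep using the old mx list for the remainder of max_age, no matter what the file on the web server now says.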
Common MTA-STS configuration pitfalls
Incorrect file name: Policy must be exactly mta-sts.txt. Case sensitivity matters.
Wrong directory: Ensure the file is in the /.well-known/ path.
Missing DNS TXT record: Without the _mta-sts record, policy discovery fails.
Outdated policy: MX record changes require a new policy id and updated mta-sts.txt file.
Incorrect configuration
Policy file at wrong URL
Missing or malformed DNS TXT record for policy
Web server returns 404 or non-200 HTTP status
Correct configuration
Policy file accessible at https://mta-sts.domain.com/.well-known/mta-sts.txt
DNS TXT record v=STSv1; id=20240101T000000Z;
Web server returns HTTP 200 OK and Content-Type: text/plain
Example MTA-STS policy file
Here is a practical example of a well-formed MTA-STS policy file, demonstrating all the mandatory fields configured for secure email delivery to a domain:
Example MTA-STS policy file (mta-sts.txt):
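The policy below is an added example, not the article's original listing. It combines the sample values from the field table above, with mail.example.com as a placeholder MX host and a one-week max_age, into a complete file as it would be served at https://mta-sts.example.com/.well-known/mta-sts.txt.

```text
version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800
```

Serve this file with Content-Type: text/plain and an HTTP 200 status, and publish a matching TXT record at _mta-sts.example.com (for example v=STSv1; id=20240101T000000Z;) whose id you change every time the file changes; a sender that already cached the policy will not re-read the file until the id changes or max_age elapses.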
The MTA-STS policy file is a fundamental component for implementing strong email security. Its plain text, key-value pair format is straightforward, but strict adherence to syntax and hosting requirements is paramount. Misconfigurations can lead to significant deliverability issues or, worse, compromise the encryption MTA-STS is designed to enforce.
Regularly reviewing your MTA-STS setup, including the policy file content, its hosting, and corresponding DNS records, is a best practice. Tools like Suped can help monitor your domain's email authentication, including DMARC, SPF, and DKIM, providing a holistic view of your email security. While MTA-STS complements these, proper configuration of each element ensures your messages reach the inbox securely and reliably.