Mail Transfer Agent Strict Transport Security, or MTA-STS, is a security standard that helps protect emails from man-in-the-middle attacks. It ensures that when mail servers connect to exchange emails, they use an encrypted TLS connection. MTA-STS works by allowing a domain to publish a policy that specifies its mail servers must use encryption and provides the expected server names. A core part of this policy is the max_age directive, which plays a crucial role in how this security mechanism functions.
The MTA-STS policy itself is a simple text file hosted on a specific subdomain. This file contains key-value pairs that define the security requirements for your domain. Besides the version and mode, the max_age field is one of the most important settings.
The max_age field in an MTA-STS policy specifies the lifetime of the policy in seconds. It tells sending mail servers how long they should cache your domain's MTA-STS policy before they need to fetch it again. Essentially, it dictates the policy's maximum valid duration from the moment it is retrieved by a sending server.
When a remote mail server wants to send an email to your domain, it first checks for an MTA-STS policy. If it finds one, it downloads and caches it. The max_age value within that policy determines how long the sending server will rely on this cached version before it attempts to re-validate and download a new one. This caching mechanism is vital for efficiency and resilience.
The max_age directive matters for two primary reasons: performance, because a sending server can reuse the cached policy for the whole lifetime instead of fetching it for every delivery, and security continuity, because a cached policy keeps being applied until it expires even if the policy file is temporarily unreachable.
Choosing the right max_age value depends on your policy's stability. When you are first setting up MTA-STS or making changes, it's wise to use a lower value. A common initial value is 86400 (24 hours). This allows you to quickly propagate any corrections if you find an issue with your setup, especially while your policy is in testing mode.
Once you are confident in your policy and have switched the mode to enforce, you should increase the max_age. A typical value is 604800 (one week), but it can be set much higher. The IETF recommendation allows for values up to 31557600 (about one year). A longer duration improves resilience against policy hosting outages but means that any planned changes to your mail infrastructure (like changing MX records) will take longer to be recognized by all sending servers.
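The following is an added example, not code from the original article or from any MTA-STS implementation. It parses a constructed policy file in the key-value format described above, validates max_age against the 31557600-second ceiling, and models how a sending server caches the policy: the cached copy stays valid until max_age seconds have elapsed since it was fetched, which is also the worst-case delay before a planned change to the policy reaches every sender. The host names in the sample are placeholders, and the wildcard handling for mx entries is included as a convenience for checking which server names the policy expects.

```python
"""Parse an MTA-STS policy file and model the max_age cache lifetime.

Added example; the policy text and host names below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Upper bound on max_age (about one year), in seconds.
MAX_AGE_LIMIT = 31557600
VALID_MODES = {"enforce", "testing", "none"}

# Constructed sample policy, as it would be served as a plain text file
# on the domain's MTA-STS policy host.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class Policy:
    version: str
    mode: str
    mx: List[str]
    max_age: int


def parse_policy(text: str) -> Policy:
    """Parse 'key: value' lines; 'mx' may repeat, other keys appear once."""
    fields: Dict[str, str] = {}
    mx: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            mx.append(value)
        elif key in fields:
            raise ValueError(f"duplicate field: {key}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in VALID_MODES:
        raise ValueError(f"invalid mode: {mode!r}")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    max_age = int(fields["max_age"])
    if max_age > MAX_AGE_LIMIT:
        raise ValueError(f"max_age {max_age} exceeds {MAX_AGE_LIMIT}")
    if mode != "none" and not mx:
        raise ValueError("at least one mx entry is required unless mode is none")
    return Policy(fields["version"], mode, mx, max_age)


@dataclass
class CachedPolicy:
    """A policy as held by a sending server, with the time it was fetched."""
    policy: Policy
    fetched_at: int  # seconds since the epoch

    def expires_at(self) -> int:
        # The policy is valid for max_age seconds from the moment of retrieval.
        return self.fetched_at + self.policy.max_age

    def is_fresh(self, now: int) -> bool:
        # While fresh, the sender relies on the cached copy without refetching.
        return now < self.expires_at()


def mx_matches(pattern: str, host: str) -> bool:
    """Match an mx entry against a server name; '*.' covers one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    fetched = 1_700_000_000
    cached = CachedPolicy(policy, fetched)
    print(f"mode={policy.mode} max_age={policy.max_age}s")
    # A sender that fetched at `fetched` will not look again before this time,
    # so a policy change published now needs up to max_age seconds to propagate.
    print(f"cached copy expires at {cached.expires_at()} (fresh one hour later: "
          f"{cached.is_fresh(fetched + 3600)}, after a week: "
          f"{cached.is_fresh(fetched + 604800)})")
```

Running the script with the sample policy shows a one-week cache window; lowering max_age to 86400 in the sample text shortens that window to a day, which is the trade-off the article describes between resilience and how quickly corrections reach sending servers.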