SMTP MTA Strict Transport Security (MTA-STS), defined in RFC 8461, is a security standard that protects mail in transit between mail servers from interception and tampering. A receiving domain publishes a policy, and a sending mail server that honours it in enforce mode delivers only over a TLS (Transport Layer Security) connection whose certificate matches one of the MX hosts listed in that policy; if no such connection can be made, the message is not delivered to that host rather than sent in the clear. A core field of an MTA-STS policy is max_age. This value tells sending mail servers how long, in seconds, they may cache your domain's policy after fetching it. Caching is a critical defense against downgrade attacks: an attacker positioned between the two servers can strip the STARTTLS offer or block the lookup of your policy, but a sender that still holds a cached policy keeps requiring TLS until that copy expires.
The max_age value represents a trade-off. A longer duration enhances security, because sending servers keep honouring your policy for that long even if an attacker blocks the _mta-sts DNS TXT record or the HTTPS fetch of the policy file. However, it also keeps an old policy alive on any sender that cannot obtain a new one. Senders that see a changed id in your TXT record are expected to refetch the policy, so routine updates are not slowed down by max_age itself; the problem is senders whose refresh fails or who no longer see a record, which in enforce mode will keep rejecting hosts not in their cached MX list until that cache expires. Plan mail server migrations so that old and new hosts both appear in the policy while senders may still hold the old copy. Finding the right balance is key.
The official standard for MTA-STS is RFC 8461, which specifies what a policy domain publishes and how sending MTAs that implement it must behave. On max_age it is specific about the upper end only: the value is a plain-text non-negative integer number of seconds with a maximum of 31557600 (one year), and the RFC notes that values in the range of weeks or greater are expected, so that the cached policy survives attacks at refresh time.
There is no RFC-mandated minimum. The widely used floor of 86400 (one day) is a deployment convention rather than a requirement: a policy cached for less than a day expires quickly and gives an attacker frequent windows in which to suppress the lookup. A value above one year falls outside what the RFC allows and would also tie administrators to a configuration they might need to change.
While the RFC provides a wide range, the ideal max_age value depends on what stage you are in with your MTA-STS implementation.
When you first set up MTA-STS, it's wise to start with a low max_age. This lets you correct mistakes in your policy file or DNS records without waiting long for cached copies to expire on senders that missed an update. The common recommendation for this phase is 86400, the conventional one-day floor.
Using a max_age of 86400 (24 hours) during testing means a corrected policy has replaced every cached copy within a day. You should also set mode: testing for this period, and publish a TLSRPT record (RFC 8460: a TXT record at _smtp._tls.<your domain> containing v=TLSRPTv1; rua=mailto:<reporting address>) so that senders report TLS and policy failures to you. In testing mode those failures are reported but never block delivery, so you can verify the configuration without risking lost mail. Change the id in the _mta-sts TXT record every time you change the policy file; senders compare it with the id of their cached copy and only refetch when it differs.
Once your TLS reports show no unexpected failures, increase max_age and switch the mode to enforce: publish the new policy file first, then update the id in the TXT record so senders fetch it. A longer max_age provides greater security, because each sender that has fetched the enforce policy will keep requiring TLS for that long even if your DNS record is later blocked.
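The policy file format, the max_age bounds and the testing-then-enforce progression described above, as an added Python example that is not part of this article, RFC 8461 or any MTA implementation. The domain names, policy texts, ids and timestamps are constructed samples; max_age_advice encodes this article's staging advice rather than RFC rules, and sender_decision is a deliberately simplified model of a sending MTA's caching logic (refetch on a new or changed id, fall back to the cached policy when no TXT record can be found).

```python
"""MTA-STS policy parsing, max_age checks and sender-side cache logic (RFC 8461).
Added example for this article, not code from the RFC or any MTA; the policy
texts, domain names, ids and timestamps below are constructed samples."""
import re
from dataclasses import dataclass
from typing import List, Optional

ONE_DAY = 86400          # conventional operational floor, not an RFC minimum
ONE_WEEK = 604800        # this article's recommended floor for enforce mode
RFC_MAX_AGE = 31557600   # RFC 8461: hard maximum for max_age (one year)
MODES = ("none", "testing", "enforce")

# Constructed samples: a testing-phase policy and its production successor (CRLF lines).
TESTING_POLICY = ("version: STSv1\r\nmode: testing\r\nmx: mx1.example.com\r\n"
                  "mx: *.mail.example.com\r\nmax_age: 86400\r\n")
ENFORCE_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mx1.example.com\r\n"
                  "mx: *.mail.example.com\r\nmax_age: 604800\r\n")

@dataclass
class Policy:
    mode: str
    mx: List[str]
    max_age: int

def parse_policy(text: str) -> Policy:
    """Parse a policy file ('key: value' per line, CRLF or LF, unknown keys ignored);
    structural violations of RFC 8461 section 3.2 raise ValueError."""
    single = {}
    mx = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value)                      # one mx pattern per line
        elif key in ("version", "mode", "max_age"):
            if key in single:
                raise ValueError(f"duplicate key: {key}")
            single[key] = value
        # any other key is an extension field and is ignored
    missing = [k for k in ("version", "mode", "max_age") if k not in single]
    if missing:
        raise ValueError(f"missing required key(s): {missing}")
    if single["version"] != "STSv1":
        raise ValueError(f"unsupported version: {single['version']}")
    if single["mode"] not in MODES:
        raise ValueError(f"unknown mode: {single['mode']}")
    if not re.fullmatch(r"[0-9]{1,10}", single["max_age"]):
        raise ValueError("max_age must be 1 to 10 ASCII digits")
    max_age = int(single["max_age"])
    if max_age > RFC_MAX_AGE:
        raise ValueError(f"max_age {max_age} exceeds RFC maximum {RFC_MAX_AGE}")
    if single["mode"] != "none" and not mx:
        # Sanity check rather than an RFC MUST: with no patterns, no MX host can match.
        raise ValueError("testing/enforce policy lists no mx patterns")
    return Policy(single["mode"], mx, max_age)

def policy_error(text: str) -> Optional[str]:
    """Return the parse error for a policy file, or None when it is valid."""
    try:
        parse_policy(text)
    except ValueError as exc:
        return str(exc)
    return None

def max_age_advice(policy: Policy) -> List[str]:
    """Operational warnings encoding this article's staging advice (not RFC rules)."""
    warnings = []
    if policy.max_age < ONE_DAY:
        warnings.append("max_age below one day: caching gives little downgrade protection")
    if policy.mode == "enforce" and policy.max_age < ONE_WEEK:
        warnings.append("enforce mode with max_age under one week: raise it for production")
    if policy.mode == "testing" and policy.max_age > ONE_DAY:
        warnings.append("testing mode with a long max_age: mistakes are slow to fix")
    return warnings

@dataclass
class CachedPolicy:
    policy_id: str      # 'id' from the _mta-sts TXT record when the policy was fetched
    fetched_at: int     # epoch seconds
    policy: Policy

def sender_decision(cache: Optional[CachedPolicy], dns_id: Optional[str], now: int) -> str:
    """Simplified model of a sending MTA's next step (RFC 8461 sections 3.1 and 3.3).
    dns_id is the 'id' from the receiving domain's _mta-sts TXT record, or None when
    no record could be found, which is what a DNS-level downgrade attempt looks like.
    Returns 'fetch', 'use-cache' or 'no-policy'."""
    cache_valid = cache is not None and now < cache.fetched_at + cache.policy.max_age
    if dns_id is not None and (not cache_valid or dns_id != cache.policy_id):
        return "fetch"        # new or changed id: fetch the current policy over HTTPS
    if cache_valid:
        return "use-cache"    # TXT record absent or unchanged: keep enforcing the cached policy
    return "no-policy"        # nothing cached, nothing published: fall back to opportunistic TLS
```

The interesting case for this article is the third branch of sender_decision: with a valid cache and no TXT record, the sender keeps enforcing, so an attacker who can suppress your DNS answers only wins once the cached copy has aged past max_age. That is the window the value controls.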
Here are some common and recommended values for a production environment:
In summary, there isn't a single max_age that fits all situations; the right value depends on your operational stage. Start with the conventional floor of 86400 during the testing phase so that mistakes are cheap to fix. Once TLS reports confirm everything is working, increase max_age to at least 604800 (one week) for a robust enforce deployment, and plan mail server migrations so that old and new hosts overlap in the policy for at least that long. This protects mail in transit to your domain while leaving room for administrative change.