Mail Transfer Agent Strict Transport Security (MTA-STS, RFC 8461) is a security standard designed to protect email in transit. It lets a receiving domain declare that sending mail servers must reach its MX hosts over a TLS connection with a valid certificate, which stops passive eavesdropping and the STARTTLS downgrade and man-in-the-middle attacks that plain opportunistic TLS cannot prevent.
At its core, MTA-STS works by having you publish two things: a DNS TXT record at _mta-sts.yourdomain.com and a policy file at a fixed HTTPS address. The policy file tells sending mail servers what to expect when they connect to your mail servers, and the TXT record tells them whether that policy has changed since they last fetched it. Both contain only a few key-value pairs, and two of the smallest, the version tag in the policy file and the id tag in the TXT record, are the ones most often confused with each other.
Before diving into those two tags, it helps to understand the policy file as a whole. It is a plain-text file, served with a text/plain content type, hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. It contains four main directives, one per line in key: value form: version, which is always STSv1; mode, which is enforce, testing or none; mx, one line per MX hostname that senders may connect to (a leading *. wildcard covers one label, as in *.mail.yourdomain.com); and max_age, the number of seconds a sender may cache the policy, which RFC 8461 caps at 31557600, roughly one year.
The version tag in the policy file does not change. Its value is always STSv1, the only policy version RFC 8461 defines, and senders only understand that value, so a file whose version line says anything else will not be applied as a policy at all. The revision number that people expect to find there actually lives in the DNS TXT record, as the id tag: _mta-sts.yourdomain.com TXT "v=STSv1; id=20230921103000;". When a remote mail server first connects to send you an email, it reads that record, fetches your policy file over HTTPS and stores the policy, together with the id it saw, in its cache for the duration specified by max_age.
If you need to update your policy, for example by adding a new mail server to the mx list or changing the mode, publish the new file first and then change the id in the TXT record. Sending servers that hold a cached policy periodically re-check the TXT record and compare its id with the one they cached; a different id tells them to discard the cached policy and fetch the file again. If you leave the id alone, they keep using the old policy until max_age expires, which is commonly a week or more and can be as long as a year. Changing the id before the new file is live is the reverse mistake: senders fetch the old file and cache it under the new id, and the change is not picked up until max_age runs out again.
RFC 8461 defines the id as a plain string of 1 to 32 ASCII letters and digits; hyphens, colons and other punctuation are not allowed, so 2023-09-21 is invalid while 20230921103000 is fine. There is no mandated format. The RFC's own example uses a UTC timestamp (id=20160831085700Z), and a date and time in numeric form is a common and effective practice because it is unique every time you make a change. A simple incrementing value (e.g., v1, v2) also works perfectly well. Whatever you choose, remember that senders compare the id as a string: they look for any change, not for a larger number, so any value different from the previous one triggers a refetch.
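To make the split between the two tags concrete, here is an added example in Python; it is not code from the original article or from any MTA-STS implementation. It parses a TXT record and a policy file with the checks described above (version must be STSv1, id must be 1 to 32 letters or digits, mode, mx and max_age validated), then shows the sender-side cache decision that the id tag drives. The TXT record, the policy file and the example.com hostnames are constructed for the demo.

```python
import re
from dataclasses import dataclass

# RFC 8461 section 3.1: sts-id = 1*32(ALPHA / DIGIT)
ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age may not exceed about one year of seconds
# mx pattern: a hostname, optionally with a single leading "*." wildcard label
MX_RE = re.compile(r"(\*\.)?([A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)*"
                   r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.?")

# Constructed sample data for this demo; example.com is a placeholder domain.
SAMPLE_TXT = "v=STSv1; id=20230921103000;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.mx.example.com
max_age: 604800
"""


def parse_txt_record(txt: str) -> dict:
    """Parse the data of the _mta-sts.<domain> TXT record.

    The record must begin with v=STSv1 and carry an id of 1 to 32 letters or
    digits; fields other than v and id are ignored.
    """
    fields = [p.strip() for p in txt.split(";") if p.strip()]
    if not fields or fields[0] != "v=STSv1":
        raise ValueError("TXT record must begin with v=STSv1")
    record = {}
    for field in fields:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed TXT field: {field!r}")
        record[key.strip()] = value.strip()
    if not ID_RE.fullmatch(record.get("id", "")):
        raise ValueError("id must be 1 to 32 ASCII letters or digits")
    return record


@dataclass
class Policy:
    version: str
    mode: str
    mx: list
    max_age: int


def parse_policy(text: str) -> Policy:
    """Parse the body of /.well-known/mta-sts.txt ("key: value" per line).

    The four directives the article lists are required: version (STSv1),
    mode (enforce/testing/none), at least one mx, and max_age. Other keys
    are ignored so that future extensions do not break the parser.
    """
    version = mode = max_age = None
    mx = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            if not MX_RE.fullmatch(value):
                raise ValueError(f"invalid mx pattern: {value!r}")
            mx.append(value)
        elif key == "max_age":
            if not re.fullmatch(r"[0-9]+", value) or int(value) > MAX_AGE_LIMIT:
                raise ValueError(f"invalid max_age: {value!r}")
            max_age = int(value)
    if version != "STSv1":
        raise ValueError("policy version must be STSv1; it is not a revision number")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not mx:
        raise ValueError("at least one mx line is required")
    if max_age is None:
        raise ValueError("max_age is required")
    return Policy(version, mode, mx, max_age)


@dataclass
class CachedPolicy:
    policy_id: str      # id from the TXT record at the time of the fetch
    policy: Policy
    fetched_at: float   # Unix time of the fetch


def needs_refetch(cached: CachedPolicy, live_txt: str, now: float) -> bool:
    """Sender-side decision: refetch when the cache has aged past max_age or
    when the live TXT id differs from the cached id (plain string inequality,
    so any change triggers a refetch, not only a numeric increase)."""
    if now - cached.fetched_at >= cached.policy.max_age:
        return True
    try:
        live_id = parse_txt_record(live_txt)["id"]
    except ValueError:
        return False  # an unreadable TXT record is no new information; keep the unexpired cache
    return live_id != cached.policy_id


def demo() -> dict:
    """Walk through a policy update: same id keeps the cache, new id refetches."""
    cached = CachedPolicy(parse_txt_record(SAMPLE_TXT)["id"],
                          parse_policy(SAMPLE_POLICY), fetched_at=1_000_000.0)
    return {
        "unchanged": needs_refetch(cached, SAMPLE_TXT, now=1_000_000.0 + 3600),
        "new_id": needs_refetch(cached, "v=STSv1; id=20230922090000;", now=1_000_000.0 + 3600),
        "expired": needs_refetch(cached, SAMPLE_TXT, now=1_000_000.0 + 604800),
    }
```

Calling demo() returns unchanged: False, new_id: True, expired: True, which is the id tag's whole job in three lines: a changed string refetches at once, an unchanged one waits out max_age. Feeding parse_policy a file with version: 2 raises rather than parsing, which is why the version line is the one directive you should never edit.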
In short, the version tag in the policy file is a fixed protocol marker that must read STSv1, while the id tag in the TXT record, although it is just a small string of text, is the mechanism that makes your MTA-STS policy manageable and effective over time. Forgetting to change the id when you change your mail infrastructure can lead to delivery failures, because senders honouring an enforce-mode policy will refuse to deliver to any MX host that is not in their cached copy until that copy expires.