MTA-STS policy

Per RFC 8461

DNS record and HTTPS policy in one go, with policy ID and drift hint.

What is this, and when do I need it?

What is this?

MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) forces sending mail servers to use encrypted SMTP (STARTTLS) when delivering mail to you, and prevents silent fallback to cleartext on failure. That eliminates an entire class of downgrade attacks.

The policy has two parts: a DNS TXT record carrying the version tag and a policy ID, and a policy file served via HTTPS at mta-sts.<domain>/.well-known/mta-sts.txt.

When do I need it?

As soon as you receive mail yourself (your own mail server, or a mail provider with MX records on your domain). If you only send mail, MTA-STS is not relevant; DMARC + SPF + DKIM is your lever instead.

Rollout: run in testing mode first for a few weeks so that TLS-RPT reports surface any connection issues. Only then promote to enforce.

Should already be in place

  • TLS certificate for the mta-sts.<your-domain> subdomain (Let's Encrypt is fine)
  • Web server that serves the policy file at /.well-known/mta-sts.txt
_mta-sts.example.com per RFC 8461
_mta-sts.example.com.	TXT	"v=STSv1; id=1783101840"

Free, no warranty (best effort). Generated and inspected values are non-binding; we accept no liability for erroneous or incomplete results or configurations. Use and verification are your own responsibility; please test before production use.

https://mta-sts.example.com/.well-known/mta-sts.txt per RFC 8461
version: STSv1
mode: testing
mx: mx1.example.com
mx: mx2.example.com
max_age: 2592000

Publishing order:

  1. Serve the policy file at https://mta-sts.example.com/.well-known/mta-sts.txt (HTTPS required).
  2. Add the DNS record _mta-sts.example.com with the TXT value above.
  3. After 1-2 days, observe TLS-RPT reports. If no errors, switch mode from testing to enforce and bump the policy ID.

Every change to the policy file MUST come with a new policy ID; otherwise sending MTAs keep using the policy they have cached.

Inspect an existing MTA-STS configuration

Checks the _mta-sts DNS TXT record and the policy at https://mta-sts.<domain>/.well-known/mta-sts.txt.

Server-side: this inspection does NOT run locally in your browser. We fetch the DNS record and the HTTPS response via our server. We do not log the queried domain or the result. Limit: 12 requests per minute per IPv4 address or IPv6 /64 subnet.
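As an added example (not part of this generator or its inspection tool), an offline Python validator for the two artefacts described above: it parses the _mta-sts TXT record and the policy file per RFC 8461, checks whether an MX hostname is covered by the policy's mx entries (including the one-label wildcard form the RFC allows), and implements the drift hint from the publishing notes, i.e. a changed policy without a new id. The sample record and policy are constructed to mirror the example.com output shown on this page.

```python
SAMPLE_TXT = 'v=STSv1; id=1783101840'  # constructed sample, mirroring the record on this page
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mx1.example.com\nmx: mx2.example.com\nmax_age: 2592000\n"
VALID_MODES = {"testing", "enforce", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age is at most one year, in seconds

def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record: v=STSv1 must come first, id is 1-32 alphanumerics."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    if not parts or parts[0] != "v=STSv1":
        raise ValueError("TXT record must begin with v=STSv1")
    fields = dict(p.partition("=")[::2] for p in parts)
    pid = fields.get("id", "")
    if not (pid.isascii() and pid.isalnum() and len(pid) <= 32):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields

def parse_policy(text):
    """Parse the HTTPS policy file ("key: value" lines) and check RFC 8461 constraints."""
    policy = {"mx": []}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if key == "mx":
            policy["mx"].append(value.lower())  # repeatable; hostnames are case-insensitive
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be testing, enforce or none")
    if not 0 <= int(policy.get("max_age", "-1")) <= MAX_AGE_LIMIT:
        raise ValueError("max_age must be 0..31557600 seconds")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required unless mode is none")
    return policy

def mx_matches(policy, mx_host):
    """True if an MX hostname is covered by a policy mx entry ("*." covers one label only)."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]) and "." not in host[: 1 - len(pattern)]:
                return True
        elif host == pattern:
            return True
    return False

def policy_drift(old_id, old_text, new_id, new_text):  # the page's drift hint
    return old_id == new_id and parse_policy(old_text) != parse_policy(new_text)
```

Before promoting to enforce, run every MX hostname of the domain through mx_matches against the parsed policy; an uncovered MX is exactly the failure TLS-RPT would later report.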

How to add this record at your DNS provider

The record generated above has three parts: the record type (typically TXT, occasionally CAA), the host (a subdomain like _dmarc, _smtp._tls or empty for the root domain) and the value (the actual payload in quotes). Every DNS provider asks for these same three fields - only the menu wording differs.

INWX (Dernium default for new customers)
  1. Sign in at www.inwx.de.
  2. Tab Nameserver → pick the domain → Nameserver-Sets verwalten → DNS-Einträge.
  3. Button Neuen Eintrag anlegen.
  4. Pick a type (e.g. TXT), enter the host (empty for the root domain, otherwise e.g. _dmarc), paste the value, leave TTL at 3600.
  5. Save. Propagation typically within 5-15 minutes.

Strato
  1. Sign in to the Strato customer area.
  2. Menu Domains → pick the domain → Verwalten.
  3. Section DNS-Verwaltung → Nameserver/DNS-Einstellungen anpassen.
  4. Under Eigene DNS-Verwaltung pick the right record type (TXT records have their own block), enter host and value.
  5. Save. Strato typically propagates within 30-60 minutes.

Hetzner DNS Console
  1. Sign in at dns.hetzner.com.
  2. Click on the zone of your domain.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value.
  4. Save. Propagation typically under 5 minutes.

IONOS (1&1)
  1. Sign in to the IONOS customer center.
  2. Menu Domains & SSL → click the domain → DNS.
  3. Button Eintrag hinzufügen → pick a type, enter the host, paste the value into the content field.
  4. Save. Propagation typically 15-60 minutes.

Cloudflare
  1. Sign in to Cloudflare, pick the domain.
  2. Tab DNS → Records.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
  4. Save. Propagation typically under 2 minutes.

Note: If your DNS provider is not listed, you usually find the right place under headings like "DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps; the paths shown here are vendor-specific and can shift slightly with redesigns.