DNS record and HTTPS policy in one go, with version ID and drift hint.
What is this, and when do I need it?
What is this?
MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) forces mail servers that deliver mail to you to use encrypted SMTP (STARTTLS) and prevents a silent fallback to cleartext when TLS fails. That eliminates an entire class of downgrade attacks.
The policy has two parts: a DNS TXT record at _mta-sts.<domain> carrying a version ID, and a policy file served via HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt.
When do I need it?
As soon as you receive mail yourself (your own mail server, or a mail provider with MX records on your domain). If you only send mail, MTA-STS is not relevant; DMARC + SPF + DKIM is your lever instead.
Rollout: start in testing mode for a few weeks so that TLS-RPT reports surface any connection issues. Only then promote to enforce.
Should already be in place
TLS certificate for the mta-sts.<your-domain> subdomain (Let's Encrypt is fine)
Web server that serves the policy file at /.well-known/mta-sts.txt
Serve the policy file at https://mta-sts.example.com/.well-known/mta-sts.txt (HTTPS required).
Add the DNS record _mta-sts.example.com with the TXT value above.
After 1-2 days, observe TLS-RPT reports. If no errors, switch mode from testing to enforce and bump the policy ID.
Every change to the policy file MUST come with a new policy ID; otherwise MTAs that have already cached your policy keep using the stale copy until it expires.
Inspect an existing MTA-STS configuration
Checks the _mta-sts DNS TXT record and the policy at https://mta-sts.<domain>/.well-known/mta-sts.txt.
Server-side: this inspection does NOT run in your browser. The DNS record and the HTTPS response are fetched by our server. We do not log the queried domain or the result. Limit: 12 requests per minute per IPv4 address or IPv6 /64 subnet.
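The checks described above, as an added offline example (not the tool's own server-side code): a small Python checker that parses a _mta-sts TXT record and a policy file and reports the classes of mistakes the inspection looks for. The record and policy body are constructed samples for example.com, not fetched from any live domain.

```python
import re

# Constructed sample inputs (not fetched from any live domain): the _mta-sts TXT
# record and the policy file as a sending MTA would retrieve them.
SAMPLE_TXT = "v=STSv1; id=20240115T120000Z"
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""

# RFC 8461: the record starts with v=STSv1 and carries a 1..32 char alphanumeric id.
TXT_RE = re.compile(r"^v=STSv1\s*;\s*id=([A-Za-z0-9]{1,32})\s*;?\s*$")


def parse_sts_txt(txt: str) -> str:
    """Return the policy id from a _mta-sts TXT record; raise ValueError if malformed."""
    m = TXT_RE.match(txt.strip())
    if not m:
        raise ValueError(f"malformed _mta-sts record: {txt!r}")
    return m.group(1)


def parse_policy(body: str) -> dict:
    """Parse an mta-sts.txt body into {'version', 'mode', 'max_age', 'mx': [...]}."""
    policy = {"mx": []}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"bad policy line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        elif key in ("version", "mode", "max_age"):  # other keys are extensions, ignored
            policy[key] = value
    return policy


def check_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy is well-formed."""
    findings = []
    if policy.get("version") != "STSv1":
        findings.append("version must be STSv1")
    if policy.get("mode") not in ("testing", "enforce", "none"):
        findings.append("mode must be testing, enforce or none")
    if not policy["mx"]:
        findings.append("at least one mx line is required")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > 31557600:
        findings.append("max_age must be an integer of at most 31557600 seconds")
    return findings
```

Run parse_sts_txt on the live TXT record and check_policy on the fetched policy body; a record that fails to parse or a non-empty findings list is exactly what causes senders to ignore or distrust your policy.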
How to add this record at your DNS provider
The record generated above has three parts: the record type (typically TXT, occasionally CAA), the host (a subdomain like _dmarc or _smtp._tls, or empty for the root domain) and the value (the actual payload in quotes). Every DNS provider asks for these same three fields; only the menu wording differs.
Button Add record → pick a type, enter the name (use @ for the root domain), paste the value.
Save. Propagation typically under 5 minutes.
IONOS (1&1)
Sign in to the IONOS customer center.
Menu Domains & SSL → click the domain → DNS.
Button Eintrag hinzufügen ("Add record") → pick a type, enter the host, paste the value into the content field.
Save. Propagation typically 15-60 minutes.
Cloudflare
Sign in to Cloudflare, pick the domain.
Tab DNS → Records.
Button Add record → pick a type, enter the name (use @ for the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
Save. Propagation typically under 2 minutes.
Note: If your DNS provider is not listed, you usually find the right place under headings like "DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps; the paths shown here are vendor-specific and can shift slightly with redesigns.