MTA-STS Policy

This domain publishes an MTA-STS policy. The published policy can be viewed at mta-sts.howson.me/.well-known/mta-sts.txt.


What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism defined in RFC 8461 that allows a domain to declare that its mail servers support TLS and that sending servers should refuse to deliver mail if a valid TLS connection cannot be established. It also specifies which MX hostnames are legitimate for the domain, protecting against downgrade and DNS spoofing attacks.


Setting it up yourself

1. Create the policy file

You need a file served over HTTPS at exactly this path:

https://mta-sts.{yourdomain}/.well-known/mta-sts.txt

The file must be served with Content-Type: text/plain and use CRLF line endings. A typical policy looks like this:

version: STSv1
mode: enforce
mx: mail.{yourdomain}
max_age: 86400

Fields:

  • version — always STSv1
  • mode — one of enforce, testing, or none
    • Start with testing to receive reports without rejecting mail, then move to enforce once you are confident
  • mx — one entry per line for each valid MX hostname; wildcards are allowed (e.g. *.mail.{yourdomain})
  • max_age — how long (in seconds) sending servers should cache the policy; 86400 is one day, 604800 is one week

2. Set up the mta-sts subdomain

The subdomain mta-sts.{yourdomain} must serve the policy file over HTTPS with a valid certificate. You can use any web host or static site host for this — a single-file site on Cloudflare Pages, Netlify, or GitHub Pages works well.

The response must:

  • Use HTTPS (HTTP redirects do not satisfy the requirement)
  • Have a valid, non-expired TLS certificate for mta-sts.{yourdomain}
  • Return the policy at /.well-known/mta-sts.txt with a 200 OK status

3. Publish the DNS record

Add a TXT record at _mta-sts.{yourdomain} to advertise that a policy exists and to signal updates:

_mta-sts.{yourdomain}  IN  TXT  "v=STSv1; id={policyid}"

The id value is an arbitrary string (often a timestamp like 20240101000000) that must change every time you update the policy file. Sending servers cache the policy using this ID — if the ID hasn’t changed, they will use their cached copy.

Example:

_mta-sts.howson.me  IN  TXT  "v=STSv1; id=20240901120000"

4. Optionally publish a TLSRPT record

TLSRPT (RFC 8460) lets sending servers report TLS failures back to you. Add a TXT record at _smtp._tls.{yourdomain}:

_smtp._tls.{yourdomain}  IN  TXT  "v=TLSRPTv1; rua=mailto:tlsrpt@{yourdomain}"

Reports arrive as JSON files (similar to DMARC reports) and are useful for catching misconfigured certificates or MX mismatches before switching to enforce mode.


Verifying your policy

Once DNS has propagated and the policy file is live, you can verify your setup with:

  • MTA-STS Validator — checks the policy file and DNS record
  • dig TXT _mta-sts.{yourdomain} — confirms the DNS record is published
  • curl https://mta-sts.{yourdomain}/.well-known/mta-sts.txt — confirms the file is reachable over HTTPS
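The checks above need live DNS and HTTPS. As an added example that is not part of this page, the Python below does the offline half of the same work for steps 1 to 3: it renders a policy file with CRLF line endings, parses and validates a policy and an _mta-sts TXT record, and applies the MX matching rule from RFC 8461 section 4.1 (a leading "*." stands for exactly one DNS label) the way a sending server does, so a policy can be exercised before it goes into enforce mode. The hostnames and id are constructed sample values; the rule that an enforce or testing policy needs at least one mx line is this example's own choice.

```python
"""Added example, not the page's code: offline MTA-STS policy/record checker.
Sample hostnames and ids below are constructed, not real deployments."""
import re

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # largest max_age RFC 8461 allows (about one year)


def render_policy(mode, mx_hosts, max_age):
    """Build the text to serve at /.well-known/mta-sts.txt, CRLF-terminated."""
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {mx}" for mx in mx_hosts]
    lines.append(f"max_age: {max_age}")
    return "\r\n".join(lines) + "\r\n"


def parse_policy(text):
    """Parse 'key: value' lines (mx may repeat, so it becomes a list) and
    reject anything a sending server would treat as an invalid policy."""
    policy = {"mx": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if ":" not in raw:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in raw.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in policy:
            raise ValueError(f"duplicate field: {key}")
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be enforce, testing or none")
    try:
        max_age = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be a whole number of seconds") from None
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be between 0 and {MAX_AGE_LIMIT}")
    policy["max_age"] = max_age
    # Example's own rule: an enforce/testing policy with no mx line can never
    # match a legitimate MX, so treat it as a configuration error.
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx entry")
    return policy


def parse_sts_record(txt):
    """Parse the _mta-sts TXT record ('v=STSv1; id=...') and return the id,
    which RFC 8461 limits to 1-32 letters and digits."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("record must carry v=STSv1")
    policy_id = fields.get("id", "")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id):
        raise ValueError("id must be 1-32 letters or digits")
    return policy_id


def mx_matches(mx_host, pattern):
    """RFC 8461 section 4.1: exact match, or '*.' matching exactly one label,
    so *.mail.example.com matches mx1.mail.example.com but neither
    mail.example.com nor a.b.mail.example.com."""
    host = mx_host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mail.example.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return label != "" and "." not in label
    return host == pattern


def sender_would_deliver(policy, mx_host, tls_ok):
    """Sender's decision for one MX: enforce needs an mx match and a verified
    TLS session; testing and none deliver anyway (testing only reports)."""
    allowed = any(mx_matches(mx_host, p) for p in policy["mx"])
    if policy["mode"] == "enforce":
        return allowed and tls_ok
    return True


# Constructed sample inputs.
SAMPLE_POLICY = render_policy("enforce", ["mail.example.com", "*.mail.example.com"], 604800)
SAMPLE_RECORD = "v=STSv1; id=20240901120000"

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("policy id:", parse_sts_record(SAMPLE_RECORD))
    for mx in ("mail.example.com", "mx1.mail.example.com", "rogue.example.net"):
        print(mx, "->", sender_would_deliver(policy, mx, tls_ok=True))
```

Feed it the bytes you actually fetch with curl and the string dig returns, and it will flag the mistakes the live validators catch most often: LF-only line endings slipping through an editor, a mode value outside the three allowed, an id with punctuation in it, or a wildcard written as *.{yourdomain} that does not match the two-label MX name you really use.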