MTA-STS (RFC 8461) lets a receiving domain require that senders use TLS with a validated certificate when delivering mail, closing the opportunistic-TLS gap that STARTTLS leaves. This tutorial walks through deploying MTA-STS on a UK business domain: publishing the DNS record, serving the HTTPS policy file, progressing from testing to enforce mode, and verifying the result.
STARTTLS is opportunistic — senders attempt TLS but fall back to plaintext if anything goes wrong. A network attacker can strip the STARTTLS advertisement or block the upgrade, and the sender delivers plaintext without warning. MTA-STS closes this gap by publishing a policy that senders must use TLS, must validate the certificate, and must refuse to deliver if either check fails.
The policy is discovered through a DNS TXT record (_mta-sts.domain) and fetched over HTTPS (https://mta-sts.domain/.well-known/mta-sts.txt). Senders cache the policy; during its lifetime, mail to your domain must use validated TLS or not deliver at all.
You will need an HTTPS certificate for mta-sts.yourdomain (Let's Encrypt is fine).
Create a TXT record at _mta-sts.yourdomain with contents:
_mta-sts.firm.co.uk. IN TXT "v=STSv1; id=20260423000000"
The id value is a string of your choosing — typically a timestamp. Whenever you update the policy, increment the id so senders know to re-fetch. Common pattern: YYYYMMDDHHMMSS.
Your policy file lives at:
https://mta-sts.firm.co.uk/.well-known/mta-sts.txt
Two things must be true:
- mta-sts.firm.co.uk has a valid HTTPS certificate (usually Let's Encrypt).
- The file is served with Content-Type: text/plain.
The file content (UNIX line endings):
version: STSv1
mode: testing
mx: mail.firm.co.uk
max_age: 604800
Fields:
- version: STSv1 — always this value.
- mode — one of none, testing, enforce. Start with testing.
- mx — hostname(s) of your MX servers. Wildcards are permitted (*.firm.co.uk). List all MX targets.
- max_age — cache lifetime in seconds. 604800 (7 days) is typical during initial deployment; 1209600 (14 days) at steady state.

Testing mode
In testing mode, senders that support MTA-STS log any TLS failures (via TLS-RPT) but still deliver mail. No enforcement. This is the safe first state — if your MX certificate has a problem, you see it in reports without losing mail.
Wait at least two weeks. Collect TLS-RPT reports. Review for:
Publish a TLS-RPT record so senders know where to send failure reports:
_smtp._tls.firm.co.uk. IN TXT "v=TLSRPTv1; rua=mailto:[email protected]"
Reports arrive daily from supporting receivers (Google, Microsoft, Fastmail, some UK providers). They contain counts of TLS successes and failures, policy match/mismatch data, and specific error codes for failures.
Use a processing service (Mail Hardener, EasyDMARC, dmarcian) to aggregate and visualise. Raw JSON is parseable but not friendly.
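If you would rather read the raw JSON yourself before choosing a processing service, the following added example (not from this tutorial and not any service's code) parses a TLS-RPT aggregate report in the RFC 8460 JSON shape and totals failures per MX and result type. SAMPLE_REPORT is a constructed report; the sender name, report id and documentation-range IPs are invented.

```python
"""Summarise a TLS-RPT aggregate report (RFC 8460 JSON) before moving to enforce.
Added example, not from the tutorial or any processing service; SAMPLE_REPORT
is a constructed report in the RFC 8460 JSON shape (documentation IPs)."""
import json
from collections import Counter

SAMPLE_REPORT = json.dumps({  # constructed: one sts policy, 120 OK sessions, 5 failed
    "organization-name": "Example Sender Ltd",
    "date-range": {"start-datetime": "2026-04-24T00:00:00Z",
                   "end-datetime": "2026-04-25T00:00:00Z"},
    "report-id": "constructed-report-001",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "firm.co.uk",
                   "policy-string": ["version: STSv1", "mode: testing",
                                     "mx: mail.firm.co.uk", "max_age: 604800"],
                   "mx-host": ["mail.firm.co.uk"]},
        "summary": {"total-successful-session-count": 120,
                    "total-failure-session-count": 5},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mail.firm.co.uk", "failed-session-count": 3},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "192.0.2.11",
             "receiving-mx-hostname": "mail.firm.co.uk", "failed-session-count": 2}]}]})

def summarise(report_json):
    """Return {domain: {'mode', 'ok', 'failed', 'failures': {(mx, result-type): n}}}
    for each MTA-STS ('sts') policy in the report; DANE entries are skipped."""
    out = {}
    for entry in json.loads(report_json).get("policies", []):
        pol = entry.get("policy", {})
        if pol.get("policy-type") != "sts":
            continue
        # The applied policy is echoed back, so the mode the sender saw is recoverable.
        mode = next((s.split(":", 1)[1].strip() for s in pol.get("policy-string", [])
                     if s.startswith("mode:")), "unknown")
        failures = Counter()
        for f in entry.get("failure-details", []):
            key = (f.get("receiving-mx-hostname", "?"), f.get("result-type", "?"))
            failures[key] += int(f.get("failed-session-count", 0))
        summary = entry.get("summary", {})
        out[pol.get("policy-domain", "?")] = {
            "mode": mode, "ok": int(summary.get("total-successful-session-count", 0)),
            "failed": int(summary.get("total-failure-session-count", 0)),
            "failures": dict(failures)}
    return out

def ready_for_enforce(summary):
    """True only if every sts policy in the report saw zero failed sessions."""
    return all(d["failed"] == 0 and not d["failures"] for d in summary.values())
```

Run summarise over each day's report during the testing window; the failures dictionary tells you which MX and which error (expired certificate, missing STARTTLS, hostname mismatch) would turn into refused mail under enforce.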
Enforce mode
Once reports show clean TLS operation for two or more weeks — no certificate issues, senders correctly validating — tighten the policy:
version: STSv1
mode: enforce
mx: mail.firm.co.uk
max_age: 1209600
Also update the DNS id value to force senders to re-fetch:
_mta-sts.firm.co.uk. IN TXT "v=STSv1; id=20260507120000"
In enforce mode, senders that support MTA-STS refuse to deliver to your domain if:
- TLS cannot be negotiated with your MX;
- the MX certificate does not validate; or
- the MX they connect to does not match an mx hostname in the policy.
Mail from senders that hit any of these conditions does not arrive. This is the intended behaviour — ensure your own infrastructure is clean before enabling enforce.
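To make the field rules above and the enforce-mode refusal conditions concrete, here is an added example (not code from this tutorial or from any MTA) that parses a policy file, applies the RFC 8461 wildcard matching rule for mx entries, and models whether a policy-aware sender delivers or refuses. SAMPLE_POLICY and the host names passed in are constructed values.

```python
"""Parse an MTA-STS policy file and model an enforcing sender's decision.
Added example, not code from the tutorial; it implements the policy grammar
and MX-matching rule of RFC 8461. SAMPLE_POLICY is a constructed value."""
VALID_MODES = ("none", "testing", "enforce")

# Constructed sample: the tutorial's enforce-mode policy plus a wildcard mx.
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mail.firm.co.uk\n"
                 "mx: *.firm.co.uk\nmax_age: 1209600\n")

def parse_policy(text):
    """Return {'version', 'mode', 'mx': [...], 'max_age'}; ValueError if malformed."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":                      # repeatable; hostnames are case-insensitive
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be none, testing or enforce")
    policy["max_age"] = int(policy.get("max_age", 0))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("testing/enforce policies need at least one mx line")
    return policy

def mx_matches(pattern, host):
    """RFC 8461 matching: '*.firm.co.uk' covers exactly one leading label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return host == pattern

def delivery_decision(policy, mx_host, tls_ok, cert_valid):
    """Only enforce mode refuses; testing mode reports the same failures
    via TLS-RPT but still delivers."""
    mx_ok = any(mx_matches(p, mx_host) for p in policy["mx"])
    if policy["mode"] == "enforce" and not (tls_ok and cert_valid and mx_ok):
        return "refuse"
    return "deliver"
```

Note that the wildcard covers mx2.firm.co.uk but not a.b.firm.co.uk or the bare firm.co.uk, so an MX two labels deep needs its own mx line.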
Test the components:
# Check DNS record
dig TXT _mta-sts.firm.co.uk
# Check policy file
curl -v https://mta-sts.firm.co.uk/.well-known/mta-sts.txt
# Online testing services
# - Hardenize (full stack audit)
# - NCSC Mail Check (for gov.uk accredited)
# - checktls.com
Expected: DNS record returns your v=STSv1 TXT, HTTPS returns the policy file with HTTP 200, online services report "MTA-STS policy found and valid".
To update (for example, adding a new MX host, changing mode, adjusting max_age):
- Publish the revised policy file at the same HTTPS path.
- Increment the id value in the DNS TXT to force re-fetch.
- Expect senders holding a cached copy to keep using the old policy until they see the new id (at the latest, when the cache expires after max_age).
Senders will fetch the new policy next time they see the updated id.
Common pitfalls:
- The mx value must match your MX hostname, mail.firm.co.uk, exactly.
- The mta-sts.yourdomain host must be HTTPS-accessible from the internet.
- The web server must serve /.well-known/mta-sts.txt with Content-Type: text/plain. Many default web server configurations handle this automatically.
- Forgetting to change the id. Senders cache the policy and will not see changes until the id changes. Always increment on each update.

Q: Can I deploy MTA-STS without a separate mta-sts.yourdomain subdomain?
A: No — the policy file must be served at exactly https://mta-sts.yourdomain/.well-known/mta-sts.txt. You can host that subdomain on the same web server as your main site or on a separate host.
Q: Does the MTA-STS policy file hostname need to be different from my MX hostname?
A: Conceptually yes — mta-sts.firm.co.uk is the policy host and mail.firm.co.uk is the MX host. Technically you could alias them but in practice they are kept separate for operational clarity.
Q: What is the relationship between MTA-STS and DANE?
A: Complementary. MTA-STS uses HTTPS for policy distribution and does not require DNSSEC. DANE uses DNSSEC-signed TLSA records. Both aim to prevent TLS downgrade. Deploy both for redundancy.
Q: Do I need to restart my mail server after deploying MTA-STS?
A: No. MTA-STS is a policy published externally; it does not change your mail server's configuration. Your mail server's existing STARTTLS setup continues as before.
Q: How often do senders re-check my MTA-STS policy?
A: At least every max_age seconds. Many senders also re-check more frequently via the DNS record — if the id has changed they re-fetch the policy file.
Q: Can I point MTA-STS at multiple MX hosts?
A: Yes. List each on its own mx: line:
mx: mail1.firm.co.uk
mx: mail2.firm.co.uk
Or use a wildcard that covers them all:
mx: *.firm.co.uk
Q: What happens if my MTA-STS HTTPS becomes temporarily unreachable?
A: Cached policies remain valid. New senders seeing the DNS record but unable to fetch the policy behave as if MTA-STS were absent — no enforcement, opportunistic STARTTLS only. Brief outages do not block mail.
Q: Can I use a CDN for my MTA-STS policy hosting?
A: Yes. The HTTPS server just needs to return the correct content at the correct path with a valid certificate. Cloudflare, Fastly, AWS CloudFront all work fine.
Q: Does MTA-STS require any changes to my mail client?
A: No. MTA-STS is between mail servers, not clients. Client mail access (IMAPS on 993, submission on 465 or 587) is unaffected.
Q: What is the rollback process if enforce mode breaks something?
A: Change the policy file to mode: testing and update the id. Within max_age seconds all caching senders have the new softer policy. For fast rollback, set a low max_age initially.