MTA-STS (MTA Strict Transport Security) is an email authentication and security protocol used to signal the desire to use encrypted channels in between email server.

MTA-STS needs two TXT records added to the domain's DNS into the name _mta-sts and _smtp._tls, in conjunction with a dedicated HTTPS server and sub-domain to host the policy file. IN TXT "v=STSv1; id=20230601000000" IN TXT "v=TLSRPTv1; rua=mailto:…"

The id is a unique value (here, a date-time) that shall be changed in case the policy changes.

The rua is an email address used to receive reports about failed emails, similar to the parameter in DKIM.

The policy definition needs to be hosted on an HTTPS server under the sub-domain mta-sts and inside a file called mta-sts.txt under a folder .well-known. The website shall be available using HTTPS and a valid certificate.

To check the MTA-STS record, use host or dig:

$ host -t TXT descriptive text "v=STSv1; id=20230601000000"
$ host -t TXT descriptive text "v=TLSRPTv1; rua=mailto:…"
$ dig +short -t TXT
"v=STSv1; id=20230601000000"
$ dig +short -t TXT
"v=TLSRPTv1; rua=mailto:…"

To check the MTA-STS policy use curl or wget or a browser:

$ curl -s ''
version: STSv1
mode: enforce
mx: …
max_age: 604800

A simple and free website can be provisioned through GitHub Pages.

However, the default pages action does not deploy folders with a leading dot unless a config file _config.yml is added. José Ferreira from AnubisNetworks has a ready-made template at MTA-STS Website template using GitHub Pages.

An alternative is to use a dedicated and extendable action. See GitHub Pages and GitHub Pages Action, as well as this site's action workflow.

The MTA-STS DNS and website can be validated using Google if the domain is set up on Google Workspace under "Apps" - "Google Workspace" - "Gmail" - "Compliance" and at the end of the page there is a link to validate MTA-STS.

Note: the Google Workspace Admin Help mentions a "Security Health" page but the Google Workspace "legacy" does not show any item there.