MTA-STS (SMTP MTA Strict Transport Security, RFC 8461) is an email security protocol through which a receiving domain signals that mail delivered to its servers should travel over TLS-encrypted connections between mail servers.
MTA-STS needs two TXT records added to the domain's DNS: one at the name _mta-sts (the MTA-STS record itself) and one at _smtp._tls (the TLS reporting, or TLSRPT, record). In addition, a dedicated HTTPS server on a dedicated sub-domain hosts the policy file.
_mta-sts.example.com IN TXT "v=STSv1; id=20230601000000"
_smtp._tls.example.com IN TXT "v=TLSRPTv1; rua=mailto:…@example.com"
id is a unique value (here, a date-time) that must be changed whenever the policy changes, so that sending servers refresh their cached copy.
rua is the email address that receives reports about failed TLS connections, similar to the rua parameter in DMARC.
The policy definition must be hosted on an HTTPS server under the sub-domain mta-sts, in a file called mta-sts.txt inside the folder .well-known. The website must be reachable over HTTPS with a valid certificate, because sending servers only trust a policy fetched over a verified TLS connection.
To check the MTA-STS and TLSRPT records, use host or dig:
$ host -t TXT _mta-sts.litux.org
_mta-sts.litux.org descriptive text "v=STSv1; id=20230601000000"
$ host -t TXT _smtp._tls.litux.org
_smtp._tls.litux.org descriptive text "v=TLSRPTv1; rua=mailto:…@litux.org"
$ dig +short -t TXT _mta-sts.litux.org
"v=STSv1; id=20230601000000"
$ dig +short -t TXT _smtp._tls.litux.org
"v=TLSRPTv1; rua=mailto:…@litux.org"
To check the MTA-STS policy, use curl, wget or a browser:
$ curl -s 'https://mta-sts.litux.org/.well-known/mta-sts.txt'
version: STSv1
mode: enforce
mx: …
max_age: 604800
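As an added example that is not part of the original page, the following Python code parses and validates the two artefacts described above, the _mta-sts TXT record and the mta-sts.txt policy body, and applies the policy's mx patterns the way a sending server does. The record, policy text and host names are constructed placeholders.

```python
import re
# Constructed sample inputs, not real lookups: the _mta-sts TXT record and the
# policy file in the shapes the page shows, with placeholder host names.
SAMPLE_TXT = "v=STSv1; id=20230601000000"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.mx.example.net\nmax_age: 604800\n"

def parse_sts_txt(record):
    """Split the TXT record on ';' into tags; require v=STSv1 and a valid id."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    if tags.get("v") != "STSv1":
        raise ValueError("record must carry v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", tags.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return tags

def parse_policy(text):
    """Parse the mta-sts.txt body; RFC 8461 allows several 'mx:' lines."""
    policy = {"mx": []}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line without ':' -> {line!r}")
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy[key.strip()] = value.strip()
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy["max_age"])   # KeyError if the line is missing
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx line")
    return policy

def mx_allowed(policy, mx_host):
    """Sender-side check: does an MX name match a policy 'mx' pattern? A leading '*.' matches exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    for pattern in (p.lower() for p in policy["mx"]):
        if pattern.startswith("*."):
            suffix = pattern[1:]                          # e.g. ".mx.example.net"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == pattern:
            return True
    return False
```

A sending server that finds no match for any of the recipient domain's MX hosts must refuse delivery when mode is enforce, which is why a typo in an mx line is the most common way an enforce policy breaks inbound mail.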
A simple and free website can be provisioned through GitHub Pages. However, the default pages action does not deploy folders with a leading dot such as .well-known unless a _config.yml file that lists the folder under include: is added. José Ferreira from AnubisNetworks has a ready-made template at MTA-STS Website template using GitHub Pages.
The MTA-STS DNS records and website can be validated using Google if the domain is set up on Google Workspace: under "Apps" - "Google Workspace" - "Gmail" - "Compliance", at the end of the page, there is a link to validate MTA-STS.
Note: the Google Workspace Admin Help mentions a "Security Health" page, but the "legacy" Google Workspace edition does not show any such item there.
AnubisNetworks: MTA-STS Domain Verification
AnubisNetworks: MTA-STS Website template using GitHub Pages
Google Workspace Admin Help: Turn on MTA-STS and TLS reporting
Google Workspace Admin Help: Check your MTA-STS configuration