SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate. SMTP DANE is another mechanism that provides similar functionality. 

Large-scale providers like Google have adopted the MTA-STS standard. Unlike opportunistic TLS, MTA-STS makes it clear to sending servers how to transmit messages. MTA-STS policies are distributed via HTTPS from a "well-known" path served within the Policy Domain, and their presence and current version are indicated by a DNS TXT record at the Policy Domain. These DNS TXT records additionally contain a policy "id" field, allowing Sending MTAs to check that a cached policy is still current without performing an HTTPS request. Sending MTAs are expected to cache these results. To discover whether a recipient domain implements MTA-STS, a sender need only resolve a single TXT record. To see whether an updated policy is available for a domain for which the sender has a previously cached policy, the sender need only check the TXT record's "id" against the cached value.

The benefit of this standard:

MTA-STS Policy Definition

Below are the required fields for creating an MTA-STS policy. IMPORTANT: The filename for the text file must be mta-sts.txt. Make sure you verify the content of your policy file before publishing it. There are several free tools to check this, such as: https://easydmarc.com/tools/mta-sts-check?domain=talktalk.net

Key / Value

version

Protocol version. Must be STSv1. This MUST be the first line of the policy file. All other keys can be in any order.

mode

Policy mode:

  • testing: External servers send you reports about encryption and other issues detected when connecting to your domain. MTA-STS encryption and authentication requirements are not enforced.

  • enforce: If the SMTP connection doesn't have both authentication and encryption, mail servers set up for MTA-STS won't send messages to your domain. You also get reports from external servers about connection issues, as in testing mode.

  • none: Tells external servers that your domain no longer supports MTA-STS. Use this value if you stop using MTA-STS. 

mx

MX record for the domain.

  • The policy must have an mx entry for each MX record added to the domain.
  • Each mx entry must be on its own line in the policy file, as shown in the example.
  • The certificate presented by the receiving MTA must not be expired and must chain to a root CA that is trusted by the Sending MTA.

  • The certificate must contain a Subject Alternative Name (SAN) entry that matches the MX hostname.
  • The mx value must be in one of the formats shown in these examples:

    Specify a single server in standard MX form: mx001.tt.xion.oxcs.net

    To specify servers that match a naming pattern, use a wildcard. The wildcard character replaces one leftmost label only. For example, the mx pattern "*.example.com" matches "mail.example.com" but not "example.com" or "foo.bar.example.com".

max_age

Maximum time in seconds the policy is valid. The max_age is reset for an external server every time the server checks the policy. So, external servers can have different expiration dates for the same policy.

The value must be between 86400 (1 day) and 31557600 (about 1 year).

For testing mode, we recommend between 604800 and 1209600 (1–2 weeks).


Sample MTA-STS Record and Policy File

$ dig TXT _mta-sts.google.com +short
"v=STSv1; id=20210803T010101;"
$ curl https://mta-sts.google.com/.well-known/mta-sts.txt
version: STSv1
mode: enforce
mx: smtp.google.com
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
max_age: 86400
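As an added example (not code from OX, Google or the page), the following Python script applies the rules from the policy definition above to the sample record and policy file just quoted: it parses the TXT record, parses and validates mta-sts.txt (version first, allowed modes, at least one mx, max_age within 86400..31557600), and checks MX hostnames against the mx patterns using the one-leftmost-label wildcard rule. The hostname mx.otherhost.example used in the demo is a constructed value that the policy does not cover.

```python
import re

# Constructed inputs: the TXT record and policy file quoted on this page.
SAMPLE_TXT = "v=STSv1; id=20210803T010101;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: smtp.google.com
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
max_age: 86400
"""

VALID_MODES = {"testing", "enforce", "none"}
MAX_AGE_MIN, MAX_AGE_MAX = 86400, 31557600      # 1 day .. about 1 year
# A hostname, optionally with a single leading wildcard label.
MX_PATTERN = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$")


def parse_txt_record(txt: str) -> dict:
    """Split 'v=STSv1; id=...;' into its fields and require v and id."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed TXT field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or "id" not in fields:
        raise ValueError("TXT record must carry v=STSv1 and an id")
    return fields


def parse_policy(text: str) -> dict:
    """Parse mta-sts.txt: version must be the first line, mx may repeat."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].replace(" ", "") != "version:STSv1":
        raise ValueError("first line must be 'version: STSv1'")
    policy = {"mx": []}
    for ln in lines:
        if ":" not in ln:
            raise ValueError(f"malformed policy line: {ln!r}")
        key, value = (s.strip() for s in ln.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in policy:                  # version, mode, max_age appear once
            raise ValueError(f"duplicate key: {key}")
        else:
            policy[key] = value
    return policy


def validate_policy(policy: dict) -> list:
    """Return the list of problems; an empty list means the policy is well formed."""
    problems = []
    if policy.get("mode") not in VALID_MODES:
        problems.append(f"mode must be one of {sorted(VALID_MODES)}")
    if not policy["mx"]:
        problems.append("at least one mx entry is required")
    try:
        age = int(policy.get("max_age", ""))
        if not MAX_AGE_MIN <= age <= MAX_AGE_MAX:
            problems.append(f"max_age must be between {MAX_AGE_MIN} and {MAX_AGE_MAX}")
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    for pattern in policy["mx"]:
        if not MX_PATTERN.match(pattern):
            problems.append(f"invalid mx pattern: {pattern}")
    return problems


def check_policy_text(text: str) -> list:
    """Parse then validate; a parse error is reported as the single problem."""
    try:
        return validate_policy(parse_policy(text))
    except ValueError as err:
        return [str(err)]


def mx_matches(pattern: str, hostname: str) -> bool:
    """The wildcard replaces exactly one leftmost label: '*.example.com' matches
    'mail.example.com' but not 'example.com' or 'foo.bar.example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not hostname.endswith("." + suffix):
            return False
        return "." not in hostname[: -len(suffix) - 1]
    return pattern == hostname


def check_mx_hosts(policy: dict, mx_hosts) -> dict:
    """Map each MX hostname of the domain to whether some policy mx pattern covers it."""
    return {h: any(mx_matches(p, h) for p in policy["mx"]) for h in mx_hosts}


if __name__ == "__main__":
    print(parse_txt_record(SAMPLE_TXT))
    print(check_policy_text(SAMPLE_POLICY) or "policy OK")
    # mx.otherhost.example is a constructed hostname the policy does not cover
    print(check_mx_hosts(parse_policy(SAMPLE_POLICY),
                         ["alt1.aspmx.l.google.com", "mx.otherhost.example"]))
```

Run it against your own domain by replacing SAMPLE_TXT and SAMPLE_POLICY with the output of the dig and curl commands shown above; any hostname in check_mx_hosts that maps to False is an MX record your policy would cause enforcing senders to reject.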

OX Roadmap

In Q1 2025 we plan to enable support for MTA-STS on our OX Cloud US platform.

Once support for MTA-STS is enabled on the MTA side, end users decide whether they want to leverage this functionality by creating the DNS entry and the policy file.

How to start using MTA-STS?

Step 1. Create the Policy in Testing Mode.

Step 2. Upload the TXT file to the webserver

Step 3. Publish the DNS Record

Step 4. Double-check the syntax of the Policy and do a mail round-trip check. MTA-STS is now active for your domain.

(Step 5. Set up TLS-RPT) Not currently available at OX

Step 6. Change the Mode to "Enforce"

Step 7. Update the Version ID in your DNS record.
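To show why Step 7 matters, here is an added example (not OX code) that simulates the sending-MTA cache behaviour described earlier on this page: a sender checks only the TXT record's id against its cached policy, resets the policy's expiry by max_age on every check, keeps using an unexpired cached policy when the TXT lookup fails, and fetches the policy over HTTPS again only when the id changes. The `dns` and `https` dictionaries are constructed stand-ins for a resolver and an HTTPS client, and example.net with its ids is constructed data.

```python
from dataclasses import dataclass


@dataclass
class CachedPolicy:
    policy_id: str
    mode: str
    mx: list
    max_age: int
    expires_at: int   # seconds since epoch; reset on every successful id check


def parse_txt_id(txt: str) -> str:
    """Pull the id out of 'v=STSv1; id=...;' (the only field a cache check needs)."""
    fields = dict(part.strip().split("=", 1) for part in txt.split(";") if part.strip())
    if fields.get("v") != "STSv1" or "id" not in fields:
        raise ValueError("not an MTA-STS TXT record")
    return fields["id"]


class SenderCache:
    """Policy cache of one sending MTA. `dns` maps domain -> TXT string (None
    means the lookup failed); `https` maps domain -> the policy the domain
    currently serves. Both are constructed stand-ins, not real clients."""

    def __init__(self, dns: dict, https: dict):
        self.dns, self.https = dns, https
        self.cache = {}
        self.fetches = 0           # HTTPS fetches performed, to show caching at work

    def policy_for(self, domain: str, now: int):
        cached = self.cache.get(domain)
        if cached and cached.expires_at <= now:         # expired: forget it
            self.cache.pop(domain)
            cached = None
        txt = self.dns.get(domain)
        if txt is None:
            # TXT record unreachable: an unexpired cached policy still applies
            return cached
        current_id = parse_txt_id(txt)
        if cached and cached.policy_id == current_id:
            cached.expires_at = now + cached.max_age    # max_age reset on each check
            return cached
        # First contact, or the id changed (Step 7): fetch the policy over HTTPS
        self.fetches += 1
        served = self.https[domain]
        cached = CachedPolicy(served["id"], served["mode"], list(served["mx"]),
                              served["max_age"], now + served["max_age"])
        self.cache[domain] = cached
        return cached


def delivery_decision(policy, tls_verified: bool) -> str:
    """Apply the mode semantics from the policy definition: enforce refuses
    delivery without TLS to a trusted certificate, testing delivers and reports."""
    if policy is None or policy.mode == "none" or tls_verified:
        return "deliver"
    return "report-and-deliver" if policy.mode == "testing" else "refuse"


if __name__ == "__main__":
    # Constructed publication data for example.net: first in testing mode, then
    # switched to enforce with a new id, as Steps 6 and 7 describe.
    dns = {"example.net": "v=STSv1; id=20250101T000000;"}
    https = {"example.net": {"id": "20250101T000000", "mode": "testing",
                             "mx": ["mx.example.net"], "max_age": 604800}}
    sender = SenderCache(dns, https)
    print(sender.policy_for("example.net", now=0))
    dns["example.net"] = "v=STSv1; id=20250301T000000;"
    https["example.net"] = {"id": "20250301T000000", "mode": "enforce",
                            "mx": ["mx.example.net"], "max_age": 604800}
    print(sender.policy_for("example.net", now=300000), "fetches:", sender.fetches)
```

If you edit mta-sts.txt without changing the id, senders that already cached the old policy keep refreshing it for up to max_age on every check, which is why a mode change in Step 6 is not seen until the id in the DNS record is updated in Step 7.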