SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate. SMTP DANE is another mechanism that provides similar functionality.
Large-scale providers like Google have adopted the MTA-STS standard. Unlike opportunistic TLS, MTA-STS makes it clear to sending servers how to transmit messages. MTA-STS policies are distributed via HTTPS from a "well-known" path served within the Policy Domain, and their presence and current version are indicated by a DNS TXT record at the Policy Domain. These DNS TXT records additionally contain a policy "id" field, allowing Sending MTAs to check that a cached policy is still current without performing an HTTPS request. Sending MTAs are expected to cache these results. To discover whether a recipient domain implements MTA-STS, a sender need only resolve a single TXT record. To see whether an updated policy is available for a domain for which the sender has a previously cached policy, the sender need only compare the TXT record's "id" against the cached value.
The benefits of this standard:
- Hinders downgrade attacks
- Removes the risk of man-in-the-middle (MITM) attacks
- Requires all certificates to be properly chained to a valid CA
- Solves the issue of expired TLS certificates
- Works without DNSSEC
MTA-STS Policy Definition
Below are the required fields for creating an MTA-STS policy. IMPORTANT: The filename of the text file must be mta-sts.txt. It is extremely important that you verify the content of your policy file. There are several free tools to check this, for example: https://easydmarc.com/tools/mta-sts-check?domain=talktalk.net
Key | Value |
---|---|
version | Protocol version. Must be STSv1. This MUST be the first line of the policy file; all other keys can be in any order. |
mode | Policy mode: testing or enforce (RFC 8461 also defines none, meaning no active policy). |
mx | MX hostname for the domain. Repeat the key once per MX host; a leading * matches a single DNS label (see *.aspmx.l.google.com in the sample below). |
max_age | Maximum time in seconds the policy is valid. The max_age is reset for an external server every time that server checks the policy, so external servers can have different expiration dates for the same policy. The value must be between 86400 (1 day) and 31557600 (about 1 year). For testing mode, we recommend between 604800 and 1209600 (1–2 weeks). |
Sample MTA-STS Record and Policy File
$ dig TXT _mta-sts.google.com +short
"v=STSv1; id=20210803T010101;"
$ curl https://mta-sts.google.com/.well-known/mta-sts.txt
version: STSv1
mode: enforce
mx: smtp.google.com
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
max_age: 86400
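The following script is an added example, not code from the original page or from OX. It shows what a sending MTA does with the two artefacts above: it parses the _mta-sts TXT record, decides from the "id" whether a cached policy is still current (so no HTTPS fetch is needed), validates an mta-sts.txt policy against the field rules in the table (version first, allowed modes, max_age bounds, mx required unless mode is none), and matches MX hostnames against the policy's mx patterns, where a leading * matches exactly one DNS label as in RFC 8461. The sample TXT record and policy file are constructed inline from the google.com example shown above; no DNS or HTTPS lookups are performed.

```python
# Added example: parsing, validating and applying an MTA-STS policy offline.
# Sample data is constructed from the page's google.com example above.
SAMPLE_TXT = '"v=STSv1; id=20210803T010101;"'
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: smtp.google.com
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
max_age: 86400
"""

VALID_MODES = {"enforce", "testing", "none"}   # modes defined by RFC 8461
MIN_MAX_AGE, MAX_MAX_AGE = 86400, 31557600      # bounds given in the table above


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record (as printed by dig) into its key/value pairs."""
    fields = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 TXT record: %r" % txt)
    return fields


def policy_is_current(txt, cached_id):
    """True when the cached policy id equals the TXT id, i.e. the cached policy can be reused."""
    return parse_sts_txt(txt)["id"] == cached_id


def parse_policy(text):
    """Parse mta-sts.txt; returns (mode, mx_patterns, max_age) or raises ValueError."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].replace(" ", "") != "version:STSv1":
        raise ValueError("first line must be 'version: STSv1'")
    mode, mx, max_age = None, [], None
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mode":
            if value not in VALID_MODES or mode is not None:
                raise ValueError("invalid or duplicate mode: %r" % value)
            mode = value
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)        # non-numeric values also raise ValueError
        # unknown keys are ignored so that future extension fields do not break parsing
    if mode is None or max_age is None:
        raise ValueError("mode and max_age are required")
    if not MIN_MAX_AGE <= max_age <= MAX_MAX_AGE:
        raise ValueError("max_age %d outside %d..%d" % (max_age, MIN_MAX_AGE, MAX_MAX_AGE))
    if mode != "none" and not mx:
        raise ValueError("at least one mx entry is required unless mode is none")
    return mode, mx, max_age


def mx_matches(hostname, patterns):
    """True if hostname matches an mx pattern; a leading '*' matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            labels = host.split(".", 1)
            if len(labels) == 2 and labels[1] == pat[2:]:
                return True
        elif host == pat:
            return True
    return False


if __name__ == "__main__":
    record = parse_sts_txt(SAMPLE_TXT)
    mode, mx, max_age = parse_policy(SAMPLE_POLICY)
    print("policy id %s, mode %s, max_age %d" % (record["id"], mode, max_age))
    for host in ("alt1.aspmx.l.google.com", "deep.alt1.aspmx.l.google.com"):
        print(host, "allowed" if mx_matches(host, mx) else "NOT allowed")
```

When a domain's actual MX hosts are fed to mx_matches, any host that returns False would be refused by senders once the policy is in enforce mode, which is exactly the check worth running while the policy is still in testing mode.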
OX Roadmap
In Q1 2025 we plan to enable support for MTA-STS on our OX Cloud US platform.
Once support for MTA-STS is enabled on the MTA side, end users decide whether they want to use this functionality by creating the DNS entry and the policy file.
How to start using MTA-STS?
Step 1. Create the Policy in Testing Mode.
Step 2. Upload the TXT file to the webserver
Step 3. Publish the DNS Record
Step 4. Double-check the syntax of the policy and do a mail round-trip check. MTA-STS is now active for your domain.
(Step 5. Set up TLS-RPT) Not currently available at OX
Step 6. Change the Mode to "Enforce"
Step 7. Update the Version ID in your DNS record.