How to Configure MTA-STS for Your Domain
MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) lets your domain publish a policy requiring sending mail servers to use TLS, with a valid certificate, when delivering to your MX hosts. Without it, a sender falls back to plaintext whenever STARTTLS is unavailable or fails, which makes interception possible. Here's how to set it up.
What this finding means
When another mail server delivers email to your domain, it uses TLS only opportunistically: if your server does not advertise STARTTLS, or the TLS handshake fails, the sender typically continues in plaintext rather than refusing to deliver. Without MTA-STS there is nothing to enforce encryption, so an attacker positioned on the SMTP path could strip the STARTTLS offer, or redirect delivery to a host they control with spoofed MX answers, and read or tamper with inbound email.
MTA-STS publishes a policy (via a combination of a DNS record and a file hosted over HTTPS) that instructs sending mail servers to always use TLS, to validate your mail server's certificate against a publicly trusted CA, and to deliver only to the MX hostnames the policy lists. Only senders that implement MTA-STS honour it (major providers such as Gmail and Microsoft 365 do); other senders continue with opportunistic TLS, so the policy raises the floor without breaking anything.
Why it matters
- Prevents inbound email interception by STARTTLS stripping (the SMTP downgrade attack) and by redirection of delivery through spoofed MX answers, because the policy pins both TLS and the allowed MX hostnames
- Complements DMARC/SPF/DKIM, which authenticate who sent a message but say nothing about whether it travelled encrypted
- Is increasingly expected as part of a complete email security posture
- Is checked by domain security scanners and is the kind of transport-encryption measure reviewers look for under GDPR Article 32 (security of processing)
How to configure MTA-STS — step by step
MTA-STS requires two things: a policy file hosted on your web server, and a DNS TXT record.
Step 1: Create the MTA-STS policy file
Create a file with the following content, one key: value per line (lines end in LF or CRLF). Replace the mx: value with your actual MX hostname(s):
version: STSv1
mode: enforce
mx: mail.protection.outlook.com
max_age: 86400
If you have multiple MX records, add one mx: line per host:
version: STSv1
mode: enforce
mx: mail.protection.outlook.com
mx: mail2.yourdomain.com
max_age: 86400
Each mx: value must match the hostname your MX host presents in its TLS certificate. A wildcard on the leftmost label is allowed when your MX hosts share a parent domain: mx: *.mail.protection.outlook.com covers hosts one label below it, such as yourdomain-com.mail.protection.outlook.com, but not mail.protection.outlook.com itself or hosts two labels down.
max_age is how long, in seconds, senders may cache the policy. 86400 (one day) is reasonable while you are rolling out. Once you are confident in enforce mode, raise it to weeks (RFC 8461 expects values in that range, with a maximum of 31557600): a sender whose cached copy has expired and that cannot fetch a fresh one behaves as if you had no policy at all.
The mode: field controls what a sending server does when it cannot establish TLS with a valid certificate to one of the listed MX hosts:
- enforce: the sender must not deliver over the untrusted connection; it queues and retries, and the message is eventually returned to its sender if delivery never succeeds, rather than falling back to plaintext
- testing: the failure is reported via TLSRPT but the message is still delivered (use this first if unsure)
- none: the policy is disabled; use this to retire a policy cleanly before removing the DNS record
Step 2: Host the policy file
The file must be accessible at:
https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
This requires a subdomain mta-sts.yourdomain.com (an A/AAAA or CNAME record) pointing to a web server that serves this file over HTTPS with a certificate that is valid for that exact hostname and issued by a publicly trusted CA. Serve it with Content-Type text/plain and do not redirect: RFC 8461 forbids senders from following HTTP redirects, so a redirect to your www or apex host counts as a fetch failure. Plain HTTP is never accepted.
Step 3: Publish the DNS TXT record
Add a TXT record at _mta-sts.yourdomain.com:
v=STSv1; id=20260401000000
The id= value is a policy version identifier of 1 to 32 letters or digits. Senders cache the policy for max_age and compare the id they see in DNS with the one they cached; a changed id makes them refetch the file, so it must change any time you update your policy file. Update the file first and then change the id, so a sender that refetches never sees the old policy under the new id. A timestamp in YYYYMMDDHHMMSS format is a convenient choice.
Step 4: Optionally add TLSRPT
Add a TXT record at _smtp._tls.yourdomain.com (TLSRPT, RFC 8460) so that sending servers email you daily aggregate reports of TLS and MTA-STS failures, including policy fetch failures and certificate mismatches. Without it, testing mode gives you no visibility into what would break under enforce:
v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com
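An offline consistency check of the four pieces above (DNS record syntax, policy file syntax, mx: coverage of your real MX hosts, and the TLSRPT record), as an added example that is not the page's or MyDomainRisk's own code. The example.com domain, its MX hosts and the constructed "bad" policy are assumptions made for illustration; to check a live domain, paste in the output of `dig +short TXT _mta-sts.yourdomain.com`, the body fetched with `curl https://mta-sts.yourdomain.com/.well-known/mta-sts.txt`, and your MX hostnames.

```python
"""Offline consistency check for the MTA-STS pieces set up in Steps 1-4.

Added example, not code from this page or from MyDomainRisk. It parses the
_mta-sts TXT record and the mta-sts.txt body, checks the fields RFC 8461
requires, matches the mx: patterns (leftmost-label wildcards) against the
domain's MX hosts, and optionally checks the TLSRPT record. All sample input
is constructed; example.com and its MX hosts are assumptions.
"""
import re

STS_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")  # RFC 8461 s.3.1: id is 1-32 alphanumerics
MAX_AGE_LIMIT = 31557600                         # RFC 8461 s.3.2: one year is the maximum

# Constructed sample deployment (assumed names, not a real domain).
SAMPLE_STS_RECORD = "v=STSv1; id=20260401000000"
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: *.mail.protection.outlook.com\r\n"
                 "mx: mail2.example.com\r\nmax_age: 1209600\r\n")
SAMPLE_MX_HOSTS = ["example-com.mail.protection.outlook.com", "mail2.example.com"]
SAMPLE_TLSRPT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
# Same deployment with two common mistakes: an mx: pattern that does not cover
# the real MX hostname, and a one-day max_age while already enforcing.
SAMPLE_BAD_POLICY = "version: STSv1\nmode: enforce\nmx: mail.protection.outlook.com\nmax_age: 86400\n"


def parse_tag_record(txt):
    """Parse a 'k=v; k=v' TXT record (the format of both _mta-sts and _smtp._tls)."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    return fields


def parse_policy(body):
    """Parse mta-sts.txt: one 'key: value' per line, lines end in LF or CRLF."""
    policy = {"mx": []}  # mx may repeat; every other key appears once
    for line in body.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches(pattern, host):
    """RFC 8461 s.4.1: '*.example.com' matches mail.example.com only (one leftmost label)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return pattern == host


def validate(sts_record, policy_body, mx_hosts, tlsrpt_record=None):
    """Return a list of problems; an empty list means the pieces agree with each other."""
    problems = []
    rec = parse_tag_record(sts_record)
    if rec.get("v") != "STSv1":
        problems.append("TXT record must begin with v=STSv1")
    if not STS_ID_RE.match(rec.get("id", "")):
        problems.append("id= must be 1-32 letters or digits")
    pol = parse_policy(policy_body)
    mode = pol.get("mode")
    if pol.get("version") != "STSv1":
        problems.append("policy must declare version: STSv1")
    if mode not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none, got %r" % mode)
    try:
        max_age = int(pol.get("max_age", ""))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            problems.append("max_age must be between 0 and %d seconds" % MAX_AGE_LIMIT)
        elif mode == "enforce" and max_age < 604800:
            problems.append("max_age under a week: RFC 8461 expects weeks or more once enforcing")
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    if mode != "none":
        if not pol["mx"]:
            problems.append("at least one mx: line is needed unless mode is none")
        for host in mx_hosts:
            if not any(mx_matches(p, host) for p in pol["mx"]):
                problems.append("MX host %s is not covered by any mx: pattern" % host)
    if tlsrpt_record is not None:
        rpt = parse_tag_record(tlsrpt_record)
        if rpt.get("v") != "TLSRPTv1" or not rpt.get("rua", "").startswith(("mailto:", "https://")):
            problems.append("TLSRPT record must be v=TLSRPTv1 with a mailto: or https: rua")
    return problems


if __name__ == "__main__":
    print("good:", validate(SAMPLE_STS_RECORD, SAMPLE_POLICY, SAMPLE_MX_HOSTS, SAMPLE_TLSRPT))
    print("bad:", validate(SAMPLE_STS_RECORD, SAMPLE_BAD_POLICY, SAMPLE_MX_HOSTS, SAMPLE_TLSRPT))
```

Running it as a script prints no problems for the sample deployment and three for the "bad" policy: the short max_age and, because mx: names the parent domain rather than a wildcard, neither real MX host is covered, which is exactly the mistake that makes enforce mode stop mail from senders that honour the policy. The check is deliberately offline so it can be run in CI against the files you are about to publish.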
Verify it worked
Scan your domain at mydomainrisk.com — the MTA-STS finding will show as resolved once your DNS record and policy file are detected. MTA-STS also earns a TLSRPT bonus point on your security score when configured alongside a _smtp._tls reporting record.
Check your MTA-STS configuration
MyDomainRisk checks MTA-STS, TLSRPT, DMARC, DKIM, SPF and more — free, no account required.