**MTA-STS (Mail Transfer Agent Strict Transport Security)**, defined in RFC 8461, is an email security standard that lets a domain owner tell sending mail servers that mail for the domain must be delivered over TLS (STARTTLS) to MX hosts presenting a certificate valid for their hostname. It closes the gap left by opportunistic STARTTLS, where an attacker on the path can strip the STARTTLS offer or present any certificate and the sender silently falls back to plaintext; that is the downgrade and man-in-the-middle exposure it removes from inbound delivery. It protects only mail sent to you by MTAs that implement MTA-STS; your own outbound mail is governed by the recipient domains' policies.

This article explains how to create and deploy an MTA-STS policy and how to generate the policy version identifier (`id`).

---

## Prerequisites

- A domain name you control (e.g., `example.com`)
- Ability to create:
  - DNS TXT records
  - HTTPS-accessible static files (via web server, CDN, or object storage) with a publicly trusted certificate
- MX hosts that support STARTTLS and present publicly trusted certificates matching their MX hostnames; without that, `enforce` mode will bounce your inbound mail

---

## Step 1: Create the MTA-STS Policy File

Create a plain text file that will be served at:

```
https://mta-sts.example.com/.well-known/mta-sts.txt
```

> Replace `example.com` with your actual domain name. The host is always `mta-sts.` prefixed to the domain and the path is fixed: senders build this URL themselves and do not look anywhere else.

### Sample Policy File

```text
version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800
```

Each line is one `key: value` pair. RFC 8461 defines exactly these four keys; parsers ignore keys they do not recognise, so an extra line such as `id:` does no harm, but nobody reads it. The policy version `id` belongs in the DNS TXT record (Step 4), not in this file.

### Policy Fields Explained

| Field | Description |
|---|---|
| `version` | Must be `STSv1` |
| `mode` | `enforce` (refuse delivery when TLS or certificate validation fails), `testing` (deliver anyway, but report failures), or `none` (no active policy; used to retire one) |
| `mx` | One MX hostname pattern per `mx:` line; repeat the line for each MX. `*.example.com` matches exactly one leftmost label. Required unless `mode` is `none`. |
| `max_age` | How long, in seconds, senders may cache the policy; maximum 31557600 (one year). 604800 = 7 days. RFC 8461 expects values of weeks or more, since a short value gives an attacker frequent windows at refresh time. |

---

## Step 2: Generate the MTA-STS Policy Version Identifier (`id`)

The `id` is published in the `_mta-sts` DNS TXT record (Step 4). Senders cache your policy for up to `max_age`; when they see a different `id` in DNS they fetch the policy again, so the `id` must change **whenever the policy file changes**. If you change the file but not the `id`, senders keep applying the old policy until their cache expires.

RFC 8461 only requires the `id` to be 1 to 32 letters and digits, with no punctuation. A compact UTC timestamp is a convenient convention because it is unique and sorts chronologically:

```
YYYYMMDDTHHMMSSZ
```

The hyphens and colons of full ISO 8601 (`2025-07-01T15:00:00Z`) are **not** allowed in an `id`; use the compact form.

### Example

```text
id=20250701T150000Z
```

### Generate via Command Line (Linux/macOS)

```bash
date -u +"%Y%m%dT%H%M%SZ"
```

Sample output:

```text
20250701T220730Z
```

Use this value as the `id` in the DNS TXT record.
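As an added example (not code from this article or from any MTA-STS implementation), here is a small Python checker for what Steps 1 and 2 produce. It parses a policy file with the rules a sender applies, validates the `id` syntax as it appears in the DNS TXT record, and tests whether real MX hostnames are covered by the `mx` patterns, including the single-label wildcard. The policy text, TXT value and MX hostnames at the bottom are constructed samples for `example.com`; the one-week `max_age` warning is a local choice, not an RFC rule.

```python
"""Added example (not from the article): offline checker for an MTA-STS policy
file, the _mta-sts TXT record and the id, following the RFC 8461 grammar.
Sample inputs at the bottom are constructed for the fictional example.com."""
import re
from datetime import datetime, timezone

MAX_AGE_LIMIT = 31557600  # RFC 8461 caps max_age at one year (in seconds)
ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")  # sts-id = 1*32(ALPHA / DIGIT)
LABEL_RE = re.compile(r"^(\*|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)$")


def new_policy_id(now=None):
    """Fresh id in the YYYYMMDDTHHMMSSZ convention: 16 chars, all alphanumeric."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%dT%H%M%SZ")


def parse_policy(text):
    """Parse a policy body into a dict; raise ValueError on what a sender rejects."""
    policy = {"mx": []}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)  # one pattern per line, may repeat
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"duplicate field {key}")
            policy[key] = value
        # any other key (e.g. a stray "id:") is an extension and is ignored
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be a non-negative integer") from None
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be between 0 and {MAX_AGE_LIMIT}")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required unless mode is none")
    for pattern in policy["mx"]:
        labels = pattern.split(".")
        # a wildcard is only legal as the whole leftmost label
        if not all(LABEL_RE.match(lbl) for lbl in labels) or "*" in labels[1:]:
            raise ValueError(f"bad mx pattern {pattern!r}")
    return policy


def parse_dns_record(txt):
    """Parse 'v=STSv1; id=...' from _mta-sts.<domain> and return the id."""
    pairs = [p.strip() for p in txt.strip().rstrip(";").split(";")]
    fields = {}
    for pair in pairs:
        if "=" not in pair:
            raise ValueError(f"malformed pair {pair!r}")
        key, value = (part.strip() for part in pair.split("=", 1))
        fields[key] = value
    if not pairs[0].startswith("v=") or fields.get("v") != "STSv1":
        raise ValueError("record must start with v=STSv1")
    if not ID_RE.match(fields.get("id", "")):
        raise ValueError("id must be 1-32 letters or digits")
    return fields["id"]


def mx_matches(policy, mx_host):
    """True if an MX hostname from DNS is covered by one of the policy's patterns."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.com"
            # the wildcard stands for exactly one label, never for "a.b"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def check_deployment(policy_text, dns_txt, mx_hosts):
    """Cross-check policy body, TXT record and the domain's MX hosts.
    Returns a list of problems; an empty list means the pieces agree."""
    try:
        policy = parse_policy(policy_text)
    except ValueError as exc:
        return [f"policy: {exc}"]
    problems = []
    try:
        parse_dns_record(dns_txt)
    except ValueError as exc:
        problems.append(f"dns: {exc}")
    for host in mx_hosts:
        if not mx_matches(policy, host):
            problems.append(f"mx host {host} is not covered by the policy")
    # local choice, not an RFC rule: short caches mean frequent refresh windows
    if policy["mode"] == "enforce" and policy["max_age"] < 604800:
        problems.append("max_age under one week in enforce mode")
    return problems


# Constructed sample deployment for example.com (not real DNS data)
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
                 "mx: *.backup.example.com\nmax_age: 604800\n")
SAMPLE_TXT = "v=STSv1; id=20250701T150000Z"
SAMPLE_MX_HOSTS = ["mail.example.com", "mx2.backup.example.com"]

if __name__ == "__main__":
    print("next id:", new_policy_id())
    print("problems:", check_deployment(SAMPLE_POLICY, SAMPLE_TXT, SAMPLE_MX_HOSTS))
```

Run it as a script to see the checks pass on the sample; swap in your real policy body, the TXT value from `dig +short TXT _mta-sts.example.com` and the hostnames from `dig +short MX example.com` to check a live deployment. `check_deployment` returns an empty list only when every MX host is covered and both the policy and the record parse.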
---

## Step 3: Host the Policy via HTTPS

- Create a subdomain: `mta-sts.example.com` (an A/AAAA or CNAME record pointing at your web server, CDN, or object storage)
- Host the file at:
  ```
  https://mta-sts.example.com/.well-known/mta-sts.txt
  ```
- Ensure:
  - HTTPS is properly configured and the certificate is issued by a publicly trusted CA for the name `mta-sts.example.com`; a self-signed or internal-CA certificate makes every sender treat the fetch as failed
  - The URL answers `200 OK` directly. Senders must not follow HTTP redirects, so a CDN or web-server rule that redirects to `www.` or from another path breaks policy retrieval
  - The policy file is served with `Content-Type: text/plain`

---

## Step 4: Add the DNS TXT Record

Create the following DNS TXT record:

| Name | Type | Value |
|---|---|---|
| `_mta-sts.example.com` | TXT | `v=STSv1; id=20250701T150000Z` |

> The presence of this record is what tells a sender that your domain has an MTA-STS policy at all. `v=STSv1` must come first; the `id` is the value generated in Step 2 and must be changed every time the policy file changes.

---

## Example: Complete Setup for `example.com`

**1. HTTPS Policy File**

- URL: `https://mta-sts.example.com/.well-known/mta-sts.txt`
- Contents:

```text
version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800
```

**2. DNS TXT Record**

- Name: `_mta-sts.example.com`
- Value: `v=STSv1; id=20250701T150000Z`

---

## Step 5: Validate Your Configuration

Use tools like:

- [Google MTA-STS Validator](https://toolbox.googleapps.com/apps/mta-sts/)
- [Hardenize](https://www.hardenize.com/)
- [SSLMate MTA-STS Scanner](https://mta-sts.sslmate.com/)

Beyond syntax, these tools check what a sender actually checks: that the policy fetch succeeds without redirects and with the right media type, that every MX host in your DNS is covered by an `mx` pattern, and that each MX completes STARTTLS with a certificate valid for its hostname.

---

## Tips

- Start with `mode: testing` and switch to `enforce` only after failure reports have been clean for a while. In `testing` mode mail is still delivered, so the only way to learn about failures is TLS reporting (TLSRPT, RFC 8460); publish a `_smtp._tls` record alongside the policy
- Always publish a new `id` in DNS when:
  - Changing `mx` entries
  - Changing `mode`
  - Updating `max_age`
- When migrating mail servers, add the new MX hostname to the policy (with a new `id`) before changing your MX records, and remove the old one only after `max_age` has passed; otherwise senders holding a cached policy will refuse delivery to the new host
- Every MX listed must present a publicly trusted certificate matching the MX hostname (not the mail domain); an expired or mismatched certificate in `enforce` mode means bounced mail

---

## References

- [RFC 8461 - SMTP MTA Strict Transport Security (MTA-STS)](https://datatracker.ietf.org/doc/html/rfc8461)
- [RFC 8460 - SMTP TLS Reporting](https://datatracker.ietf.org/doc/html/rfc8460)
- [Google MTA-STS Deployment Guide](https://support.google.com/a/answer/9268036?hl=en)
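The checks of Steps 3 and 5 can also be run from your own machine. The following is an added example, not code from this article or from any of the validators listed above; it uses only the Python standard library, assumes outbound access to ports 443 and 25, and takes the domain as a command-line argument (`example.com` is the placeholder default). It fetches the policy the way a sender must (HTTPS with certificate verification, refusing redirects, insisting on `text/plain`) and then opens SMTP to each literal `mx` host to confirm STARTTLS completes with a certificate that chains to a trusted CA and matches that hostname.

```python
"""Added example (not from the article): live checks of Steps 3 and 5 done the
way a sending MTA does them, standard library only. Domain comes from argv."""
import smtplib
import ssl
import sys
import urllib.request
from urllib.error import HTTPError

POLICY_PATH = "/.well-known/mta-sts.txt"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """RFC 8461 forbids following 3xx when fetching a policy: treat it as failure."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise HTTPError(req.full_url, code,
                        "redirect not allowed for an MTA-STS policy", headers, fp)


def policy_url(domain):
    """Senders derive the URL from the domain alone; nothing else is consulted."""
    return f"https://mta-sts.{domain}{POLICY_PATH}"


def check_response(status, content_type):
    """Problems with a fetch outcome: must be HTTP 200 with media type text/plain."""
    problems = []
    if status != 200:
        problems.append(f"expected HTTP 200, got {status}")
    media = (content_type or "").split(";", 1)[0].strip().lower()
    if media != "text/plain":
        problems.append(f"Content-Type must be text/plain, got {content_type!r}")
    return problems


def fetch_policy(domain, timeout=10):
    """Fetch the policy body over HTTPS with CA verification and no redirects."""
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.HTTPSHandler(context=ssl.create_default_context()))
    with opener.open(policy_url(domain), timeout=timeout) as resp:
        problems = check_response(resp.status, resp.headers.get("Content-Type"))
        if problems:
            raise ValueError("; ".join(problems))
        return resp.read().decode("utf-8")


def check_mx_starttls(mx_host, timeout=10):
    """Connect to the MX, negotiate STARTTLS and verify that the certificate chains
    to a trusted CA and matches mx_host, which is what enforce mode demands.
    Returns the negotiated TLS version; raises ssl.SSLCertVerificationError otherwise."""
    ctx = ssl.create_default_context()  # CA verification and hostname check are on by default
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise ValueError(f"{mx_host} does not advertise STARTTLS")
        smtp.starttls(context=ctx)  # wraps the socket with server_hostname=mx_host
        return smtp.sock.version()


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    body = fetch_policy(domain)
    print(body)
    for line in body.splitlines():
        key, _, value = line.partition(":")
        # wildcard entries are patterns, not hosts, so there is nothing to connect to
        if key.strip() == "mx" and "*" not in value:
            print(value.strip(), check_mx_starttls(value.strip()))
```

A redirect, a non-200 status, a wrong media type or an untrusted HTTPS certificate all raise before any MX is contacted, which mirrors the sender's view: if the policy cannot be fetched, it is as if none were published. For wildcard `mx` entries, run `check_mx_starttls` against the concrete hostnames from your MX records instead.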