MTA-STS Email Security

MTA-STS: How to Improve Your Email Security
To enable MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) for your domain, "example.com," you need to follow several steps. MTA-STS lets a receiving domain publish a policy telling sending mail servers that mail for the domain must be delivered over TLS, to one of the listed MX hosts, with a certificate that validates for that host; in enforce mode a sender that cannot meet those conditions refuses to deliver instead of falling back to an unencrypted or unvalidated connection. Here's a detailed step-by-step process to enable MTA-STS. NOTE: example.com must be replaced with your domain name throughout.
Step 1: Before implementing MTA-STS, make sure you have the following prerequisites in place:
- A domain name registered and managed by you or your organization (e.g., "example.com").
- Administrative access to your domain's DNS records.
- Mail servers (MX hosts) that already accept STARTTLS, each with a valid, publicly trusted TLS certificate issued for the MX hostname itself (the name in your MX record, e.g. mail.example.com), plus a certificate for the web host mta-sts.example.com that will serve the policy file.
Step 2: Publish a TLSRPT record. SMTP TLS Reporting (TLSRPT, RFC 8460) is a DNS TXT record that tells sending mail servers where to send their reports about the TLS connections they made, or failed to make, to your MX hosts, including any MTA-STS policy problems they ran into. Publish it before the policy so that you receive reports while the policy is still in testing mode. To create the TLSRPT record:
- Log in to your domain registrar or DNS provider's control panel.
- Locate the DNS management section for your domain.
- Add a new DNS TXT record with the following details:
- Record Name: _smtp._tls.example.com
- Record Value: "v=TLSRPTv1; rua=mailto:mta-sts@example.com" (replace "mta-sts@example.com" with the mailbox that should receive the reports; RFC 8460 also allows an https: reporting endpoint instead of a mailbox)
- Save the record to publish it in the DNS zone.
Step 3: Create the MTA-STS policy file. The policy tells sending mail servers which MX hosts are legitimate for your domain and how strictly they should treat a TLS failure.
- Create a text file on your server or local machine using a text editor.
- Add the following lines to the file:

    version: STSv1
    mode: testing
    mx: mail.example.com
    max_age: 86400

- "mode: testing" lets sending servers report problems via TLSRPT without affecting delivery. Once the reports show no failures, change it to "mode: enforce" so that senders refuse to deliver rather than fall back to an insecure connection. The only valid modes are none, testing and enforce; a misspelling such as "mode: test" makes the whole policy invalid.
- Replace "mail.example.com" with the hostname from your MX record. Add one "mx:" line per MX host; a wildcard in the leftmost label, e.g. "mx: *.example.com", covers every host directly under that name (mail.example.com, but not mail.internal.example.com).
- "max_age" defines the time, in seconds, for which sending servers may cache the policy (maximum 31557600, one year). 86400 (24 hours) is convenient while testing; once enforcing, RFC 8461 expects a value in the range of weeks, e.g. 1209600 (two weeks), so that a cached policy keeps protecting mail even when the sender cannot refresh it.
- Save the file as "mta-sts.txt" (the filename and location are fixed by the standard).
Step 4: Publish the MTA-STS policy on your web server. Follow these steps:
- Create a subdomain, mta-sts.example.com, served over HTTPS. Confirm there is a folder named .well-known in the root of this subdomain; create it if necessary.
- Upload the "mta-sts.txt" file to this .well-known folder.
- Make sure the HTTPS certificate is valid for the name mta-sts.example.com; a certificate issued for example.com alone does not cover it unless it also lists the subdomain or is a wildcard.
- Create a DNS A record (and an AAAA record if the server has IPv6) with the name mta-sts pointing to the IP address of your web server.
- Ensure the policy is accessible via the public URL https://mta-sts.example.com/.well-known/mta-sts.txt in a web browser, is served as plain text (Content-Type: text/plain) and is not behind a redirect; sending servers do not follow redirects and would treat the policy as unavailable.
Step 5: Add the MTA-STS record to DNS. This TXT record is what tells sending servers that your domain has a policy and when it has changed. Here's how:
- Log in to your domain registrar or DNS provider's control panel.
- Locate the DNS management section for your domain.
- Add a new DNS TXT record with the following details:
- Record Name: _mta-sts (i.e. _mta-sts.example.com)
- Record Value: v=STSv1; id=<identifier>. The id is 1 to 32 letters and digits. It need not be secret or random, but it must change every time you change the policy file, because sending servers only fetch a new copy when the id differs from the one they cached (or their cached copy has expired). A date and time stamp works well, e.g. id=20231007T1700.
- Save the record to publish it in the DNS zone.
Step 6: Verify the MTA-STS setup. Use an MTA-STS testing tool or online checker, or verify by hand: the commands dig +short TXT _mta-sts.example.com and dig +short TXT _smtp._tls.example.com should return the records you published, and curl -sS https://mta-sts.example.com/.well-known/mta-sts.txt should return the policy file directly, over a valid certificate and without a redirect. Also confirm that every host named in an mx: line offers STARTTLS with a certificate valid for that hostname, for example with openssl s_client -starttls smtp -connect mail.example.com:25 -servername mail.example.com. While the policy is in testing mode, senders report problems but still deliver, so nothing breaks while you check.
Step 7: Once verification passes and the TLSRPT reports show no failures, edit your policy file and change mode: testing to mode: enforce, raising max_age to a value in the range of weeks at the same time. Then edit your _mta-sts DNS record and change the id (e.g. update the date and time) so that sending servers notice the change and fetch the new policy.
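The checks in Steps 5 to 7 can be scripted. The following Python is an added example, not part of the original guide: it parses a _mta-sts TXT record and a policy file the way a sending mail server would, flags the mistakes that make a policy unusable (such as an unknown mode value or a bad wildcard), warns about a short max_age in enforce mode, and checks that every MX host is covered by an mx: line using RFC 8461 wildcard matching. The TXT record, policy text and MX hostnames it runs on are constructed samples, not fetched from DNS; replace them with the output of dig and curl for your own domain.

```python
"""Offline checks for an MTA-STS deployment (RFC 8461).

The constructed samples below stand in for the output of
  dig +short TXT _mta-sts.example.com
  curl -sS https://mta-sts.example.com/.well-known/mta-sts.txt
"""
import re

VALID_MODES = {"none", "testing", "enforce"}
MAX_AGE_LIMIT = 31_557_600  # RFC 8461: max_age must not exceed one year
WEEK = 604_800              # RFC 8461 expects max_age "in the range of weeks" once enforcing

# Constructed sample of the _mta-sts.example.com TXT record (hypothetical id).
SAMPLE_TXT = "v=STSv1; id=20231007T1700"
# Constructed sample policy body, as served at the .well-known URL (hypothetical hosts).
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: testing\n"
    "mx: mail.example.com\n"
    "mx: *.backup.example.com\n"
    "max_age: 86400\n"
)

def parse_sts_txt(record):
    """Parse the _mta-sts TXT record; raise ValueError if senders would ignore it."""
    if not record.strip().startswith("v=STSv1"):
        raise ValueError("record must begin with v=STSv1")
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    # id is 1-32 letters/digits; it must change every time the policy file changes
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields

def parse_policy(text):
    """Parse the policy body into a dict; all mx lines are collected under 'mx'."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        elif key in policy:
            raise ValueError(f"duplicate policy key: {key}")
        else:
            policy[key] = value
    return policy

def validate_policy(policy):
    """Return (errors, warnings); any error makes senders treat the policy as invalid."""
    errors, warnings = [], []
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in VALID_MODES:
        errors.append(f"mode must be none, testing or enforce, not {mode!r}")
    if not policy["mx"]:
        errors.append("at least one mx line is required")
    for pattern in policy["mx"]:
        # a wildcard is only allowed as the entire leftmost label, e.g. *.example.com
        if "*" in pattern and not (pattern.startswith("*.") and "*" not in pattern[2:]):
            errors.append(f"invalid wildcard in mx pattern {pattern!r}")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        errors.append(f"max_age must be an integer of at most {MAX_AGE_LIMIT} seconds")
    elif mode == "enforce" and int(max_age) < WEEK:
        warnings.append("max_age under a week: cached protection lapses quickly if senders cannot refresh")
    return errors, warnings

def mx_matches(pattern, hostname):
    """RFC 8461 MX matching: exact match, or '*.' standing in for exactly one leading label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname

def check_deployment(txt_record, policy_text, mx_hosts):
    """Run all checks; mx_hosts are the hostnames from the domain's MX records."""
    txt = parse_sts_txt(txt_record)
    policy = parse_policy(policy_text)
    errors, warnings = validate_policy(policy)
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            errors.append(f"MX host {host} is not covered by any mx: line")
    return {"id": txt["id"], "mode": policy.get("mode"), "errors": errors, "warnings": warnings}

if __name__ == "__main__":
    print(check_deployment(SAMPLE_TXT, SAMPLE_POLICY, ["mail.example.com", "mx2.backup.example.com"]))
```

An empty errors list means a sending server would accept the policy as written; a host listed in check_deployment's mx_hosts that no mx: line covers is exactly the case where enforce mode would start refusing mail to that host, so fix the policy (or the MX records) before switching modes.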
Step 8: Monitor the TLSRPT reports. Once the policy is published, mail servers that send to your domain and support TLSRPT will report, usually once a day, on the TLS connections they made to your MX hosts and on any MTA-STS policy problems they encountered. These reports are sent to the address specified in the TLSRPT record.
- Check the mailbox specified in the TLSRPT record for incoming reports.
- Analyse the reports to identify problems with secure connections. While you are in testing mode, every failure listed (for example certificate-host-mismatch or starttls-not-supported) is mail that would be refused once you switch to enforce, so resolve them first.
- Reports are delivered as gzip-compressed JSON files (.json.gz, RFC 8460), which you can uncompress with 7-Zip or gunzip and then read with any text editor.
- There are also paid services, listed below, which aggregate the reports and present them in a more human-readable form.
- dmarcly.com
- powerdmarc.com
- mailhardener.com
- redsift.com
These are just a few of the many providers of MTA-STS and TLSRPT reporting services.
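To see what is actually inside a TLSRPT report without a paid service, the following Python is an added example, not from the original guide or any of the providers above: it decompresses a report attachment, reads the RFC 8460 JSON and summarises successful and failed sessions per policy, with failures broken down by result type and by receiving MX host, and then answers the Step 7 question of whether it is safe to switch to enforce. The report it processes is constructed inline for illustration (hypothetical reporter, hostnames, addresses and counts), not a real report.

```python
"""Summarise an SMTP TLS report (RFC 8460) from the TLSRPT rua mailbox.

Reports arrive as gzip-compressed JSON attachments. The report below is constructed
for illustration (hypothetical reporter, hosts and counts) in the RFC 8460 shape.
"""
import gzip
import json
from collections import Counter

SAMPLE_REPORT = {
    "organization-name": "Example Sender Inc",
    "date-range": {"start-datetime": "2023-10-07T00:00:00Z",
                   "end-datetime": "2023-10-07T23:59:59Z"},
    "contact-info": "tlsrpt@sender.example",
    "report-id": "2023-10-07T00:00:00Z_example.com",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-string": ["version: STSv1", "mode: testing",
                              "mx: mail.example.com", "max_age: 86400"],
            "policy-domain": "example.com",
            "mx-host": ["mail.example.com"],
        },
        "summary": {"total-successful-session-count": 120,
                    "total-failure-session-count": 7},
        "failure-details": [
            {"result-type": "certificate-host-mismatch", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mail.example.com", "failed-session-count": 5},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "192.0.2.11",
             "receiving-mx-hostname": "mail.example.com", "failed-session-count": 2},
        ],
    }],
}
SAMPLE_JSON = json.dumps(SAMPLE_REPORT).encode("utf-8")
SAMPLE_ATTACHMENT = gzip.compress(SAMPLE_JSON)  # the bytes of a .json.gz attachment

def load_report(data):
    """Parse attachment bytes; gzip (magic 1f 8b) is decompressed, plain JSON used as-is."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return json.loads(data.decode("utf-8"))

def policy_mode(policy):
    """Recover the mode from the policy-string lines the reporter echoes back."""
    for line in policy.get("policy-string", []):
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            return value.strip()
    return None

def summarise(report):
    """Per policy: session totals plus failures by result-type and by receiving MX host."""
    out = {"reporter": report.get("organization-name"),
           "start": report.get("date-range", {}).get("start-datetime"),
           "end": report.get("date-range", {}).get("end-datetime"),
           "policies": []}
    for entry in report.get("policies", []):
        policy = entry.get("policy", {})
        totals = entry.get("summary", {})
        by_type, by_mx = Counter(), Counter()
        for detail in entry.get("failure-details", []):
            count = int(detail.get("failed-session-count", 0))
            by_type[detail.get("result-type", "unknown")] += count
            by_mx[detail.get("receiving-mx-hostname", "unknown")] += count
        ok = int(totals.get("total-successful-session-count", 0))
        failed = int(totals.get("total-failure-session-count", 0))
        out["policies"].append({
            "domain": policy.get("policy-domain"),
            "type": policy.get("policy-type"),  # "sts", "tlsa" (DANE) or "no-policy-found"
            "mode": policy_mode(policy),
            "successful": ok,
            "failed": failed,
            "failure_rate": round(failed / (ok + failed), 4) if ok + failed else 0.0,
            "failures_by_type": dict(by_type),
            "failures_by_mx": dict(by_mx),
        })
    return out

def enforce_ready(summary, max_failure_rate=0.0):
    """In testing mode every reported failure is mail that enforce mode would refuse."""
    return all(p["failure_rate"] <= max_failure_rate for p in summary["policies"])

if __name__ == "__main__":
    digest = summarise(load_report(SAMPLE_ATTACHMENT))
    for p in digest["policies"]:
        print(f"{p['domain']} ({p['type']}, mode={p['mode']}): "
              f"{p['successful']} ok, {p['failed']} failed, {p['failures_by_type']}")
    print("safe to switch to enforce:", enforce_ready(digest))
```

The result types in failures_by_type are the RFC 8460 names: certificate-host-mismatch usually means an MX host presents a certificate for a different name than the one in your MX record, starttls-not-supported means a host is still accepting plaintext-only sessions, and sts-policy-fetch-error or sts-policy-invalid point at the web server or policy file from Steps 3 and 4 rather than at the mail servers.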
