
How Does MTA-STS Work?

MTA-STS works with a DNS record and a defined policy, but there is more to it than meets the eye.

A correctly structured MTA-STS setup has three parts:

  • A DNS TXT record that identifies that an MTA-STS policy is configured.
  • A DNS TXT record that defines the email address that receives reports about failed TLS connections. This record is optional and only needed if you want TLS reporting.
  • A plain text file, publicly available and defined on the host rather than the DNS server, that controls how emails delivered without a TLS connection are handled.

When a mail server has an email to deliver, it performs a DNS record lookup for the recipient domain. It finds that the domain supports a TLS connection and initiates a TLS handshake. At the same time, the MTA-STS DNS record tells the mail server where it can get the rule file. The rule file is fetched via HTTPS, and the web server's certificate is verified during the fetch.

When the rule file has been received, the sending SMTP server checks the MTA-STS rule of the recipient domain. If the TLS connection is successful and the rule permits it, the email is delivered to the recipient’s inbox. If the TLS connection fails and the rule is configured to reject in that case, the email is not delivered.

Meanwhile, if configured, TLS reports provide feedback on successful and failed connections and help administrators identify problems.

This describes the overall operation of MTA-STS. It becomes even clearer when you configure MTA-STS for your own domain.
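The sender-side flow described above, as an added example that is not code from the article: it parses the “_mta-sts” TXT record, parses the fetched rule file, matches the MX host the sender connected to against the policy, and decides what to do with the message. The record and policy text are constructed samples for a hypothetical domain, and the field names and modes (version, mode, mx, max_age; enforce, testing, none) are those defined in RFC 8461.

```python
# Added example (not from the article): the checks a sending MTA performs
# under MTA-STS, written from the RFC 8461 policy format.

# Constructed _mta-sts TXT record and rule file for a hypothetical domain.
SAMPLE_TXT = "v=STSv1; id=20240101T000000"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record and return its policy id, or raise."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("not an MTA-STS record")
    ident = fields.get("id", "")
    if not (1 <= len(ident) <= 32 and ident.isalnum()):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return ident


def parse_policy(text):
    """Parse the mta-sts.txt body into a dict and validate the required fields."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)       # one line per permitted MX host
        elif key == "max_age":
            policy["max_age"] = int(value)   # cache lifetime in seconds
        elif key in ("version", "mode"):
            policy[key] = value
        # any other key is an extension field and is ignored
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if "max_age" not in policy:
        raise ValueError("max_age is required")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx entry")
    return policy


def mx_matches(pattern, hostname):
    """Match an MX hostname against a policy mx entry.

    A leading "*." wildcard matches exactly one leftmost label, so
    "*.backup.example.com" matches "mx1.backup.example.com" but neither
    "backup.example.com" nor "a.b.backup.example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".backup.example.com"
        if not hostname.endswith(suffix):
            return False
        head = hostname[:-len(suffix)]
        return bool(head) and "." not in head
    return pattern == hostname


def decide(policy, mx_host, tls_ok, cert_ok):
    """What the sending MTA does after its connection attempt to mx_host."""
    compliant = tls_ok and cert_ok and any(mx_matches(p, mx_host) for p in policy["mx"])
    if compliant:
        return "deliver"
    if policy["mode"] == "enforce":
        return "reject"               # never fall back to an unprotected delivery
    if policy["mode"] == "testing":
        return "deliver-and-report"   # deliver anyway, but send a TLSRPT failure report
    return "deliver"                  # mode none: behave as if no policy existed


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(parse_sts_txt(SAMPLE_TXT), policy)
    print(decide(policy, "mail.example.com", True, True))   # deliver
    print(decide(policy, "mail.example.com", True, False))  # reject
```

The decision function is where the security property lives: in enforce mode a failed handshake, an untrusted certificate or an MX host not listed in the policy all end in rejection rather than a silent fallback to plaintext, which is exactly the downgrade MTA-STS exists to prevent.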

How to Configure MTA-STS DNS Records?

MTA-STS has a two-part DNS record. One part declares that the server supports TLS connections, and the other part specifies where to send the optional TLS reports.

The first DNS record, which identifies that the server supports TLS connections, is named “_mta-sts”. Its value is defined by the following tags:

Tag  Explanation
v    Defines the MTA-STS version. The only current version is “STSv1”.
id   An alphanumeric string of up to 32 characters used to track the policy version. If your email service provider does not supply one, generate a unique value yourself or use an MTA-STS record generator.
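How a sending server actually uses the id tag, as an added example rather than code from the article: the sender caches a fetched policy for max_age seconds and refetches early only when the id published in DNS changes. A failed DNS lookup does not discard a still-valid cached policy. The id format generated here (a UTC timestamp) is one common convention, not a requirement; the caching rules follow RFC 8461.

```python
# Added example (not from the article): generating a policy id and deciding
# when a cached policy must be refetched.
from datetime import datetime, timezone


def new_policy_id(now=None):
    """Return a fresh id for a new policy version: a UTC timestamp, alphanumeric, <= 32 chars."""
    now = now or datetime.now(timezone.utc)
    ident = now.strftime("%Y%m%dT%H%M%SZ")  # e.g. 20240101T120000Z
    if not (ident.isalnum() and len(ident) <= 32):
        raise ValueError("policy id must be 1-32 alphanumeric characters")
    return ident


def needs_refresh(cached, dns_id, now):
    """Decide whether the sender should refetch the policy over HTTPS.

    cached: None, or a dict with 'id', 'fetched_at' (epoch seconds) and 'max_age' (seconds)
    dns_id: the id from the current _mta-sts TXT lookup, or None if the lookup failed
    """
    if cached is None:
        return True  # nothing cached yet: fetch the policy
    if dns_id is not None and dns_id != cached["id"]:
        return True  # the domain owner published a new policy version
    return now >= cached["fetched_at"] + cached["max_age"]  # cached copy has expired


if __name__ == "__main__":
    cached = {"id": new_policy_id(), "fetched_at": 1_000, "max_age": 604_800}
    print(needs_refresh(cached, cached["id"], 2_000))  # False: id unchanged, still fresh
    print(needs_refresh(cached, "20991231T235959Z", 2_000))  # True: new id in DNS
```

Bumping the id whenever the policy file changes is what makes a change take effect before max_age runs out; forgetting to do so leaves senders enforcing the old policy for up to a week in the typical configuration.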

The other MTA-STS DNS record, used to set up TLS reporting, has the following name:

Once you complete these steps, you will have configured the MTA-STS records for your domain name. However, you still need to publish the MTA-STS policy on your web hosting.

How to Structure an MTA-STS Rule Text File?

The MTA-STS record points sending servers to the TLS policy, a plain text file stored on your domain’s web server. There are a few rules you need to understand before creating this file:

  • The MTA-STS rule file has the following name: “mta-sts.txt”
  • The rule file is always stored/created at: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

To comply with these rules, you may need to create the subdomain “mta-sts.domainname.com” if it does not already exist. You may also need to create the “.well-known” folder in the subdomain if it does not already exist.
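The fixed location above means a sending server never has to discover where the policy lives: it builds the one permitted URL from the recipient domain and refuses anything else. The added example below (not code from the article) does that and applies the checks RFC 8461 asks of the sender: HTTPS only, a validated certificate, no redirects, a text/plain body. The HTTPS transport is injected as a function so the example runs offline against a constructed response for a hypothetical domain; the 64 KiB size cap is an assumption of this example, not a figure from the specification.

```python
# Added example (not from the article): fetching the policy file from its
# fixed .well-known location with the sender-side checks RFC 8461 requires.
from urllib.parse import urlsplit

MAX_POLICY_BYTES = 64 * 1024  # defensive cap on what we will parse (this example's choice)


def policy_url(domain):
    """The policy is only ever fetched from this HTTPS location under the mta-sts subdomain."""
    host = domain.strip().lower().rstrip(".")
    return f"https://mta-sts.{host}/.well-known/mta-sts.txt"


def fetch_policy(domain, http_get):
    """Fetch and sanity-check the raw policy text for a domain.

    http_get(url) -> (status, headers, body) is supplied by the caller; a real
    implementation must validate the server certificate and must not follow redirects.
    """
    status, headers, body = http_get(policy_url(domain))
    if status != 200:
        raise ValueError(f"policy fetch failed: HTTP {status}")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "text/plain":
        raise ValueError(f"policy must be served as text/plain, got {ctype!r}")
    if len(body) > MAX_POLICY_BYTES:
        raise ValueError("policy body too large")
    return body.decode("ascii")  # the policy file is plain ASCII text


def fake_https_get(url):
    """Constructed stand-in for an HTTPS client: serves a policy for one hypothetical domain."""
    parts = urlsplit(url)
    if (parts.scheme, parts.netloc, parts.path) == (
        "https", "mta-sts.example.com", "/.well-known/mta-sts.txt"
    ):
        body = b"version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 86400\n"
        return 200, {"content-type": "text/plain"}, body
    return 404, {}, b""


if __name__ == "__main__":
    print(policy_url("example.com"))
    print(fetch_policy("example.com", fake_https_get))
```

In a real sender the injected function would be a TLS-validating HTTP client with redirects disabled; keeping the transport separate from the checks makes the location and content rules testable without network access.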

After both of these conditions are met, you can create the plain text file that defines the MTA-STS policy. Before you do, the tags used in the rule file and their meanings are listed in the following table:
