- Add a TXT or CNAME type DNS record at _mta-sts.example.com which specifies support for MTA-STS for your domain.
- Set up an HTTPS-enabled web server with a valid certificate
Լight modeDark mode
The MTA-STS Policy File
The MTA-STS policy file is essentially a simple text file, which looks like the following:
version: STSv1
mode: enforce
mx: mx1.powerdmarc.com
mx: mx2.powerdmarc.com
mx: mx3.powerdmarc.com
max_age: 604800
Note: The version field must be included at the beginning of the text file while other fields can be incorporated in any order.
The policy file uses key-value pairing with each value encoded on a separate line in the text file as shown above. The size of this file can extend up to 64 KB. The name of the policy file must be mta-sts.txt. Policy files are required to be updated every time you add or alter mail servers in your domain.
Note: Setting MTA-STS in enforcement mode can cause some emails not to be delivered to you. Therefore it is advisable to set the policy mode to testing instead and opt for a low max_age to ensure that everything is working correctly before shifting to enforce the policy. We recommend setting up TLS-RPT for your policy in testing mode as well to get notified in case emails are sent in plaintext.
Publishing the MTA-STS Policy File
- Support HTTPS/SSL
- The server certificate must be signed and validated by a third-party root certificate authority.
In order to publish a policy file for your domain, you should set up a public web server with the subdomain “mta-sts” added to your domain.. The created policy file must be published in the .well-known directory created in the subdomain. The URL for your uploaded MTA-STS policy file might appear something like this:
https://mta-sts.powerdmarc.com/.well-known/mta-sts.txt
MTA-STS DNS Record
v=STSv1; id=30271001S00T000;
Note: The TXT record id value must be updated to a new value every time you make changes to the policy.
The MTA-STS DNS Record is used to:
- Specify support for MTA-STS for the domain
- Signal the MTA to re-fetch the policy over HTTPS in case the policy is altered
Note that with the MTA-STS TXT DNS record, the policy file can be stored by MTAs for a longer time period without having to re-fetch the policy unless it has been altered, while still performing a DNS query every time an email is received for the domain.
Configuring MTA-STS for Your Domain
In order to enable MTA-STS for your domain you would be required to:
Course content
Advanced Email Authentication Course
Standard Email Protocols: SMTP, POP3 & IMAP Free4 m- What is Email Security? Free4 m
- Email Security Practices Free4 m
- Building an Email Security Compliance Model Free5 m
- Corporate Email Security Checklist Free3 m 30 s
- What is the difference between Inbound email security and outbound email security? Free4 m
- What is Information Security? Free4 m
- Zero Trust Security Model Free3 m
- What is SPF Alignment? Free3 m
- How to Set Up Microsoft Office 365 SPF record? Free4 m
- How to Set Up Google Workspace SPF Record? Free2 m
- How to Set Up MailChimp SPF Record? Free3 m
- How to Set Up SendGrid SPF Record? Free2 m
- How to Set Up Salesforce SPF Record? Free3 m
- How to Setup Zoho Mail SPF Record? Free2 m
- What is DMARC Compliance? Free2 m
- The Benefits of DMARC Free2 m
- DMARC Configuring Free3 m
- Achieving DMARC Enforcement Free2 m
- DMARC Vs Antispam Solutions Free2 m
- DMARC Identifier Alignment Free2 m
- DMARC sp Tag Exceptions & Uses Free1 m
- Configuring DMARC without DKIM Free3 m
- Configuring DMARC without SPF Free2 m
- DMARC Aggregate Report Views Free3 m
Video - PowerDMARC Aggregate Reports Free2 m 13 s- DMARC Forensic Report Views Free2 m
- Video - PowerDMARC Forensic Reports Free
- DMARC Forensic PGP Encryption and Decryption Free2 m
- TLS Report Views Free3 m
- Video - PowerDMARC TLS Reports Free
- PDF/CSV Reports Free2 m
- Video - PowerDMARC PDF/CSV Reports Free1 m 1 s