How to Fix "MTA-STS Policy is Missing" ?
In order to enable MTA-STS for your domain as the email receiver, you need to host an MTA-STS policy file in your DNS. This allows external email senders to send emails to your domain that are authenticated and TLS encrypted with an updated version of TLS (1.2 or higher).
Not having a published or updated policy file for your domain can be the primary reason for coming across error messages like “MTA-STS policy is missing: STSFetchResult.NONE”, implying that the sender’s server couldn’t fetch the MTA-STS policy file when it queried the receiver’s DNS, finding it to be missing.
Prerequisites for MTA-STS:
Email servers for which MTA-STS will be enabled should be using a TLS version of 1.2 or more, and should have TLS certificates in place that adhere to current RFC standards and specifications, are not expired, and server certificates that are signed by a trusted root certificate authority.
Steps to Fix “MTA-STS Policy is Missing”
1. Creating and publishing an MTA-STS DNS TXT record
The first step is to create an MTA-STS record for your domain. You can create a record instantly using an MTA-STS record generator, providing you with a custom-tailored DNS record for your domain.
2. Defining an MTA-STS policy mode
MTA-STS offers two policy modes for users to work with.
- Testing mode: This mode is ideal for beginners who have not configured the protocol before. The MTA-STS testing mode allows you to receive SMTP TLS reports on problems in MTA-STS policies, issues in establishing encrypted SMTP connections, or failure in email delivery. This helps you respond to existing security issues pertaining to your domains and servers without enforcing TLS encryption.
- Enforce mode: While you still receive your TLS reports, in course of time it is optimal for users to enforce their MTA-STS policy to make encryption mandatory while receiving emails using SMTP. This prevents messages from being changed or tampered with while in transit.
3. Creating the MTA-STS policy file
The next step is to host MTA-STS policy files for your domains. Note that while the contents of every file can be the same, it is mandatory to host policies separately for separate domains, and a single domain can have only a single MTA-STS policy file. Multiple MTA-STS policy files hosted for a single domain can lead to protocol misconfigurations.
The standard format for an MTA-STS policy file is given below:
File name: mta-sts.txt
Maximum file size: 64 KB
version: STSv1
mode: testing
mx: mail.yourdomain.com
mx: *.yourdomain.com
max_age: 806400
Note: The policy file displayed above is simply an example.
4. Publishing Your MTA-STS policy file
Next, you have to publish your MTA-STS policy file on a public web server that is accessible to external servers. Make sure the server you host your file on supports HTTPS or SSL. The procedure for this is simple. Assuming that your domain is pre-configured with a public web server:
- Add a subdomain to your existing domain that should begin with the text: mta-sts (e.g. mta-sts.domain.com)
- Your policy file will point to this subdomain that you created and has to be stored in a .well-known directory
- The URL for the policy file is added to the DNS entry while publishing your MTA-STS DNS record so that the server can query the DNS to fetch the policy file during email transfer
5. Activate MTA-STS and TLS-RPT
Finally, you need to publish your MTA-STS and TLS-RPT DNS records in your domain’s DNS, using TXT as the resource type, placed on two separate subdomains (_smtp._tls and _mta-sts). This will allow only TLS-encrypted messages to reach your inbox, that are verified and untampered. Furthermore, you will receive daily reports on delivery and encryption issues on an email address or web server configured by you, from external servers.
You can verify the validity of your DNS records by performing an MTA-STS record lookup after your record is published and live.
Note: On every occasion that you make alterations to the contents of your MTA-STS policy files, you must update it both on the public web server you are hosting your file on, as well as the DNS entry that contains your policy URL. The same holds true every time you update or add to your domains or servers.
Standard Email Protocols: SMTP, POP3 & IMAP Free4 m- What is Email Security? Free4 m
- Email Security Practices Free4 m
- Building an Email Security Compliance Model Free5 m
- Corporate Email Security Checklist Free3 m 30 s
- What is the difference between Inbound email security and outbound email security? Free4 m
- What is Information Security? Free4 m
- Zero Trust Security Model Free3 m
- What is SPF Alignment? Free3 m
- How to Set Up Microsoft Office 365 SPF record? Free4 m
- How to Set Up Google Workspace SPF Record? Free2 m
- How to Set Up MailChimp SPF Record? Free3 m
- How to Set Up SendGrid SPF Record? Free2 m
- How to Set Up Salesforce SPF Record? Free3 m
- How to Setup Zoho Mail SPF Record? Free2 m
- What is DMARC Compliance? Free2 m
- The Benefits of DMARC Free2 m
- DMARC Configuring Free3 m
- Achieving DMARC Enforcement Free2 m
- DMARC Vs Antispam Solutions Free2 m
- DMARC Identifier Alignment Free2 m
- DMARC sp Tag Exceptions & Uses Free1 m
- Configuring DMARC without DKIM Free3 m
- Configuring DMARC without SPF Free2 m
- DMARC Aggregate Report Views Free3 m
Video - PowerDMARC Aggregate Reports Free2 m 13 s- DMARC Forensic Report Views Free2 m
- Video - PowerDMARC Forensic Reports Free
- DMARC Forensic PGP Encryption and Decryption Free2 m
- TLS Report Views Free3 m
- Video - PowerDMARC TLS Reports Free
- PDF/CSV Reports Free2 m
- Video - PowerDMARC PDF/CSV Reports Free1 m 1 s