
How to create an MTA-STS Record?

MTA-STS DNS Record

A TXT DNS record for MTA-STS is published in your domain's DNS to signal that the domain supports the MTA-STS protocol and to tell MTAs to refresh their cached values when the policy is altered. The MTA-STS DNS record is placed at the subdomain _mta-sts, as in _mta-sts.powerdmarc.com. The TXT record must begin with v=STSv1, and the “id” value can contain up to 32 alphanumeric characters, as in the following example:


 v=STSv1; id=30271001S00T000;


Note: The TXT record id value must be updated to a new value every time you make changes to the policy.


The MTA-STS DNS Record is used to: 
 

  • Specify support for MTA-STS for the domain
  • Signal the MTA to re-fetch the policy over HTTPS in case the policy is altered


Note that with the MTA-STS TXT DNS record, MTAs can store the policy file for an extended period and re-fetch it only when it has been altered, while still performing a DNS query every time an email is received for the domain.
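The record checks described above, as an added example that is not part of the original course: it parses the TXT values found at `_mta-sts.<domain>`, enforces the `v=STSv1` prefix and the 32-character alphanumeric `id`, and reports when a changed `id` calls for re-fetching the policy. The function names and the sample list are constructed for illustration; treating several or malformed records as "no usable record", and keeping the cached policy in that case, follows RFC 8461.

```python
import re

# The id is 1 to 32 letters or digits, per the rule described above.
_ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")

def parse_sts_record(txt):
    """Return the id from one MTA-STS TXT value, or raise ValueError."""
    fields = [f.strip() for f in txt.split(";")]
    if fields[-1] == "":
        fields.pop()  # one trailing ';' is allowed
    if not fields or fields[0] != "v=STSv1":
        raise ValueError("record must begin with v=STSv1")
    if any("=" not in f for f in fields[1:]):
        raise ValueError("every field must be name=value")
    ids = [f[3:] for f in fields[1:] if f.startswith("id=")]
    # Assumption of this example: exactly one id field is accepted.
    if len(ids) != 1 or not _ID_RE.fullmatch(ids[0]):
        raise ValueError("need one id of 1-32 alphanumeric characters")
    return ids[0]

def select_policy_id(txt_values):
    """Pick the id from every TXT value found at _mta-sts.<domain>.

    Zero, several, or malformed STS records all mean "no usable record".
    """
    sts = [t for t in txt_values if t.split(";")[0].strip() == "v=STSv1"]
    if len(sts) != 1:
        return None
    try:
        return parse_sts_record(sts[0])
    except ValueError:
        return None

def must_refetch(cached_id, txt_values):
    """True when a valid record publishes an id different from the cached one.

    With no usable record the sender keeps its cached policy, so no re-fetch.
    """
    current = select_policy_id(txt_values)
    return current is not None and current != cached_id

# Constructed sample: the page's record plus an unrelated TXT value.
SAMPLE = ["unrelated-verification=abc123", " v=STSv1; id=30271001S00T000;"]

if __name__ == "__main__":
    print(select_policy_id(SAMPLE))
    print(must_refetch("30271001S00T000", SAMPLE))
    print(must_refetch("20240101T000000", SAMPLE))
```

Running the same check against your own published record after every policy edit catches the common mistake of changing the policy file without changing the `id`.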

Configuring MTA-STS for Your Domain 

To enable MTA-STS for your domain, you need to:
 

  • Add a CNAME type DNS record at mta-sts.example.com, directed towards the HTTPS-enabled web server that is hosting the MTA-STS policy file. 
  • Add a TXT or CNAME type DNS record at _mta-sts.example.com which specifies support for MTA-STS for your domain. 
  • Set up an HTTPS-enabled web server with a valid certificate for your domain. 
  • Enable SMTP TLS Reporting for your domain to detect email delivery issues due to TLS encryption failures. 

Challenges Faced While Manually Deploying MTA-STS 

MTA-STS requires an HTTPS-enabled web server with a valid certificate, DNS records, and constant maintenance, which makes the deployment process lengthy, time-consuming, and complicated. This is why hosted services are recommended to help you manage most things in the background by just publishing three CNAME records in your domain’s DNS. 
