
How to create an MTA-STS Record?


A TXT DNS record for MTA-STS is published in your domain's DNS to specify that the domain supports the MTA-STS protocol and to signal MTAs to refresh their cached policy whenever the policy is altered. The MTA-STS DNS record is placed at the _mta-sts subdomain of your domain. The TXT record must commence with v=STSv1, and the "id" value can contain up to 32 alphanumeric characters, in the following form:

 v=STSv1; id=30271001S00T000;

Note: The TXT record id value must be updated to a new value every time you make changes to the policy.

The MTA-STS DNS Record is used to: 

  • Specify support for MTA-STS for the domain
  • Signal the MTA to re-fetch the policy over HTTPS in case the policy is altered

Note that with the MTA-STS TXT DNS record, MTAs can cache the policy file for an extended period without re-fetching it unless it has been altered, while still performing only a lightweight DNS query for each email delivered to the domain.
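The record format and the refresh rule described above, as an added example that is not part of the original course material: a small validator for the _mta-sts TXT record, plus the cache check a sending MTA would make. Sample records are constructed; the policy URL helper follows RFC 8461 (the mta-sts host and /.well-known/mta-sts.txt path are not stated on this page).

```python
import re
from typing import Dict, Optional

# The id is limited to 32 alphanumeric characters, as the record format above states.
_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


def parse_mta_sts_record(txt: str) -> Dict[str, str]:
    """Split a _mta-sts TXT record into key/value fields and validate it.
    Raises ValueError when the record does not follow the format above."""
    if not txt.strip().startswith("v=STSv1"):
        raise ValueError("record must commence with v=STSv1")
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' leaves an empty field
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    policy_id = fields.get("id", "")
    if not _ID_RE.match(policy_id):
        raise ValueError(f"id must be 1-32 alphanumeric characters, got {policy_id!r}")
    return fields


def policy_needs_refetch(txt: str, cached_id: Optional[str]) -> bool:
    """A sending MTA remembers the id of the policy it cached. A changed id
    in the DNS record means the policy was altered and must be re-fetched
    over HTTPS; having no cached policy at all also requires a fetch."""
    current_id = parse_mta_sts_record(txt)["id"]
    return cached_id is None or cached_id != current_id


def policy_url(domain: str) -> str:
    """Location of the policy file per RFC 8461 (assumption: not stated on this page)."""
    return f"https://mta-sts.{domain}/.well-known/mta-sts.txt"


if __name__ == "__main__":
    # Constructed sample: the record from the page, cached under the same id.
    record = "v=STSv1; id=30271001S00T000;"
    print(parse_mta_sts_record(record))
    print("refetch:", policy_needs_refetch(record, "30271001S00T000"))
    print("refetch after policy change:",
          policy_needs_refetch("v=STSv1; id=30271001S00T001;", "30271001S00T000"))
```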

Configuring MTA-STS for Your Domain 

In order to enable MTA-STS for your domain you would be required to: 

  • Add a CNAME type DNS record for the policy host, directed towards the HTTPS-enabled web server that is hosting the MTA-STS policy file. 
  • Add a TXT or CNAME type DNS record at the _mta-sts subdomain which specifies support for MTA-STS for your domain. 
  • Set up an HTTPS-enabled web server with a valid certificate for your domain. 
  • Enable SMTP TLS Reporting for your domain to detect email delivery issues due to TLS encryption failures. 

Challenges Faced While Manually Deploying MTA-STS 

MTA-STS requires an HTTPS-enabled web server with a valid certificate, DNS records, and constant maintenance, which makes the deployment process lengthy, time-consuming, and complicated. This is why hosted services are recommended to help you manage most things in the background by just publishing three CNAME records in your domain’s DNS. 
