
15 minutes | Advanced

MTA-STS Setup Guide

Configure MTA-STS to enforce TLS encryption for incoming email and prevent downgrade attacks.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) lets a domain owner publish a policy stating that its MX hosts support TLS and that sending servers should refuse to deliver mail unless they can establish a TLS connection with a certificate from a trusted CA that matches one of the MX hostnames listed in the policy. Without it, SMTP STARTTLS is opportunistic: an attacker on the path can strip the STARTTLS offer or redirect delivery through spoofed MX records, and the sender silently falls back to plaintext. MTA-STS closes that gap by pinning the expected MX hosts and requiring verified TLS, which blocks man-in-the-middle and downgrade attacks. The policy itself is fetched over HTTPS rather than read from DNS because the DNS records that advertise it are usually not DNSSEC-signed.

How MTA-STS Works

Step 1: DNS Record

Publish a _mta-sts TXT record so senders know a policy exists.

Step 2: Policy File

Host the policy file at the .well-known URL on the mta-sts subdomain, over HTTPS.

Step 3: Sender Checks

The sending server fetches the policy over HTTPS and caches it for max_age seconds.

Step 4: TLS Enforced

Delivery requires a TLS connection to an MX host listed in the policy, with a certificate that chains to a trusted CA and matches that hostname.

Requirements

Before setting up MTA-STS, make sure every host listed in your MX records meets these requirements. In enforce mode a sender that cannot validate one MX host skips it, and mail is refused only if no MX host passes, so a single misconfigured backup MX silently shrinks your inbound capacity.

Valid TLS Certificate

Each MX host must present a certificate issued by a publicly trusted CA. Self-signed certificates and private CAs fail validation at the sender, whatever your own servers trust.

Certificate Chain

The server must send the full chain (leaf plus intermediates). A missing intermediate is a common cause of certificate-not-trusted failures in TLS-RPT reports.

Matching Hostnames

The certificate must be valid for the MX hostname itself (via a Subject Alternative Name), not for the mail domain. A wildcard certificate such as *.example.com covers mx1.example.com. The MX hostname must also appear in the policy file's mx lines, either literally or via a wildcard pattern.

TLS 1.2 or Higher

Mail servers should offer TLS 1.2 or TLS 1.3 via STARTTLS on port 25.

Step 1: Add DNS Record

Add a TXT record at _mta-sts.yourdomain.com to signal that MTA-STS is enabled:

DNS TXT Record
Host: _mta-sts
Type: TXT
Value: v=STSv1; id=20240115120000

About the ID field

The id field tells senders when the policy has changed. It must be 1 to 32 alphanumeric characters (letters and digits only, so no dashes or colons); a timestamp such as YYYYMMDDHHMMSS works well. Senders that hold a cached policy re-check this TXT record and re-fetch the policy file only when the id differs from the one they cached. Publish the new policy file first and change the id afterwards; in the other order a sender can fetch the old policy and cache it under the new id until max_age expires.

Step 2: Host Policy File

Create a policy file and host it at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The web server must present a certificate from a trusted CA that is valid for mta-sts.yourdomain.com, serve the file with Content-Type text/plain, and answer on that URL directly: senders do not follow HTTP redirects and do not send credentials, so a redirect to www or to a login page makes the policy unfetchable (reported as sts-policy-fetch-error in TLS-RPT). Lines may end with LF or CRLF.

Example Policy File
version: STSv1
mode: enforce
mx: mx1.example.com
mx: mx2.example.com
max_age: 604800

Field     Required   Description                                              Example
version   Yes        Policy version (always STSv1)                            STSv1
mode      Yes        Policy mode (testing, enforce, none)                     enforce
mx        Yes (*)    MX hostname or wildcard pattern, one line per entry      mx1.example.com
max_age   Yes        Seconds senders may cache the policy (at most 31557600)  604800

(*) At least one mx line is required unless mode is none.
mode: testing (Testing Mode)

Senders evaluate the policy only to generate TLS-RPT failure reports; mail is still delivered even when TLS validation fails. Use this first. A short max_age (a day or so) is fine here, since you will be changing the policy.

mode: enforce (Enforce Mode)

Senders must establish validated TLS with one of the listed MX hosts. If no MX host passes, the message is not delivered: it is queued and retried, and eventually bounced to the sender. Enable this only after testing mode has produced clean reports, and raise max_age to at least a week so that a brief outage of the HTTPS host does not expire cached policies.

mode: none (None Mode)

Declares that the domain has no active policy, so senders fall back to opportunistic TLS. Use this, together with a new id, to retire MTA-STS cleanly; simply deleting the DNS record leaves cached enforce policies in effect at every sender until their max_age runs out.
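The DNS record, the policy file and the MX matching rules above are easy to get subtly wrong (an id with dashes, a backup MX missing from the mx lines, a wildcard that does not cover a deeper hostname). The following script is an added example written for this guide; it is not DDMARC code and makes no network calls. It validates a TXT record and policy file against the RFC 8461 syntax and reports which hosts from a constructed MX list the policy would leave uncovered. All sample inputs are constructed and the names parse_sts_txt, parse_policy, mx_matches and uncovered_mx are this example's own.

```python
"""Added example (not DDMARC's code): validate an MTA-STS TXT record and
policy file per RFC 8461, then check which MX hosts the policy covers.
All inputs below are constructed sample data."""
import re
from typing import Any, Dict, List

# RFC 8461 section 3.1: the id is 1 to 32 alphanumeric characters.
_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")
# RFC 8461 section 3.2: max_age is a non-negative integer, at most one year.
_MAX_AGE_LIMIT = 31557600
_MODES = {"testing", "enforce", "none"}
# Two or more DNS labels, optionally preceded by a single-label wildcard.
_MX_PATTERN_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$")


def parse_sts_txt(record: str) -> Dict[str, str]:
    """Parse the _mta-sts.<domain> TXT record; raise ValueError if malformed."""
    fields: Dict[str, str] = {}
    for part in (p.strip() for p in record.split(";")):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
    # The ABNF requires v=STSv1 to be the first field.
    if not fields or next(iter(fields)) != "v" or fields["v"] != "STSv1":
        raise ValueError("record must begin with v=STSv1")
    if not _ID_RE.match(fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters (no '-' or ':')")
    return fields


def parse_policy(text: str) -> Dict[str, Any]:
    """Parse the body of /.well-known/mta-sts.txt (LF or CRLF line endings)."""
    policy: Dict[str, Any] = {"mx": []}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            if not _MX_PATTERN_RE.match(value.lower()):
                raise ValueError(f"invalid mx pattern {value!r}")
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"duplicate key {key!r}")
            policy[key] = value
        # Any other key is an extension field and is ignored, as RFC 8461 requires.
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in _MODES:
        raise ValueError("mode must be testing, enforce or none")
    try:
        max_age = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds") from None
    if not 0 <= max_age <= _MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be between 0 and {_MAX_AGE_LIMIT}")
    policy["max_age"] = max_age
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required unless mode is none")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 section 4.1 matching: '*.example.com' covers exactly one extra
    leftmost label, so it matches mx1.example.com but neither example.com
    nor mx1.sub.example.com. Comparison is case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]            # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]    # whatever precedes the suffix
    return bool(label) and "." not in label


def uncovered_mx(policy: Dict[str, Any], mx_hosts: List[str]) -> List[str]:
    """MX hosts from DNS that no mx pattern in the policy covers. Under
    mode: enforce a sender skips these hosts entirely, so a non-empty
    result means part of the inbound mail path is unreachable."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]


# Constructed sample inputs: the records from this guide plus one backup MX
# that the policy forgot to list.
SAMPLE_TXT_RECORD = "v=STSv1; id=20240115120000"
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mx1.example.com\n"
    "mx: mx2.example.com\n"
    "max_age: 604800\n"
)
SAMPLE_DNS_MX_HOSTS = ["mx1.example.com", "MX2.example.com.", "backup.example.net"]

if __name__ == "__main__":
    print(parse_sts_txt(SAMPLE_TXT_RECORD))
    policy = parse_policy(SAMPLE_POLICY)
    print(policy)
    print("uncovered MX hosts:", uncovered_mx(policy, SAMPLE_DNS_MX_HOSTS))
```

Run against your real zone, SAMPLE_DNS_MX_HOSTS would come from your MX lookup and SAMPLE_POLICY from the HTTPS fetch; the point of the check is that backup.example.net is a perfectly valid MX that enforce mode would cut off because the policy never mentions it.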

Free MTA-STS Hosting

DDMARC provides free MTA-STS policy hosting for all users. We handle the HTTPS hosting and certificate management for you. Simply add a CNAME record and we will host your policy.

Add this CNAME record:
Host: mta-sts
Type: CNAME
Value: mta-sts.ddmarc.com

Step 3: Enable TLS-RPT (Recommended)

TLS-RPT (SMTP TLS Reporting, RFC 8460) lets sending servers tell you about TLS connection failures to your MX hosts, and about problems fetching or parsing your MTA-STS policy. Reports are JSON documents, sent roughly once a day by each participating sending organization. Add a TXT record at _smtp._tls.yourdomain.com:

TLS-RPT DNS Record
Host: _smtp._tls
Type: TXT
Value: v=TLSRPTv1; rua=mailto:tlsrpt@rua.ddmarc.com

DDMARC automatically processes TLS-RPT reports and displays them in your dashboard, helping you identify TLS connection issues before moving to enforce mode.
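To show what a practitioner is looking for in those reports before flipping to enforce, here is an added example (not DDMARC's processing code) that parses an RFC 8460 aggregate report and separates failures caused by your MX hosts' TLS setup from failures caused by the policy, DNS record or HTTPS host. The report embedded below is constructed sample data, and the function names load_report, summarize and blocking_issues are this example's own.

```python
"""Added example (not DDMARC's code): summarize a TLS-RPT aggregate report
(RFC 8460 JSON) and list what still blocks a move to mode: enforce.
The report below is constructed sample data, not a real sender's report."""
import gzip
import json
from collections import Counter
from typing import Any, Dict, List, Union

# Failure types that point at the receiving MX hosts' own TLS setup.
_MX_SIDE = {
    "starttls-not-supported", "certificate-host-mismatch",
    "certificate-expired", "certificate-not-trusted", "validation-failure",
}
# Failure types that point at the policy, its DNS record or the HTTPS host.
_POLICY_SIDE = {"sts-policy-fetch-error", "sts-policy-invalid", "sts-webpki-invalid"}


def load_report(data: Union[str, bytes]) -> Dict[str, Any]:
    """Reports arrive as application/tlsrpt+gzip attachments; accept either
    the raw gzip bytes or the decoded JSON text."""
    if isinstance(data, bytes):
        if data[:2] == b"\x1f\x8b":
            data = gzip.decompress(data)
        data = data.decode("utf-8")
    return json.loads(data)


def summarize(report: Dict[str, Any]) -> Dict[str, Any]:
    """Aggregate the sts policy entries of one report: session totals,
    failures per receiving MX, and policy-side failures."""
    summary: Dict[str, Any] = {
        "reporter": report.get("organization-name", "unknown"),
        "success": 0,
        "failure": 0,
        "by_mx": {},            # receiving MX -> Counter(result-type -> sessions)
        "policy_side": Counter(),
    }
    for entry in report.get("policies", []):
        if entry.get("policy", {}).get("policy-type") != "sts":
            continue  # DANE and no-policy-found entries are out of scope here
        totals = entry.get("summary", {})
        summary["success"] += int(totals.get("total-successful-session-count", 0))
        summary["failure"] += int(totals.get("total-failure-session-count", 0))
        for detail in entry.get("failure-details", []):
            result = detail.get("result-type", "unknown")
            count = int(detail.get("failed-session-count", 0))
            if result in _POLICY_SIDE:
                summary["policy_side"][result] += count
            else:
                mx = detail.get("receiving-mx-hostname") or detail.get("receiving-ip") or "unknown"
                summary["by_mx"].setdefault(mx, Counter())[result] += count
    return summary


def blocking_issues(summary: Dict[str, Any]) -> List[str]:
    """Things to fix before switching to enforce; an empty list means the
    report shows validated TLS succeeding and no failures of either kind."""
    issues: List[str] = []
    if summary["success"] + summary["failure"] == 0:
        return ["no sessions reported yet; keep monitoring"]
    for result, count in sorted(summary["policy_side"].items()):
        issues.append(f"policy-side failure {result}: {count} sessions")
    for mx, counter in sorted(summary["by_mx"].items()):
        for result, count in sorted(counter.items()):
            kind = "MX-side" if result in _MX_SIDE else "other"
            issues.append(f"{kind} failure on {mx}: {result} ({count} sessions)")
    return issues


# Constructed sample report for example.com while still in testing mode.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2024-01-15T00:00:00Z",
                   "end-datetime": "2024-01-15T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "2024-01-15T00:00:00Z_example.com",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-string": ["version: STSv1", "mode: testing",
                              "mx: mx1.example.com", "mx: mx2.example.com",
                              "max_age: 604800"],
            "policy-domain": "example.com",
            "mx-host": ["mx1.example.com", "mx2.example.com"],
        },
        "summary": {"total-successful-session-count": 5000,
                    "total-failure-session-count": 15},
        "failure-details": [
            {"result-type": "certificate-host-mismatch",
             "sending-mta-ip": "198.51.100.7",
             "receiving-mx-hostname": "mx2.example.com",
             "receiving-ip": "203.0.113.25",
             "failed-session-count": 12},
            {"result-type": "starttls-not-supported",
             "sending-mta-ip": "198.51.100.8",
             "receiving-mx-hostname": "mx1.example.com",
             "receiving-ip": "203.0.113.10",
             "failed-session-count": 3},
        ],
    }],
})

if __name__ == "__main__":
    s = summarize(load_report(SAMPLE_REPORT))
    print(f"{s['reporter']}: {s['success']} ok, {s['failure']} failed")
    for issue in blocking_issues(s):
        print(" -", issue)
```

In the sample, mx2.example.com presents a certificate for the wrong name and mx1.example.com occasionally does not offer STARTTLS at all; both are delivered today because the policy is in testing mode, and both would become refused mail under enforce. The split between MX-side and policy-side failures matters because the fixes live in different places: the first is a server or certificate change, the second is the TXT record, the policy file or the mta-sts HTTPS host.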

Recommended Deployment

Follow this deployment path to avoid email delivery issues:

  1. Enable TLS-RPT first and monitor for a week
  2. Deploy MTA-STS with mode: testing
  3. Review TLS-RPT reports for any connection failures
  4. Fix any certificate or TLS configuration issues, changing the id whenever the policy file changes
  5. Switch to mode: enforce when reports are clean, and raise max_age at the same time

Next Steps