MTA-STS — SMTP MTA Strict Transport Security

RFC: 8461 (Sept 2018) Layer: Transport security Companion: TLS-RPT (RFC 8460) Adoption: <1% Top 1M domains (2026) Last updated: May 2026 Reading time: 14 min
Definition

SMTP MTA Strict Transport Security — a policy mechanism by which a recipient domain declares that mail sent to its servers must use authenticated TLS. Sending MTAs that support MTA-STS fetch the policy and enforce TLS encryption with valid certificate verification when delivering mail. The mechanism uses two coordinated components: a DNS TXT record at _mta-sts.example.com signaling policy presence, and a policy file served over HTTPS at mta-sts.example.com/.well-known/mta-sts.txt that declares authorized MX hosts, mode, and cache duration. MTA-STS protects against the downgrade attacks and DNS-based MX redirection that opportunistic STARTTLS cannot.

The problem MTA-STS solves

SMTP was originally specified in 1982 with no encryption. TLS was added later via the STARTTLS extension (RFC 3207, 2002), but with a fundamental limitation: STARTTLS is opportunistic. The sending and receiving servers negotiate whether to use TLS during the SMTP handshake, and if either side claims TLS is unavailable, the message flows in plaintext. Two attack vectors exploit this:

  • STARTTLS stripping (downgrade attack). An attacker positioned in the network path between sender and receiver intercepts the receiver's response to the sender's EHLO and removes the 250-STARTTLS line. The sender now believes the receiver doesn't support TLS and sends in plaintext. The attacker captures or modifies the message in transit. Both endpoints have no signal that TLS was even possible.
  • MX redirection via DNS spoofing. An attacker manipulates the DNS response for the sender's MX lookup, replacing the legitimate MX target with an attacker-controlled mail server. The attacker presents a valid TLS certificate for their own domain, the sending server happily encrypts, the attacker copies/modifies the message, and forwards it to the real MX. STARTTLS doesn't catch this because the attacker's TLS connection is itself valid.

MTA-STS addresses both. By publishing an out-of-band policy fetched over HTTPS, the recipient domain tells the world: "Mail to me must use TLS, with a valid certificate matching one of these MX hostnames." A sending MTA that supports MTA-STS will refuse to deliver in plaintext when the policy mode is enforce — even if STARTTLS appears stripped, even if the MX response was spoofed, the cached policy provides the authoritative list of expected MX targets and the requirement to verify TLS certificates against them.

How MTA-STS works — the dual DNS+HTTPS architecture

MTA-STS is unusual among email authentication standards because it requires two coordinated components: a DNS TXT record signaling policy presence, and an HTTPS-served policy file that contains the actual rules. Both must be operational; either one missing or broken means the policy is effectively absent from the perspective of sending MTAs.

Step 1 — Sending MTA discovery
DNS lookup _mta-sts.example.com TXT If id changed since last fetch Re-fetch HTTPS policy
Step 2 — Policy fetch
HTTPS GET mta-sts.example.com/.well-known/mta-sts.txt Verify TLS certificate Cache for max_age
Step 3 — Delivery enforcement
MX lookup → connect Verify TLS cert matches policy mx: If pass: deliver If fail + enforce: REJECT

The two components serve different roles. The DNS TXT record is small, fast to fetch, and contains a version id that changes whenever the policy changes. The HTTPS policy file is the authoritative document containing the actual list of MX hosts, mode, and cache duration. Sending MTAs that have already fetched a policy don't re-fetch the HTTPS file on every message — they only re-fetch when the DNS TXT record's id value differs from what they last saw, or when their cache has expired (after max_age seconds).

The DNS TXT record

# DNS TXT record at _mta-sts.example.com _mta-sts.example.com. IN TXT "v=STSv1; id=20260506T120000" # Manual lookup from command line $ dig +short TXT _mta-sts.example.com "v=STSv1; id=20260506T120000" # The id value is a free-form string up to 32 chars. # It changes whenever the HTTPS policy changes (timestamp is a common pattern). # Sending MTAs use the id to detect policy changes and re-fetch the HTTPS file.

The HTTPS policy file

# Served at https://mta-sts.example.com/.well-known/mta-sts.txt # Required HTTP response: 200 OK (no redirects) # Required Content-Type: text/plain # Required: valid TLS certificate matching mta-sts.example.com version: STSv1 mode: enforce mx: mx1.example.com mx: mx2.example.com mx: *.mail.protection.outlook.com # wildcards: leftmost label only max_age: 604800 # 7 days, recommended ≥86400 (1 day) # Verify with curl: $ curl https://mta-sts.example.com/.well-known/mta-sts.txt # The policy host (mta-sts.example.com) must: # 1. Have an A or AAAA record (most common deployment failure: missing this) # 2. Serve HTTPS with a valid certificate # 3. Return HTTP 200 (no 3xx redirects allowed by RFC 8461) # 4. Serve the policy at /.well-known/mta-sts.txt

The three modes — none, testing, enforce

MTA-STS defines three policy modes, each with different operational semantics. The standard rollout sequence is testing → enforce, with none reserved as the explicit way to retire a previously-published policy. Skipping testing mode is the most common cause of post-deployment delivery loss.

none mode: none

Explicitly declares no MTA-STS policy. Used to remove a previously-published policy without abruptly leaving cached policies in place. Sending MTAs that re-fetch see mode: none and treat the domain as having no policy — they don't enforce TLS based on cached older policies.

Delivery behavior: Identical to a domain without MTA-STS at all. STARTTLS opportunistic, no enforcement.

testing mode: testing

The required first step in any MTA-STS deployment. Sending MTAs perform full TLS verification (certificate, hostname, MX policy match) but deliver the message regardless of result. Failures are reported via TLS-RPT for monitoring. Allows a 2-4 week observation period to identify legitimate senders that would fail enforce mode.

Delivery behavior: Always delivers. TLS failures are reported via TLS-RPT but don't block delivery.

enforce mode: enforce

The production enforcement mode. Sending MTAs reject delivery (treat as transient failure, retry later) when TLS verification fails: no STARTTLS offered, certificate invalid, hostname mismatch, MX not in policy. Failures still appear in TLS-RPT. Skipping testing mode causes legitimate mail loss.

Delivery behavior: Mail rejected if TLS fails. Sending MTAs retry per RFC 8461 §5 — eventually bounces if policy not satisfied.
The "skip testing mode" failure pattern. A team enables MTA-STS in enforce mode on day one, expecting it to work like enabling SPF or DKIM. Within hours, they're seeing delivery delays from senders that have certificate or MX configuration mismatches the team didn't know about — and only TLS-RPT reports show what's happening, but TLS-RPT also wasn't deployed. Production rollout always starts with mode: testing + TLS-RPT, runs for at least 2-4 weeks, and only advances to enforce after the failure rate hits zero or near-zero.

Adoption in 2026 — the data

Despite being defined in 2018 and supported by Gmail, Microsoft, and Yahoo for outbound mail, MTA-STS adoption remains in single digits across the broader internet. The growth curve is upward but slow. Public-sector mandates (UK NCSC, US CISA) have pushed government domains well above the average, while regulated industries like banking lag despite the obvious need.

<1%
Top 1M domains publishing MTA-STS
(URIports, January 2026)
2×
Adoption growth in 2 years
(2024 → 2026)
~80%
Of published policies are syntactically valid
(4 of 5)
39.9%
UK government domains
(NCSC mandate-driven)
4.8%
UK banking sector
(95.2% gap despite SWIFT exposure)
34%
Of broken deployments are missing
A/AAAA at policy host

The interpretation: organizations that adopt MTA-STS mostly get it right (high deployment-correctness rate), but most organizations don't adopt it at all. The barrier isn't technical complexity — it's that the protection MTA-STS offers is invisible to most operators until they investigate transport-layer attacks specifically. SPF/DKIM/DMARC have visible payoff (DMARC reports, deliverability impact). MTA-STS protects against attacks most teams have never seen evidence of, even though those attacks are happening.

MTA-STS vs DANE — when to use which

DANE (DNS-based Authentication of Named Entities, RFC 7672) is the alternative transport-security mechanism, predating MTA-STS but adopted less widely because of its DNSSEC dependency. The two are not mutually exclusive — domains with DNSSEC can publish both. The choice is determined primarily by whether you have DNSSEC.

DimensionMTA-STS (RFC 8461)DANE/TLSA (RFC 7672)
Trust mechanism HTTPS policy fetch + Web PKI certificate validation TLSA records signed by DNSSEC; binds cert directly to DNS
DNSSEC required? No Yes (mandatory)
Trust-on-first-use weakness Yes — first fetch can be spoofed No — DNSSEC authenticates from start
Self-signed certs allowed No — must validate against PKIX trust chain Yes — TLSA can bind any cert
Built-in testing mode Yes — mode: testing No — DANE is binary on/off
Caching architecture Sender caches HTTPS policy for max_age No caching — every delivery checks DNSSEC TLSA
Policy update visibility DNS TXT id changes signal re-fetch needed TLSA records are authoritative; resolvers respect TTL
Adoption among major receivers Gmail, Microsoft, Yahoo all support outbound Mainly EU ecosystem; Postfix-heavy environments
Practical deployment barrier Need HTTPS policy host + valid cert Need DNSSEC-signed zone (high barrier)
The pragmatic recommendation. If you don't have DNSSEC: deploy MTA-STS only. The protocol is supported by all major consumer providers and gives you 90% of DANE's protection without the DNSSEC overhead. If you have DNSSEC: deploy both. DANE eliminates the trust-on-first-use weakness for the (mostly Postfix-based, EU-centric) MTAs that support it; MTA-STS covers the mass of consumer mail providers that don't implement DANE. The two protocols are designed to coexist — implement DANE TLSA records for your MX hosts and publish an MTA-STS policy at the same time.

Safe deployment — the testing → enforce migration

The standard rollout sequence is non-negotiable: any domain that goes straight to enforce mode is risking delivery loss. The sequence below is the production-grade pattern based on RFC 8461 guidance and operational experience from large mail operators.

1
T-7 days — preparation

Inventory MX hosts and verify TLS certs

Document every MX host listed in your DNS. Verify each has a valid TLS certificate (TLS 1.2+, valid hostname match, valid chain). Use openssl s_client -connect mx1.example.com:25 -starttls smtp to inspect certs hop by hop. Identify any MX hosts with self-signed certificates, expired certs, or hostname mismatches — these will fail under enforce.

2
T-3 days — HTTPS infrastructure

Set up the policy host

Create A/AAAA record at mta-sts.example.com pointing to a webserver (or use a hosted MTA-STS provider — covered below). Provision a TLS certificate for that hostname. Place the policy file at /.well-known/mta-sts.txt. Verify with curl -I https://mta-sts.example.com/.well-known/mta-sts.txt — must return 200 OK, no redirects.

3
T+0 — testing mode goes live

Publish policy with mode: testing + TLS-RPT

Policy file declares mode: testing. Simultaneously publish TLS-RPT TXT record at _smtp._tls.example.com pointing to your reporting endpoint. Publish DNS TXT at _mta-sts.example.com with v=STSv1; id=<timestamp>. From this moment, sending MTAs that support MTA-STS begin observing your policy and reporting via TLS-RPT.

4
T+1 to T+28 days — observation

Monitor TLS-RPT for 2-4 weeks

Daily TLS-RPT reports arrive in JSON. Aggregate by failure type: certificate-expired, tls-required-but-not-supported, policy-mismatch, certificate-name-mismatch. The expected end state is zero or near-zero failures from legitimate senders. Investigate any persistent failure — usually traces to a specific MX host with bad cert configuration, or a wildcard pattern in the policy that doesn't match actual MX hostnames.

5
T+28 days — fix issues

Resolve every TLS-RPT failure category

Common fixes at this stage: replace expired/mismatched certificates, update policy mx: lines to include all real MX hostnames, switch from CNAME to direct A/AAAA on MX records (Microsoft compatibility), increase max_age from initial conservative value to 604800 (7 days). Each fix triggers an id bump on the TXT record and a re-fetch by senders.

6
T+30 to T+45 days — switch to enforce

Update policy to mode: enforce

Update the HTTPS policy file first (change mode: testing to mode: enforce). Wait for HTTPS cache to clear (5 minutes typical). Then update the DNS TXT id value to signal re-fetch. Senders pick up the new policy within their existing cache TTL or sooner if the id change triggers immediate re-fetch.

7
T+45+ — ongoing operations

Continuous monitoring and quarterly audit

TLS-RPT continues to report. Set up alerting on any non-zero failure rate. Audit quarterly that the policy mx: lines still match actual MX hostnames after any infrastructure changes. Renew certificates ahead of expiration with at least 30 days buffer — expired cert on a single MX host fails MTA-STS for all mail to that host.

Hosted MTA-STS vs self-hosted policy

The HTTPS policy host is the operationally annoying piece of MTA-STS deployment. It needs a webserver, a TLS certificate, monitoring, and ongoing maintenance — all to serve a small static text file that rarely changes. Two deployment patterns exist:

PatternSetupOperational burdenTrade-off
Self-hosted Your own webserver at mta-sts.example.com with valid TLS cert and policy file Webserver maintenance, cert renewal, uptime monitoring Full control. Required if compliance forbids third-party hosting of policy data.
Cloudflare Workers / Lambda Serverless function returning the policy file. Worker route or Lambda + API Gateway. Function deployment + cert via the platform Effectively free at MTA-STS volumes (typically <100K requests/day). Common pattern.
Hosted MTA-STS providers Third-party (URIports, MxToolbox, CaptainDNS, PowerDMARC) hosts the policy file. You add CNAME at mta-sts.example.com pointing to their service. Zero — provider handles cert, uptime, distribution Free tiers exist for most providers. Single point of failure outside your control.
CDN with origin Cloudflare, Fastly, or other CDN fronting your policy file CDN config, but no origin webserver needed if file is in object storage Mid-complexity; useful if you already use the CDN for other services.
The Cloudflare Workers pattern. The most common deployment pattern in 2026 for organizations without a hosted provider: a 20-line Cloudflare Worker serving a static policy file. Free tier handles 100,000 requests/day — far more than any organization's MTA-STS query volume (typical: a few hundred to a few thousand requests per day, since policies are cached for 7 days). Sample Worker: addEventListener('fetch', e => e.respondWith(new Response('version: STSv1\nmode: enforce\nmx: mx1.example.com\nmax_age: 604800\n', {headers: {'content-type': 'text/plain'}}))). Configure a worker route for mta-sts.example.com/.well-known/mta-sts.txt and Cloudflare's automatic TLS handles the cert.

Common deployment failures

The 2026 URIports survey of the Top 1M domains found that ~20% of published MTA-STS deployments have at least one operational issue. The seven most common failure modes, ordered by frequency in the survey:

Missing A/AAAA at policy host

34% of broken deployments
curl: Could not resolve host: mta-sts.example.com

Team published the DNS TXT record at _mta-sts and the policy file, but forgot to add A/AAAA records for the mta-sts.example.com hostname. Sending MTAs can't reach the policy host. Fix: add A or AAAA records pointing to your webserver/Worker/CDN endpoint.

Invalid or expired TLS certificate

~15% of broken deployments
tls: certificate has expired or is not yet valid

Policy host serves HTTPS but with an expired, self-signed, or wrong-hostname cert. RFC 8461 requires PKIX-validated cert matching mta-sts.example.com. Fix: use Let's Encrypt or hosted provider; auto-renew with at least 30-day buffer.

HTTP 3xx redirects from policy URL

~10% of broken deployments
RFC 8461 §3.3: HTTP 3xx redirects MUST NOT be followed

Policy URL returns 301 or 302 redirect (e.g., HTTP-to-HTTPS redirect, or canonical hostname redirect). MTA-STS forbids following redirects. Fix: serve the policy directly at the canonical URL with 200 OK, no redirects.

Policy/MX mismatch

~8% of broken deployments
policy-mismatch (mx not in policy)

Real MX records list hostnames not in the policy mx: lines. Common after MX changes that didn't trigger policy update. Fix: audit policy after every MX change. Use wildcards (*.mail.example.com) carefully — they match only the leftmost label.

Microsoft CNAME-on-MX failure

~5% of broken deployments
Microsoft Exchange Online: MTA-STS verification failed

Microsoft Exchange Online doesn't resolve CNAMEs on MX records when MTA-STS is active — non-RFC-compliant but documented behavior. If your domain uses CNAME to alias MX, Microsoft delivery fails. Fix: list the resolved CNAME target in the policy mx: lines, or remove the CNAME and use direct A/AAAA on the MX hostname.

Wrong Content-Type header

~4% of broken deployments
Some senders refuse to parse non-text/plain

Policy file served with application/octet-stream or HTML content-type. RFC 8461 specifies text/plain (charset utf-8 recommended). Fix: webserver MIME type config; for serverless functions, set the response header explicitly.

Stale policy after id update

~3% of broken deployments
Senders still using outdated policy after change

HTTPS policy was updated but DNS TXT id wasn't bumped. Sending MTAs check the TXT record's id; if unchanged, they keep using cached HTTPS policy until max_age expires. Fix: always update id after HTTPS policy change. Use timestamp-based id values for easy correlation.

Mismatched version directive

~2% of broken deployments
Policy parse error

Policy file uses version: 1 instead of version: STSv1, or DNS TXT uses v=1 instead of v=STSv1. RFC 8461 requires the explicit "STSv1" string. Fix: validate with a syntax checker before deploying. Both DNS TXT and HTTPS policy must use STSv1.

MTA-STS in Cloud Server for Email's managed infrastructure

For clients on managed PowerMTA + MailWizz infrastructure, MTA-STS is configured during the day 1-3 onboarding sequence as part of the broader transport-security setup (alongside TLS-RPT and DANE for DNSSEC-enabled clients). The patterns we use across most accounts:

  • Hosted policy via the dedicated subdomain pattern. Each client sending domain gets mta-sts.<client-subdomain> served from our managed HTTPS infrastructure. This avoids requiring the client to set up their own webserver for what is essentially a static file. The client publishes a CNAME at mta-sts.example.com pointing to our endpoint, and we handle TLS, uptime, and policy updates.
  • Default rollout: testing → enforce in 30 days. All new client domains start in testing mode at day 14 (after the rest of the authentication stack is verified working), with TLS-RPT collection going to our reporting endpoint. We aggregate failures, identify any MX hosts with cert issues, fix them coordinated with the client, and advance to enforce at day 30-45.
  • max_age: 604800 (7 days) as the default, balancing cache effectiveness against rapid policy update propagation. Some compliance-sensitive clients prefer 86400 (1 day) for faster policy changes; we configure per-client based on requirements.
  • Microsoft CNAME-on-MX awareness. Our managed infrastructure uses direct A/AAAA records on MX hostnames (no CNAMEs), so Microsoft Exchange Online's stricter interpretation isn't an issue for our outbound delivery. For clients running mixed inbound infrastructure (e.g., corporate mail at Microsoft 365, marketing at our infrastructure), we coordinate the policy mx: lines to cover both reachability paths.
  • Coordinated DANE deployment for DNSSEC clients. Clients with DNSSEC-signed zones get DANE TLSA records published alongside MTA-STS, providing the strongest possible transport-security posture. Both protocols coexist correctly when configured by the same team.
  • TLS-RPT monitoring with weekly review. Failures aggregated across all client domains are reviewed weekly. Most reports show zero or single-digit failures per domain per week. Any sustained failure pattern triggers investigation — usually traces to a specific receiver's intermediate gateway with deprecated TLS configuration.

Auditing your MTA-STS — practical workflow

# 1. Verify the DNS TXT record exists and is well-formed $ dig +short TXT _mta-sts.example.com "v=STSv1; id=20260506T120000" # 2. Verify the policy host resolves and serves HTTPS correctly $ dig +short A mta-sts.example.com 203.0.113.42 $ curl -I https://mta-sts.example.com/.well-known/mta-sts.txt HTTP/2 200 content-type: text/plain # Must be 200, must have content-type text/plain, must not redirect # 3. Inspect the actual policy content $ curl https://mta-sts.example.com/.well-known/mta-sts.txt version: STSv1 mode: enforce mx: mx1.example.com mx: mx2.example.com max_age: 604800 # 4. Verify the policy mx: lines match your real MX records $ dig +short MX example.com 10 mx1.example.com. 20 mx2.example.com. # Each MX hostname (or wildcard match) must be in the policy # 5. Use online validators for full RFC 8461 compliance # - URIports MTA-STS Lookup # - MxToolbox MTA-STS validator # - CaptainDNS MTA-STS syntax checker # - mxtoolbox.com/SuperTool.aspx?action=mta-sts # 6. Verify TLS-RPT is also in place $ dig +short TXT _smtp._tls.example.com "v=TLSRPTv1; rua=mailto:tls-reports@example.com"
  • TLS-RPT — SMTP TLS Reporting (RFC 8460); the companion reporting protocol that tells you which sending MTAs successfully or unsuccessfully delivered under your MTA-STS policy. Mandatory for safe MTA-STS rollout.
  • DANE/TLSA — DNS-based Authentication of Named Entities (RFC 7672); the alternative transport-security mechanism using DNSSEC. Stronger guarantees, higher deployment barrier. (Coming soon)
  • STARTTLS — the SMTP TLS upgrade extension (RFC 3207); the opportunistic encryption layer MTA-STS hardens. (Coming soon)
  • DNSSEC — DNS Security Extensions; required for DANE, optional but beneficial alongside MTA-STS. (Coming soon)
  • SPF, DKIM, DMARC — the message-authentication layer; complementary to MTA-STS's transport-authentication layer. Both are needed for full email security posture.

Frequently asked questions

What does MTA-STS solve that STARTTLS doesn't?

STARTTLS is opportunistic encryption — sending and receiving servers negotiate TLS during the SMTP handshake, but if the negotiation fails or is stripped by an attacker, mail still flows in plaintext. An attacker positioned in the network path can delete the "250 STARTTLS" response from the receiver's EHLO answer; the sender then assumes TLS isn't supported and sends in cleartext. This downgrade attack is invisible to both endpoints. MTA-STS publishes an out-of-band policy fetched over HTTPS that says "TLS is required to deliver to my domain" — a sending MTA that complies will refuse to deliver in plaintext when the policy mode is enforce, even if STARTTLS is stripped. The policy is cached based on max_age, so the attack window is bounded only by DNS-spoofing the very first fetch.

What are the three MTA-STS modes?

none — the domain explicitly disclaims any MTA-STS policy, used to remove a previously-published policy. testing — sending MTAs attempt TLS verification but deliver the message regardless of result; failures are reported via TLS-RPT. enforce — sending MTAs reject delivery if the receiver fails TLS verification (no valid certificate, hostname mismatch, MX not in policy, or TLS not offered). The standard rollout is to publish in testing mode for 2-4 weeks while monitoring TLS-RPT for unexpected failures, then switch to enforce only when the failure rate is near zero. Skipping the testing phase is the most common cause of email delivery loss after MTA-STS deployment.

How does MTA-STS deployment actually work?

Two coordinated components must exist before sending MTAs will respect the policy. (1) A DNS TXT record at _mta-sts.example.com containing v=STSv1; id=<changing-string> — the id changes whenever the policy changes, signaling MTAs to re-fetch. (2) An HTTPS-served policy file at mta-sts.example.com/.well-known/mta-sts.txt — must respond with HTTP 200 OK (no redirects), valid TLS certificate matching the mta-sts subdomain, declaring version: STSv1, mode: testing|enforce|none, mx: lines listing authorized MX hosts (wildcards allowed for left-most label only), and max_age: seconds (recommended ≥86400). The DNS record needs an A or AAAA record at mta-sts.example.com pointing to the HTTPS server.

Should I use MTA-STS or DANE?

MTA-STS if you don't have DNSSEC; both if you do. DANE (RFC 7672) provides stronger cryptographic guarantees by binding TLS certificates directly to DNS records signed with DNSSEC, eliminating the trust-on-first-use weakness of MTA-STS. But DNSSEC adoption sits below 30% of domains because of operational complexity, key management, and registrar support gaps. MTA-STS works without DNSSEC, has wider adoption among consumer providers (Gmail, Microsoft, Yahoo all support it), and includes a built-in testing mode that DANE lacks. The two are not mutually exclusive — domains with DNSSEC can publish both DANE TLSA records and MTA-STS policy. For most production deployments without DNSSEC, MTA-STS is the practical choice.

What is the trust-on-first-use weakness in MTA-STS?

The first time a sending MTA fetches your MTA-STS policy, it has no prior cache to compare against — if an attacker has DNS-spoofed the response and serves a fake policy with mode: none or no policy at all, the sending MTA accepts that as authoritative. The TOFU window is bounded by max_age (recommended ≥86400 seconds = 1 day). After the first successful fetch, the cached policy protects against DNS-spoofing for max_age seconds. DANE doesn't have this weakness because it relies on DNSSEC for authenticated DNS responses from the start. The practical impact: MTA-STS protects against ongoing downgrade attacks but not against an adversary who controls the network at the exact moment of first policy fetch. For most threat models, the TOFU window is acceptable.

What is TLS-RPT and why is it required for MTA-STS?

TLS-RPT (RFC 8460) is the reporting mechanism that tells you which sending MTAs successfully or unsuccessfully delivered to your domain under MTA-STS or DANE policies. Daily JSON reports list policy types, MX hosts contacted, total session counts, total failure counts, and per-failure-type breakdowns (TLS negotiation failure, certificate validation failure, policy mismatch, etc.). Without TLS-RPT, you have zero visibility into whether legitimate sending MTAs are failing your policy. The standard pattern: deploy MTA-STS in testing mode + TLS-RPT on day 1, monitor reports for 2-4 weeks, fix any unexpected failures, then advance to enforce mode. Publish a TXT record at _smtp._tls.example.com with v=TLSRPTv1; rua=mailto:tls-reports@example.com to receive reports.

Why does my Microsoft 365 MTA-STS deployment fail when receivers use CNAME on MX?

Microsoft Exchange Online enforces a stricter interpretation of RFC 8461 than most MTAs: when MTA-STS is active, Microsoft does NOT resolve CNAMEs on MX records. If your receiving domain uses a CNAME to alias its MX to another hostname (common pattern for hosted mail providers and email gateways), Microsoft's outbound delivery to your domain will fail MTA-STS checks and the email won't be sent. The workaround is to list the final target hostname in your MTA-STS policy mx: lines (the resolved A/AAAA destination), even though that doesn't strictly follow the RFC. Most other senders (Gmail, Yahoo) follow CNAMEs, so the issue is Microsoft-specific. Audit your MX records and policy mx: lines together to confirm the targets are reachable when CNAMEs are not resolved.

What are the most common MTA-STS deployment failures?

Based on URIports' 2026 survey of the Top 1M domains: missing A/AAAA records at mta-sts.example.com (34% of broken deployments) — the policy host hostname must resolve over HTTPS; missing or expired TLS certificate at mta-sts.example.com (high single-digit %); HTTP 3xx redirects from the policy URL (RFC 8461 forbids); policy file served with wrong Content-Type or MIME headers; mismatched version: directive (must be STSv1); MX patterns in policy that don't match actual MX records; max_age outside recommended range. About 1 in 5 published MTA-STS deployments has at least one of these issues. Validation tools (URIports, MxToolbox, CaptainDNS) check all components in a single test.

Need MTA-STS deployed correctly without the operational burden?

Cloud Server for Email's managed infrastructure includes hosted MTA-STS for every client sending domain — testing-mode rollout with TLS-RPT collection, coordinated transition to enforce, ongoing certificate management, and weekly failure-pattern review. Skip the webserver, the cert renewal, and the deployment surveys.

Talk to engineering →