Steps to setup MTA-STS for inbound mail

  • Create two DNS TXT records, one for advertising MTA-STS and one for reporting issues with TLS connectivity
  • Spin up a new website under the mta-sts prefix of your domain, serving a file with your policy
  • Verify your mail server works with STARTTLS before setting enforce, or else you can lose email.
  • Make sure the TLS certificates are valid and not self-signed. You can use Let's Encrypt to get some for free as needed.

DNS Records

  Name                                   Type    Value
  _mta-sts.youremaildomainhere           TXT     "v=STSv1; id=3"
  _smtp._tls.youremaildomainhere         TXT     "v=TLSRPTv1; rua=mailto:tlsrpt@youremaildomainhere"

The id field should be incremented each time you change the file on the webserver.

Website setup

Set up the website

You're going to want to make sure this is available over TLS.

Create a new file


Example content

version: STSv1
mode: enforce
max_age: 604800

Mode should be either enforce or testing. The recommended max_age is two or more weeks; we're using a lower value here.
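As an added example (not code from this wiki page or from mta-sts-daemon), the following Python script checks the pieces described above before the mode is switched to enforce: it parses the _mta-sts TXT record, parses and validates the policy file served from https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461 requires at least one mx: line, which the snippet above omits, and caps max_age at one year), flags a max_age below the recommended two weeks, and shows the Postfix smtp_tls_policy_maps value a resolver would derive from the policy. The hostnames, the id value and the strict_testing handling are constructed assumptions, not values from the page.

```python
"""Added example, not code from the wiki page or from mta-sts-daemon.
Sanity-checks an MTA-STS deployment: the _mta-sts TXT record, the policy
file (RFC 8461) and the Postfix TLS policy a resolver would derive from it."""
import re
from typing import Any, Dict, List, Optional, Tuple

TWO_WEEKS = 14 * 24 * 3600   # recommended minimum max_age per the page
ONE_YEAR = 31557600          # hard upper bound on max_age in RFC 8461

# Constructed samples; real hostnames and ids are deployment specific.
SAMPLE_TXT = "v=STSv1; id=3"
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "max_age: 604800\n"
    "mx: mail.example.com\n"
    "mx: *.example.net\n"
)


def parse_sts_txt(txt: str) -> Dict[str, str]:
    """Parse the _mta-sts TXT record: 'v=STSv1; id=<1-32 alphanumerics>'."""
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("not an MTA-STS record: missing v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1 to 32 alphanumeric characters")
    return fields


def needs_refresh(txt: str, cached_id: Optional[str]) -> bool:
    """True when the DNS id differs from the cached one, so the policy file
    must be fetched again (the page: bump id whenever the file changes)."""
    return parse_sts_txt(txt)["id"] != cached_id


def parse_policy(text: str) -> Dict[str, Any]:
    """Parse the 'key: value' policy file; mx may repeat, so it is a list."""
    policy: Dict[str, Any] = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy[key.strip()] = value.strip()
    return policy


def check_policy(policy: Dict[str, Any]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors make the policy invalid, warnings
    are deployability concerns such as a short max_age."""
    errors: List[str] = []
    warnings: List[str] = []
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        errors.append(f"mode must be enforce, testing or none, got {policy.get('mode')!r}")
    try:
        max_age = int(policy.get("max_age", ""))
    except ValueError:
        errors.append("max_age must be an integer number of seconds")
    else:
        if not 0 <= max_age <= ONE_YEAR:
            errors.append(f"max_age {max_age} is outside 0..{ONE_YEAR}")
        elif max_age < TWO_WEEKS:
            warnings.append(f"max_age {max_age} is below the recommended two weeks")
    if not policy["mx"]:
        errors.append("at least one mx: line is required")
    for mx in policy["mx"]:
        if not re.fullmatch(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", mx):
            errors.append(f"mx {mx!r} is not a hostname or *.domain wildcard")
    return errors, warnings


def postfix_tls_policy(policy: Dict[str, Any], strict_testing: bool = False) -> str:
    """Simplified model (assumption) of what an MTA-STS resolver answers for
    smtp_tls_policy_maps: 'secure match=<mx list>' when the policy is enforced
    (or testing with strict_testing on), otherwise opportunistic 'may'.
    A '*.domain' mx becomes Postfix's parent-domain pattern '.domain'."""
    mode = policy.get("mode")
    if mode != "enforce" and not (mode == "testing" and strict_testing):
        return "may"
    patterns = [mx[1:] if mx.startswith("*.") else mx for mx in policy["mx"]]
    return "secure match=" + ":".join(patterns)


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    errs, warns = check_policy(parsed)
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
    print("postfix policy:", postfix_tls_policy(parsed))
    print("refresh needed with cached id 2:", needs_refresh(SAMPLE_TXT, "2"))
```

Run against the sample policy it reports no errors, one warning for the one-week max_age, and the Postfix policy "secure match=mail.example.com:.example.net"; drop the mx lines and it reports the missing-mx error that would make the file invalid in a real deployment.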



If you are running Postfix, you can install the py-postfix-mta-sts-resolver port. It validates TLS support for other mail servers by looking up their MTA-STS records, and it offers optional caching with Redis or SQLite3.

You would activate it in Postfix with the following in

smtp_tls_policy_maps = socketmap:inet:

Here is an example mta-sts-daemon.yml config file with Redis caching configured. The address value and the zone name are not given on this page; fill in your own.

port: 8461
reuse_port: true
shutdown_timeout: 20
cache:
  type: redis
  options:
    address: "redis://"        # Redis URL; host, port and database are left out here
    minsize: 5
    maxsize: 25
default_zone:                  # applies to every domain without a zone entry below
  strict_testing: true
  timeout: 4
zones:
  your_zone_name:              # placeholder; name the zone for your own domain
    strict_testing: false
    timeout: 4


At this time, we haven't found a way to validate on Sendmail. There are some patches floating around for the Debian package on Linux for DANE, but not for MTA-STS.
