Increase SMTP security (MTA-STS and TLS)

2. Create an MTA-STS policy

Set up MTA-STS for your domains by creating and publishing a policy for each domain. The policy defines the mail servers in the domain that have MTA-STS applied.

You must create a separate policy file for each domain. The policies can be identical but must be hosted separately for each domain that uses MTA-STS.

Server requirements for MTA-STS

Verify the following for your mail servers that get incoming mail:

Learn more about TLS certificates at Use G Suite certificates for secure transport (TLS).

Policy modes and MTA-STS deployment

You can set up an MTA-STS policy in testing mode or enforced mode.

Testing mode

Testing mode requests that external mail servers send you daily reports about information detected when connecting to your domain. Reports include information about detected MTA-STS policies, traffic statistics, failed connections, and messages that couldn’t be sent.

In testing mode, your domain only requests reports. This mode does not enforce any connection security required by MTA-STS. We recommend starting with testing mode for two weeks. Two weeks of report data is enough to learn about and fix any problems with your domain.

Use the information in the daily reports to resolve encryption or other security issues with your server or domain. Then, change the policy to enforced mode.

Enforced mode

When the policy is in enforced mode, your domain requests that external servers verify the SMTP connection is encrypted and authenticated. If the connection is not both encrypted and authenticated:

  • Servers that support MTA-STS will not send mail to your domain.
  • Servers that don't support MTA-STS continue to send messages to your domain over SMTP connections as they normally do. These SMTP connections might not be encrypted.

In enforced mode, you continue to receive the daily reports from external servers.

Create a policy file

The policy file is a plain text file that contains key and value pairs, one pair per line. The maximum policy file size is 64 KB.

Policy file name: The file name for the text file must be mta-sts.txt.

Updating policy files: You must update the policy file every time you add or change mail servers, or change the domain.

Policy file format: The version field must be in the first line of the policy. The other fields can be in any order. Here's an example policy text file:

version: STSv1
mode: testing
mx: mail.solarmora.com
mx: *.solarmora.net
mx: backupmx.solarmora.com
max_age: 604800

Policy file contents: The policy must include all of these key and value pairs.

Key: version
Value: Protocol version. Must be STSv1.

Key: mode
Value: Policy mode:

  • testing: External servers send you reports about encryption and other issues detected when connecting to your domain. MTA-STS encryption and authentication requirements are not enforced.

  • enforce: Mail servers that support MTA-STS will not send messages to your domain if the SMTP connection doesn't have authentication and encryption. You also get reports from external servers about connection issues.

  • none: Tells external servers that your domain no longer supports MTA-STS. Use this value if you stop using MTA-STS. Learn about Removing MTA-STS (RFC 8461).

Key: mx
Value: MX record for the domain.

  • The policy must have an mx entry for each MX record added to the domain.
  • Each mx entry must be on its own line in the policy file, as shown in the example.
  • The mail server name must be in standard Subject Alternative Name (SAN) format.
  • The mx value must be in one of the formats shown in these examples:

    Specify a single server in standard MX form: alt1.aspmx.solarmora.com

    Use a wildcard to specify servers that match a naming pattern. The wildcard character replaces one leftmost label only: *.solarmora.com

Learn more about MX records and MX record values.

Key: max_age
Value: Maximum length of time, in seconds, that the policy is valid. The max_age timer is reset for an external server every time that server fetches the policy, so different external servers can have different expiration times for the same policy.

Must be between 86400 (one day) and 31557600 (about one year).

For testing mode, we recommend a value between 604800 and 1209600 seconds (1-2 weeks).
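As an added example (not code from the original page or from Google), here is a small Python checker that applies the rules in this table to an mta-sts.txt body: version first and equal to STSv1, mode from the allowed set, each mx in SAN form with a wildcard only as the leftmost label, max_age within range, and the 64 KB size limit. It also checks that every MX hostname you supply (constructed here; normally taken from the domain's DNS MX records) is covered by at least one mx entry, which is the mismatch that most often breaks delivery once the policy is switched to enforce.

```python
import re

MODES = {"testing", "enforce", "none"}
MAX_AGE_RANGE = (86400, 31557600)          # one day .. about one year
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
MX_RE = re.compile(rf"^(?:\*|{LABEL})(?:\.{LABEL})+$")  # wildcard only as leftmost label

# Constructed copy of the page's example policy (the contents of mta-sts.txt).
SAMPLE_POLICY = ("version: STSv1\nmode: testing\nmx: mail.solarmora.com\n"
                 "mx: *.solarmora.net\nmx: backupmx.solarmora.com\nmax_age: 604800\n")

def parse_policy(text):
    """Parse an mta-sts.txt body; return (fields, errors). 'mx' collects a list."""
    errors, fields = [], {"mx": []}
    if len(text.encode()) > 64 * 1024:
        errors.append("policy exceeds 64 KB")
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines, 1):
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not sep or not key:
            errors.append(f"line {i}: not a key: value pair")
        elif key == "mx":
            if not MX_RE.match(value):
                errors.append(f"line {i}: bad mx value {value!r}")
            fields["mx"].append(value)
        else:
            fields[key] = value
    if not lines or not lines[0].startswith("version:"):
        errors.append("version must be the first field")
    if fields.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if fields.get("mode") not in MODES:
        errors.append("mode must be testing, enforce or none")
    age = fields.get("max_age", "")
    if not age.isdigit() or not MAX_AGE_RANGE[0] <= int(age) <= MAX_AGE_RANGE[1]:
        errors.append("max_age must be between 86400 and 31557600")
    return fields, errors

def mx_matches(host, pattern):
    """True if an MX hostname is covered by an mx entry ('*' covers one leftmost label)."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return host == pattern

def uncovered_mx(mx_hosts, policy_mx):
    """MX hostnames (from DNS; constructed here) that no mx entry in the policy covers."""
    return [h for h in mx_hosts if not any(mx_matches(h, p) for p in policy_mx)]
```

Run uncovered_mx against the hostnames from your domain's real MX records before changing mode to enforce; any hostname it returns would be rejected by MTA-STS-aware senders.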

Next Steps

Publish your MTA-STS policy
