Increase SMTP security (MTA-STS and TLS)
2. Create an MTA-STS policy
Set up MTA-STS for your domains by creating and publishing a policy for each domain. The policy defines the mail servers in the domain that have MTA-STS applied.
You must create a separate policy file for each domain. The policies can be identical but must be hosted separately for each domain that uses MTA-STS.
Server requirements for MTA-STS
Verify the following for your mail servers that get incoming mail:
- They require that mail be transmitted over a secure (TLS) connection.
- They use TLS version 1.2.
- The server TLS certificates:
  - Match the domain name used by the inbound mail server (the server in your MX records).
  - Are signed and trusted by a root certificate authority.
  - Are not expired.
Learn more about TLS certificates at Use G Suite certificates for secure transport (TLS).
You can set up an MTA-STS policy in testing mode or enforced mode.
Testing mode requests that external mail servers send you daily reports about information detected when connecting to your domain. Reports include information about detected MTA-STS policies, traffic statistics, failed connections, and messages that couldn’t be sent.
In testing mode, your domain only requests reports. This mode does not enforce any connection security required by MTA-STS. We recommend starting with testing mode for two weeks. Two weeks of report data is enough to learn about and fix any problems with your domain.
Use the information in the daily reports to resolve encryption or other security issues with your server or domain. Then, change the policy to enforced mode.
When the policy is in enforced mode, your domain requests that external servers verify the SMTP connection is encrypted and authenticated. If the connection is not both encrypted and authenticated:
- Servers that support MTA-STS will not send mail to your domain.
- Servers that don't support MTA-STS continue to send messages to your domain over SMTP connections as they normally do. These SMTP connections might not be encrypted.
In enforced mode, you continue to receive the daily reports from external servers.
Create a policy file
The policy file is a plain text file that contains key and value pairs, one pair per line. The maximum policy file size is 64 KB.
Policy file name: The file name for the text file must be mta-sts.txt
Updating policy files: You must update the policy file every time you add or change mail servers, or change the domain.
Policy file format: The version field must be in the first line of the policy. The other fields can be in any order. Here's an example policy text file:
Policy file contents: The policy must include all of these key and value pairs.
| Key | Value |
| --- | --- |
| version | Protocol version. Must be STSv1. |
| mx | MX record for the domain. Learn more about MX records and MX record values. |
| max_age | Maximum length of time in seconds the policy is valid. The max_age is reset for an external server every time the policy is accessed by that server, so external servers have different expiration dates for the same policy. Must be between 86400 (one day) and 31557600 (about one year). For testing mode, we recommend between 604800 and 1209600 (1-2 weeks). |
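The following Python script is an added example, not part of this help article or of any Google tooling. It checks an mta-sts.txt file against the rules above before you publish it: one key/value pair per line, version on the first line and equal to STSv1, at least one mx entry, max_age within 86400 to 31557600 seconds (with a warning when a testing-mode policy is outside the recommended 1-2 week range), and a total size of at most 64 KB. The mode key and its values (testing, enforce, none) are taken from RFC 8461, which defines the policy format; the sample policies and host names below are constructed placeholders.

```python
import re

MIN_MAX_AGE = 86400                       # one day
MAX_MAX_AGE = 31557600                    # about one year
TESTING_RECOMMENDED = (604800, 1209600)   # 1 to 2 weeks, recommended while in testing mode
MAX_POLICY_BYTES = 64 * 1024              # 64 KB size limit for mta-sts.txt
VALID_MODES = {"testing", "enforce", "none"}   # mode values defined by RFC 8461
# Host name or wildcard such as *.example.com, as accepted for mx values
MX_PATTERN = re.compile(r"^(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_policy(text):
    """Split the policy into key/value pairs. Returns (fields, errors);
    fields["mx"] is always a list because mx may appear several times."""
    errors = []
    if len(text.encode("utf-8")) > MAX_POLICY_BYTES:
        errors.append("policy file exceeds 64 KB")
    fields = {"mx": []}
    lines = text.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":          # ignore the trailing newline
        lines.pop()
    for number, line in enumerate(lines, start=1):
        if ":" not in line:
            errors.append(f"line {number}: expected 'key: value'")
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if number == 1 and key != "version":
            errors.append("the version field must be on the first line")
        if key == "mx":
            fields["mx"].append(value)
        elif key in fields:
            errors.append(f"line {number}: duplicate key '{key}'")
        else:
            fields[key] = value
    return fields, errors


def validate_policy(text):
    """Apply the MTA-STS policy rules and return a result dictionary."""
    fields, errors = parse_policy(text)
    warnings = []
    if fields.get("version") != "STSv1":
        errors.append("version must be STSv1")
    mode = fields.get("mode")
    if mode not in VALID_MODES:
        errors.append("mode must be testing, enforce or none")
    if not fields["mx"]:
        errors.append("at least one mx entry is required")
    for host in fields["mx"]:
        if not MX_PATTERN.match(host):
            errors.append(f"mx value '{host}' is not a valid host name or wildcard")
    max_age = None
    raw_age = fields.get("max_age", "")
    if not raw_age.isdigit():
        errors.append("max_age must be a whole number of seconds")
    else:
        max_age = int(raw_age)
        if not MIN_MAX_AGE <= max_age <= MAX_MAX_AGE:
            errors.append(f"max_age must be between {MIN_MAX_AGE} and {MAX_MAX_AGE}")
        elif mode == "testing" and not TESTING_RECOMMENDED[0] <= max_age <= TESTING_RECOMMENDED[1]:
            warnings.append("testing mode: a max_age of 604800 to 1209600 seconds is recommended")
    return {"ok": not errors, "mode": mode, "mx": fields["mx"],
            "max_age": max_age, "errors": errors, "warnings": warnings}


# Constructed sample policies; the host names are placeholders, not real servers.
TESTING_POLICY = """version: STSv1
mode: testing
mx: mail1.example.com
mx: *.backup.example.com
max_age: 604800
"""

ENFORCE_POLICY = """version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.backup.example.com
max_age: 2592000
"""

# Deliberately broken: mode before version, wrong version, no mx, max_age too short
BAD_POLICY = """mode: enforce
version: STSv2
max_age: 3600
"""

if __name__ == "__main__":
    for name, policy in [("testing", TESTING_POLICY), ("enforce", ENFORCE_POLICY), ("bad", BAD_POLICY)]:
        result = validate_policy(policy)
        print(name, "OK" if result["ok"] else "INVALID", result["errors"], result["warnings"])
```

Run it against the file you intend to publish at the well-known URL for each domain; because the policy must be hosted separately per domain, validating each copy before a change goes live catches a stale mx list or an out-of-range max_age before external servers cache it.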