Increase email security with MTA-STS and TLS reports
2. Create an MTA-STS policy
Set up MTA-STS for your domains by creating and publishing a policy for each domain. The policy defines the mail servers in the domain that use MTA-STS.
Each domain must have a separate policy file. The policies can be the same but they must be hosted separately for each domain using MTA-STS.
Server requirements for MTA-STS
Verify the following for your mail servers that get incoming mail:
- They require mail be transmitted via a secure (TLS) connection.
- They use TLS version 1.2 or later
- The server TLS certificates:
- Match the domain name used by the inbound mail server (the server in your MX records).
- Are signed and trusted by a root certificate authority.
- Are not expired.
Learn more about TLS certificates at Use G Suite certificates for secure transport (TLS).
You can set up an MTA-STS policy in testing mode or enforce mode.
Testing mode requests that external mail servers send you daily reports. The reports have information about issues detected when connecting to your domain. Reports include detected MTA-STS policies, traffic statistics, unsuccessful connections, and unsent message details.
In testing mode, your domain only requests reports. This mode does not enforce any connection security required by MTA-STS. We recommend starting with testing mode for 2 weeks. 2 weeks of report data is enough to learn about and fix any problems with your domain.
Use the information in the daily reports to resolve encryption or other security issues with your server or domain. Then, change the policy to enforce mode.
When the policy is in enforce mode, your domain requests external servers to verify the SMTP connection is both encrypted and authenticated.
If the connection is not both encrypted and authenticated:
- Servers that support MTA-STS will not send mail to your domain.
- Servers that don't support MTA-STS continue to send messages to your domain over SMTP connections as they normally do. These SMTP connections might not be encrypted.
In enforce mode, you continue to receive the daily reports from external servers.
Create a policy file
The policy file is a plain text file that has key and value pairs. Each pair must be on its own line in the text file, as shown in the example below. The policy text file size can be up to 64 KB.
Policy filename: The filename for the text file must be mta-sts.txt
Updating policy files: Update the policy file every time you add or change mail servers, or change the domain.
Policy file format: The version field must be in the first line of the policy. The other fields can be in any order. Here's an example policy file:
Policy file contents: The policy must include all of these key and value pairs. To get a policy that is customized for your domain, follow the steps in Check MTA-STS status and get suggested configurations.
|version||Protocol version. Must be STSv1|
MX record for the domain.
Learn more about MX records and MX record values.
Maximum time in seconds the policy is valid. The max_age is reset for an external server every time the server checks the policy. So, external servers can have different expiration dates for the same policy.
The value must be between 86400 (1 day) and 31557600 (about 1 year).
For testing mode, we recommend between 604800 and 1209600 (1–2 weeks).