Increase SMTP security (MTA-STS and TLS)

4. Turn on MTA-STS and TLS reporting

Increase email security with authentication and encryption

Turn on MTA-STS and TLS reporting for your domain by updating the Domain Name System (DNS) records for the domain. The DNS records signal to external servers that:

  • Your domain requires authentication and encryption for SMTP connections.
  • You can get TLS reports from servers in other domains.

Create a mailbox to get reports

When you turn on MTA-STS and TLS reporting for your domain, external servers send you reports about connecting to your servers. Reports include information about detected MTA-STS policies, traffic statistics, failed connections, and messages that couldn’t be sent. Here is an example report.

Set up one or more email addresses for your domain to receive these reports before you turn on TLS reporting. The DNS TXT record for TLS reporting includes the email address you create to get reports.

Some example email addresses for TLS reports are:
tls-report@solarmora.com
mta-sts@solarmora.com

Note: You can specify that servers upload TLS reports to a web server, instead of sending reports in email. This option requires an API, which is not provided by G Suite. Learn how to set up Report using HTTPS (RFC 84660).

Update DNS Records

About DNS TXT records

To turn on MTA-STS and TLS reporting, update your domain settings with two DNS TXT records. A TXT record is a DNS record that contains text information used by sources outside of your domain.

Add these records to your domain settings at your domain host, not in your Google Admin console.

Learn more about working with TXT records in Tips for updating DNS TXT records.

Add DNS TXT records

Replace the example domain in these steps with your domain.

We recommend you add the DNS TXT records in this order to turn on TLS reporting first, then turn on MTA-STS:

  1. Sign in to the management console for your domain provider.
  2. Locate the page where you update DNS records.

    Subdomains: If your domain host doesn't support updating subdomain DNS records, add the record to the parent domain. Learn how to update DNS records for a subdomain.

  3. Add a DNS record at _smtp._tls:

    TXT record name: In the first field, under DNS Host name, enter:
    _smtp._tls.solarmora.com

    TXT record value: In the second field, enter:
    v=TLSRPTv1; rua=mailto:tlsrpt@solarmora.com

    rua: The email address you created to get reports. To get reports at multiple emails, separate the email addresses with commas:
    v=TLSRPTv1; rua=mailto:tlsrpt@solarmora.com,mailto:mts-sts@solarmora.com

    Note: Syntax for the HTTPS report delivery option is described in Report using HTTPS (RFC 84660).

  4. Add a DNS record at _mta-sts:

    TXT record name: In the first field, under DNS Host name, enter:
    _mta-sts.solarmora.com

    TXT record value: In the second field, enter:
    v=STSv1; id=20190425085700

    id: Must be 1–32 alphanumeric characters. The ID signals to external servers that your domain supports MTA-STS.

    You must update the ID to a new, unique value every time you change your MTA-STS policy. External servers use the updated ID value to determine when your policy changed. We recommend using the current date and time for this value so you know when your policy last changed.
     
  5. Save your changes.

Verify MTA-STS and TLS reporting are turned on

Check your MTA-STS configuration on the Security Health page to verify that your policy and DNS TXT records are valid, and MTA-STS and TLS reporting are correctly set up.

Note: The time for changed DNS records to take effect is based on the Time To Live (TTL) value for the record. Each of your domain’s DNS records has a TTL. Depending on the TTL, it can take up to 24 hours for changes to take effect. Learn more about TTL and recommended values.

Tips for updating DNS TXT records

Field names: Domain providers use different names for the fields associated with a TXT record. For example, GoDaddy labels the fields TXT Name and TXT Value. Name.com labels the fields Record Host and Record Answer. For most providers, the first field is the DNS Host name (TXT record name) and the second field is the TXT record value.

EasyDNS: If your domain provider is EasyDNS, add a period and your domain name to the end of the DNS Host name (TXT record name) value. Enter the value in this format, where solarmora.com is the name of your domain: google._domainkey.solarmora.com.

Working with TXT records: Learn more about creating and working with TXT records in these articles:​

 

Was this helpful?
How can we improve it?