
Increase email security with MTA-STS and TLS reporting

4. Turn on MTA-STS and TLS reporting

Increase email security with authentication and encryption

To turn on MTA-STS and TLS reporting for your domain, update the DNS TXT records for the domain. The DNS records signal to external servers that:

  • Your domain requires authentication and encryption for SMTP connections.
  • You can get TLS reports from servers in other domains.

A TXT record is a DNS record that has text information used by sources outside your domain. Learn more about working with DNS TXT records.

Create a mailbox to get reports

When you turn on MTA-STS and TLS reporting for your domain, external servers send you reports about connections to your servers. Reports include detected MTA-STS policies, traffic statistics, unsuccessful connections, and unsent messages.

This is an example TLS report.

Before you turn on reporting, set up one or more email addresses for your domain to get reports. The DNS TXT record for TLS reporting includes the email address you create to get reports.

Some example email addresses for TLS reports are:

Note: You can specify that servers upload TLS reports to a web server, instead of sending reports in email. This option requires an API that is not provided by Google Workspace. Learn more at Report using HTTPS (RFC 8460).

Update DNS Records

To turn on MTA-STS and TLS reporting, update your domain settings with two DNS TXT records, added at the following subdomains:

  • _smtp._tls
  • _mta-sts

Important: Add these records to your domain settings at your domain host, not in your Google Admin console.

Get recommended DNS TXT records

To get DNS TXT records that are customized for your domain, follow the steps in Check MTA-STS status and get suggested configurations.

Add DNS TXT records

Important: Replace the example domain (solarmora) in these steps with your own domain.

We recommend you add the DNS TXT records in this order to turn on TLS reporting first, then turn on MTA-STS:

  1. Sign in to the management console for your domain provider.
  2. Locate the page where you update DNS records.
  3. To turn on TLS reporting, add a DNS record at _smtp._tls:

    TXT record name: In the first field, under DNS Host name, enter:

    TXT record value: In the second field, enter:

    rua: The email address you created to get reports. To get reports at multiple emails, separate the email addresses with commas:

    Note: Syntax for the HTTPS report delivery option is described in Report using HTTPS (RFC 8460).

  4. To turn on MTA-STS for the domain, add a DNS record at _mta-sts:

    TXT record name: In the first field, under DNS Host name, enter:

    TXT record value: In the second field, enter:
    v=STSv1; id=20190425085700

    id: Must be 1–32 alphanumeric characters. The ID signals to external servers that your domain supports MTA-STS.

    Update the id to a new, unique value every time you change your MTA-STS policy. External servers use the updated id value to determine when your policy changed. We recommend using the current date and time for the id value so you know when your policy last changed.
  5. Save your changes.
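
A check you can run on both TXT values before saving them at your domain host. This is an added example, not part of Google's documentation. The `v=TLSRPTv1` tag and the `mailto:`/`https:` forms of `rua` are taken from RFC 8460; the example.com addresses and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")  # page: id must be 1-32 alphanumeric characters
RUA_RE = re.compile(r"mailto:[^@\s]+@[^@\s]+|https://\S+")

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT value into an ordered dict; reject malformed or duplicate tags."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        key, sep, value = part.partition("=")
        key = key.strip()
        if not sep or key in tags:
            raise ValueError(f"bad or duplicate tag: {part!r}")
        tags[key] = value.strip()
    return tags

def check_mta_sts(txt):
    """Validate the _mta-sts TXT value and return its policy id."""
    tags = parse_tags(txt)
    if list(tags.items())[:1] != [("v", "STSv1")]:
        raise ValueError("record must start with v=STSv1")
    if not ID_RE.fullmatch(tags.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return tags["id"]

def check_tlsrpt(txt):
    """Validate the _smtp._tls TXT value and return its list of rua report URIs."""
    tags = parse_tags(txt)
    if list(tags.items())[:1] != [("v", "TLSRPTv1")]:
        raise ValueError("record must start with v=TLSRPTv1")
    uris = [u.strip() for u in tags.get("rua", "").split(",")]
    for uri in uris:
        if not RUA_RE.fullmatch(uri):
            raise ValueError(f"rua entry is not a mailto: or https: URI: {uri!r}")
    return uris

def new_policy_id(now=None):
    """Build an id from the current UTC date and time, as the page recommends."""
    return (now or datetime.now(timezone.utc)).strftime("%Y%m%d%H%M%S")

def policy_changed(published_txt, cached_id):
    """True when a sender holding cached_id sees a different id and so knows the policy changed."""
    return check_mta_sts(published_txt) != cached_id
```

If you edit the MTA-STS policy but leave the old `id` in place, `policy_changed` returns False for any sender holding that id, which is the case the id update rule above is meant to prevent.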

Verify MTA-STS and TLS reporting are turned on

To verify that MTA-STS and TLS reporting are correctly set up, check your MTA-STS configuration on the Security Health page.

Note: The time for changed DNS records to take effect is based on the Time To Live (TTL) value for the record. Each of your domain’s DNS records has a TTL. Depending on the TTL, it can take up to 24 hours for changes to take effect. Learn more about TTL and recommended values.

