Turn off MTA-STS

There might be times when you want to turn off MTA-STS for your domain. For example, you might be troubleshooting your mail server configuration or changing mail providers. MTA-STS is turned on per domain. If you have more than one domain, turn off MTA-STS separately for each domain.

Option 1: Change the mode for your MTA-STS policy

MTA-STS is turned off in 24 hours or less.

MTA-STS policies have 3 modes. Active policies use enforce or testing mode. You can turn off MTA-STS with a policy in none mode. To learn more about MTA-STS policy files and modes, review Create an MTA-STS policy.

Step 1: Update your policy file on your local computer

Update the policy file you created when you turned on MTA-STS for your domain. If you don’t have a copy of the file, you can download it from your domain’s public web server at this location. Replace this example domain with your domain:

https://mta-sts.solarmora.com/.well-known/mta-sts.txt

Update the file:

  • Change the mode value to none.
  • Change the max_age value to 86400 (about one day).
  • Remove all mx key value pairs (all lines that start with mx).

Below is an example policy file. The first policy is an active MTA-STS policy. The second is the same policy updated to turn off MTA-STS. The domain in the active policy is an example domain.

Active MTA-STS policy:

    version: STSv1
    mode: enforce
    mx: mail.solarmora.com
    mx: *.solarmora.net
    mx: backupmx.solarmora.com
    max_age: 604800

MTA-STS policy in none mode:

    version: STSv1
    mode: none
    max_age: 86400

Step 2: Upload updated policy file to your domain's public server

Note: If you’ve never published an MTA-STS policy file, review detailed steps in Publish your MTA-STS policy.

Upload the updated policy file to the same web server and directory as the current policy file. The new file should overwrite the current file at:

https://mta-sts.solarmora.com/.well-known/mta-sts.txt

Step 3: Change the ID in your MTA-STS DNS TXT record

Note: Detailed steps for updating DNS TXT records are in Turn on MTA-STS and TLS reporting. You can also check with your domain provider for instructions for managing DNS TXT records for your domain.

  1. Sign in to your domain management console and locate the page where you manage DNS records for your domain.
  2. Find the MTA-STS TXT record for your domain. The label will be _mta-sts: or something similar.
  3. Change the ID value in the TXT record value field. This is usually the second field. The ID value must be different from the current value and can be up to 32 letters and numbers, for example:
    id=20200425085700
  4. Save your changes.

An updated DNS TXT record takes effect based on the Time To Live (TTL) value for the record. Each TXT record for your domain has a TTL.

Depending on the TTL, it can take up to 24 hours for DNS record changes to take effect. Learn more about TTL and recommended values.
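
A check for the three Option 1 steps above, as an added example that is not part of the original page: it parses a policy file and compares the current and updated _mta-sts TXT values. The function names, the sample new ID, and the TXT value layout v=STSv1; id=... (the RFC 8461 format, not shown on this page) are assumptions.

```python
import re

# Constructed sample inputs; solarmora.com is the page's example domain.
ACTIVE_POLICY = """version: STSv1
mode: enforce
mx: mail.solarmora.com
mx: *.solarmora.net
mx: backupmx.solarmora.com
max_age: 604800
"""
NONE_POLICY = "version: STSv1\nmode: none\nmax_age: 86400\n"
OLD_TXT = "v=STSv1; id=20200425085700"
NEW_TXT = "v=STSv1; id=20200426090000"  # constructed new id

def parse_policy(text):
    """Parse an mta-sts.txt body; mx values are collected into a list."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'key: value' line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def txt_id(txt):
    """Return the id field of a _mta-sts TXT value, or None if absent."""
    pairs = (f.strip().split("=", 1) for f in txt.split(";") if "=" in f)
    return dict(pairs).get("id")

def turn_off_problems(policy_text, old_txt, new_txt):
    """List the ways a policy/TXT pair deviates from the Option 1 steps."""
    policy, problems = parse_policy(policy_text), []
    if policy.get("version") != "STSv1":
        problems.append("version is not STSv1")
    if policy.get("mode") != "none":
        problems.append(f"mode is {policy.get('mode')!r}, not 'none'")
    if policy.get("max_age") != "86400":
        problems.append(f"max_age is {policy.get('max_age')!r}, not 86400")
    if policy["mx"]:
        problems.append(f"{len(policy['mx'])} mx line(s) still present")
    new_id = txt_id(new_txt)
    if not new_id or not re.fullmatch(r"[A-Za-z0-9]{1,32}", new_id):
        problems.append("id is not 1 to 32 letters and numbers")
    elif new_id == txt_id(old_txt):
        problems.append("id is unchanged from the current TXT record")
    return problems
```

Calling turn_off_problems(NONE_POLICY, OLD_TXT, NEW_TXT) returns an empty list; passing the active policy with an unchanged TXT value reports each step that was missed.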

Option 2: Delete your MTA-STS DNS TXT record

MTA-STS is turned off when the policy expires, from one day to one year.

With this method, MTA-STS is turned off after the current and previous policies expire.

Some remote sites might have stored a previous policy version in the cache. Previous policies can have a later expiration date than your current policy.

Step 1: Verify the policy expiration time

When you create a policy file, you set the policy expiration time with the max_age value. The expiration time can be from one day to about one year and resets every time an external mail server checks the policy.

You can verify the current policy expiration time in the policy file. View the file on your web server at this location (replace the example domain with your domain):

https://mta-sts.solarmora.com/.well-known/mta-sts.txt

The max_age value is in seconds.

If the policy expiration is too long, use the first method in this article, Option 1: Change the mode for your MTA-STS policy.

Step 2: Delete the MTA-STS record for your domain

Do this step in the console you use to manage your domain. You can also check with your domain provider for instructions to delete TXT records.

  1. Sign in to your domain management console and locate the page where you manage DNS records for your domain.
  2. Find the MTA-STS TXT record for your domain. The label will be _mta-sts: or something similar.
  3. Delete the TXT record.
  4. Save your changes.

MTA-STS is turned off for your domain when the policy with the longest expiration time expires.
