Easiest Way To Publish mta-sts.txt For Your Domain
Mail Transfer Agent - Strict Transport Security (MTA-STS) increases the security of your email infrastructure by
enforcing encryption. It ensures STARTTLS is used when communicating with other SMTP servers to deliver email
messages. Although large organizations like Google, Yahoo, and Microsoft have been using MTA-STS for years, many
organizations are still waiting to jump on the bandwagon. One reason for waiting on the sidelines is the difficulty
of publishing the mta-sts.txt document on a website. This page demonstrates a straightforward method for accomplishing this task.
Requirements for MTA-STS
In short, you need the following:
- Two TXT records are needed in your DNS server:
  - _smtp._tls.yourdomain.com - This is optional and is needed to process reports sent by other servers.
- A text file called mta-sts.txt needs to be published.
Challenges in publishing mta-sts.txt
Configuring the DNS server with two TXT records is trivial. The challenging part is publishing the
mta-sts.txt file, and this is the primary reason preventing companies from adopting MTA-STS. The challenges arise from the following requirements:
- The URL for this document must be https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. For example, here are the documents for
- This document is served using HTTPS on port 443.
- The host name in the URL is mta-sts.yourdomain.com. Therefore, you must use either a wildcard
  or a multi-domain certificate.
- It needs to use a trusted SSL certificate that is not expired.
The above requirements mean companies have to either invest in maintaining a web server that serves only one document and
purchase additional SSL certificates, or outsource this publishing to a service provider.
Easiest Way To Publish
Xeams provides a very simple and straightforward way of publishing the
mta-sts.txt file through its web server. The following tasks are performed in the background:
- Suggested content for mta-sts.txt is created for you.
- This text file is automatically served on the expected path: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
- Values for the TXT records in DNS are suggested for your domain and pushed to your DNS server with just a few mouse clicks,
  provided you have integrated a DNS provider.
- A CNAME record is added in the DNS so mta-sts.yourdomain.com points to the name where your MX is pointing.
- A multi-domain SSL certificate is created using Let's Encrypt.
- TLS reports sent to your server are accepted, processed and summarized automatically.
All of the above tasks are configured using simple mouse clicks, tremendously reducing the effort involved in publishing
an MTA-STS policy for your domain. Refer to this document for details. Click below to watch
a short video demonstrating these steps.
There are a few prerequisites before publishing the MTA-STS policy for your domain:
- You will need to install Xeams on a machine, either inside your LAN or somewhere in the cloud, for example a
  VPS server or AWS Marketplace. The Community Edition will suffice.
- You will have to configure Xeams to listen on port 443 for HTTPS and will have to
- Integrate your DNS provider with Xeams. This makes pushing TXT records to your DNS server easier. You will have to
  configure DNS manually if this option is not enabled or is not available for your provider.
- Enable Let's Encrypt. You will have to use either a wildcard certificate or a multi-domain certificate if this option
  is not enabled.
- After logging in to the web interface as an administrator, click Reports/MTA-STS & TLS-Reporting.
- Select the desired domain name and click the Display button. If the domain name is not listed, go to
  Server Configuration/SMTP Configuration to add a new domain.
- The following page will display four steps and their completion status.
- Steps 1, 3, and 4 are straightforward. Xeams will create the necessary values for the two TXT records and
  will display a button to add them to your DNS server, provided a DNS provider is integrated.
- Click the Publish Now button to finish step 2. This step has a few sub-steps, which will be displayed on the
  - Adding either an "A" record or a "CNAME" record for mta-sts.yourdomain.com. This step is
    necessary so other servers know where to go for https://mta-sts.yourdomain.com. You will
    see a button to add this record to your DNS server.
  - Updates to the DNS server can take some time. Therefore, wait a few minutes to ensure the CNAME record is
    available before you go to the next step.
  - Create the SSL certificate. Recreate the certificate by clicking the Recreate button. Xeams will automatically
    create a new certificate with the additional host name for mta-sts. If you're using Let's Encrypt, you will
    have to use a wildcard or a multi-domain certificate.
  - Finally, restart Xeams so the new SSL certificate is applied.
Once done, open a browser and try fetching
https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. You should see
the policy file.
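Beyond eyeballing the file in a browser, you can check that what is served is a policy a receiving MTA will accept. The snippet below is an added example, not part of this page or of Xeams: it parses a constructed mta-sts.txt, reports the problems a receiver would reject it for, and checks whether MX host names are covered by its mx entries (wildcard handling follows RFC 8461; all host names are made up).

```python
# Offline checker for the artifacts this page describes: the mta-sts.txt policy
# file and the MX hosts it must cover. All sample values below are constructed.
POLICY_URL = "https://mta-sts.{domain}/.well-known/mta-sts.txt"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""

def parse_policy(text):
    """Parse mta-sts.txt: one 'key: value' per line, 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or malformed line
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def policy_errors(policy):
    """Return the problems a receiving MTA would reject this policy for."""
    errors = []
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        errors.append("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        errors.append("max_age must be a non-negative integer (seconds)")
    if policy.get("mode") != "none" and not policy["mx"]:
        errors.append("at least one mx entry is required")
    return errors

def mx_covered(policy, mx_host):
    """True if mx_host matches an mx entry; a '*.' prefix matches one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            labels = host[:-len(pattern) + 1]  # what the '*' would stand for
            if host.endswith(pattern[1:]) and labels and "." not in labels:
                return True
        elif host == pattern:
            return True
    return False
```

Run the parsed policy's mx entries against every host your MX records actually point to; an MX host that is not covered will fail delivery from enforcing senders once the policy is live.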