Easiest Way To Publish mta-sts.txt For Your Domain

Mail Transfer Agent Strict Transport Security (MTA-STS) increases the security of your email infrastructure by enforcing encryption. It ensures that other SMTP servers use STARTTLS when delivering email messages to your domain. Although large organizations like Google, Yahoo, and Microsoft have been using MTA-STS for years, many organizations are still waiting to jump on the bandwagon. One reason for waiting on the sidelines is the difficulty of publishing the mta-sts.txt document on a website. This page demonstrates a straightforward method for accomplishing this task.

Requirements for MTA-STS

In short, you need the following:

  • Two TXT records are needed in your DNS server:
    1. _mta-sts.yourdomain.com
    2. _smtp._tls.yourdomain.com - This is optional and is needed to process reports sent by other servers.

  • A text file called mta-sts.txt needs to be published.

Challenges in publishing mta-sts.txt

Configuring the DNS server with two TXT records is trivial. The challenging part, and the primary reason preventing companies from adopting MTA-STS, is publishing the mta-sts.txt file. The challenge arises from the following requirements:

  • The URL for this document must be https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. For example, here are the documents for Google, Microsoft, and Synametrics.
  • This document is served using HTTPS on port 443.
  • The host name in the URL is mta-sts.yourdomain.com. Therefore, you must use either a wildcard or a multi-domain certificate.
  • It needs to use a trusted SSL certificate that is not expired.

The above requirements mean companies have to either invest in maintaining a web server that serves only one document, and purchase additional SSL certificates, or outsource this publishing to a service provider.

Easiest Way To Publish

Xeams provides a very simple and straightforward way of publishing the mta-sts.txt file through its web server. The following tasks are performed in the background:

  • A suggested content for mta-sts.txt is created for you.
  • This text file is automatically served on the expected path: .well-known/mta-sts.txt.
  • Values for the DNS TXT records are suggested for your domain and pushed to your DNS server with just a few mouse clicks, provided you have integrated a DNS provider.
  • A CNAME record is added in the DNS so mta-sts.yourdomain.com points to the host name your MX record points to.
  • A multi-domain SSL certificate is created using Let's Encrypt.
  • TLS-Reports sent to your server are accepted, processed and summarized automatically.

All of the above tasks are configured using simple mouse clicks, tremendously reducing the effort involved in publishing an MTA-STS policy for your domain. Refer to this document for details. Click below to watch a short video demonstrating these steps.

Video

Instructions

There are a few prerequisites before publishing the MTA-STS policy for your domain:

  • You will need to install Xeams on a machine, either inside your LAN or somewhere on the cloud. For example, a VPS server or AWS Marketplace. The Community Edition will suffice.
  • You will have to configure Xeams to listen on port 443 for HTTPS and enable STARTTLS.

Optional Features

  • Integrate your DNS provider with Xeams. This makes pushing TXT records to your DNS server easier. You will have to configure DNS manually if this option is not enabled or is not available for your provider.
  • Enable Let's Encrypt. You will have to use either a wildcard certificate or a multi-domain certificate if this option is not enabled.

Step-by-Step Instructions

  • After logging in to the web interface as an administrator, click Reports/MTA-STS & TLS-Reporting.
  • Select the desired domain name and click the Display button. If the domain name is not listed, go to Server Configuration/SMTP Configuration to add a new domain.
  • The following page will display four steps and their completion status.
  • Steps 1, 3, and 4 are straightforward. Xeams will create the necessary values for the two TXT records and will display a button to add them to your DNS server, provided a DNS provider is integrated.
  • Click the Publish Now button to finish step 2. This step has a few sub-steps, which will be displayed on the following page:
    • Adding either an "A" record or a "CNAME" record for mta-sts.yourdomain.com. This step is necessary so other servers know where to go for https://mta-sts.yourdomain.com. You will see a button to add this record to your DNS server.
    • Updates to the DNS server can take some time. Therefore, wait a few minutes to ensure the CNAME record is available before you go to the next step.
    • Create the SSL certificate. Recreate the certificate by clicking the Recreate button. Xeams will automatically create a new certificate with the additional host names for mta-sts. If you're using Let's Encrypt, you will have to use a wildcard or a multi-domain certificate.
  • Finally, restart Xeams so the new SSL certificate is applied.

Once done, open a browser and try fetching https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. You should see the policy file.
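Beyond eyeballing the file in a browser, the three published pieces (the _mta-sts TXT record, the policy file, and your MX hosts) have to agree with each other. The following added example, which is not part of this page or of Xeams, parses a policy and a TXT record and reports mismatches; the sample policy, the TXT value and the host names are constructed for illustration, and a real check would fetch them from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt and DNS.

```python
# Constructed sample inputs (not from the page): a policy and its _mta-sts TXT record.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: *.backup-mx.example
max_age: 604800
"""
SAMPLE_TXT = "v=STSv1; id=20240101T000000;"

def parse_policy(text):
    """Parse mta-sts.txt (key: value lines) into a dict; 'mx' is a list."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def parse_txt_record(record):
    """Parse the _mta-sts.<domain> TXT value ('v=STSv1; id=...') into a dict."""
    pairs = (p.partition("=") for p in record.split(";") if p.strip())
    return {k.strip(): v.strip() for k, _, v in pairs}

def mx_allowed(pattern, host):
    """MTA-STS mx matching: a leading '*.' matches exactly one DNS label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):  # pattern[1:] is e.g. ".backup-mx.example"
        return host.endswith(pattern[1:]) and "." not in host[:1 - len(pattern)]
    return host == pattern

def check_deployment(policy_text, txt_record, mx_hosts):
    """Return the problems found; an empty list means the published parts agree."""
    problems = []
    txt = parse_txt_record(txt_record)
    if txt.get("v") != "STSv1" or not txt.get("id"):
        problems.append("TXT record must contain v=STSv1 and a non-empty id")
    pol = parse_policy(policy_text)
    if pol.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    if pol.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    for host in mx_hosts:
        if not any(mx_allowed(p, host) for p in pol["mx"]):
            problems.append(f"MX host {host} is not covered by any mx line")
    return problems
```

An MX host that no mx line covers is the mistake worth catching before switching mode to enforce, because sending servers will then refuse to deliver to that host.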