
MTA-STS

MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending mail servers that your domain requires TLS-encrypted delivery and that the receiving server's certificate must be valid. It prevents downgrade attacks and STARTTLS stripping on inbound mail.

It works via two components:

  • A policy file served over HTTPS at a fixed URL on a subdomain
  • A DNS TXT record that advertises the policy exists and carries a version ID

Policy modes

Mode      Behaviour
testing   Policy is evaluated but not enforced — delivery proceeds even on TLS failure. Use during rollout.
enforce   TLS failure causes the sending server to queue and retry rather than deliver in clear text.
none      Disables a previously published policy.

Start with testing, monitor TLS-RPT reports, then move to enforce.


Step 1 — Create the policy file

The policy file must be named mta-sts.txt and served at:

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

Create a file with the following content (for Microsoft 365):

version: STSv1
mode: testing
mx: *.mail.protection.outlook.com
max_age: 86400

Line endings

The spec requires CRLF (\r\n) line endings. Most static hosts (including Cloudflare Pages) serve files as-is, so save the file with CRLF if your editor supports it. In practice, most senders accept LF-only files.

Field     Description
version   Always STSv1
mode      testing, enforce, or none
mx        MX hostname pattern(s) allowed to receive mail. Use one line per entry.
max_age   How long (seconds) sending servers may cache the policy. 86400 = 1 day (good for testing); 604800 = 7 days (typical for enforce).

Step 2 — Deploy to Cloudflare Pages

Cloudflare Pages hosts the policy file and automatically provisions an HTTPS certificate for the custom subdomain.

Create the Pages project

  1. Cloudflare dashboard → Workers & Pages → Create → Pages → Upload assets
  2. Give the project a name (e.g., mta-sts-yourdomain)
  3. In the file upload area, create the folder structure:
    .well-known/
      mta-sts.txt
    
  4. Upload the mta-sts.txt file inside a .well-known folder — the Pages deployment must mirror this path exactly
  5. Click Deploy site

Uploading a folder via drag-and-drop

In the Cloudflare Pages upload UI you can drag an entire folder. Create the .well-known folder locally, place mta-sts.txt inside it, then drag the .well-known folder into the upload area.

To ensure Cloudflare Pages serves the policy file with the correct content type, add a _headers file at the root of your upload alongside the .well-known folder:

/.well-known/mta-sts.txt
  Content-Type: text/plain

Upload the _headers file at the same level as .well-known/, then redeploy.


Step 3 — Add the custom domain to Pages

The policy must be served from mta-sts.yourdomain.com — the Pages project's default *.pages.dev URL is not valid for MTA-STS.

  1. In your Pages project → Custom domains → Set up a custom domain
  2. Enter mta-sts.yourdomain.com
  3. Cloudflare will prompt you to add a CNAME record — since your domain is already on Cloudflare, it adds this automatically
  4. Wait for the domain status to show Active (usually a few minutes)
  5. Verify the policy file is reachable:
https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

Step 4 — Publish the DNS TXT record

Add a TXT record to advertise that the policy exists:

Field   Value
Type    TXT
Name    _mta-sts
Value   v=STSv1; id=20240101000000Z
TTL     Auto

The id value is a change token — it tells sending servers when the policy has been updated so they know to re-fetch it. It must:

  • Be 1–32 alphanumeric characters
  • Change every time you modify the policy file

Using a UTC timestamp (YYYYMMDDHHMMSSZ) is the conventional format. Update it whenever you change mode, mx, or max_age.

id must match a live policy

If the _mta-sts TXT record exists but the HTTPS endpoint returns a 404 or error, sending servers will treat this as a broken policy. Publish the DNS record only after the Pages deployment is confirmed working.


Step 5 — Configure TLS Reporting (TLS-RPT)

TLS-RPT (RFC 8460) instructs sending servers to email you daily reports on TLS connection failures. This is how you monitor for problems before switching to enforce mode.

Field   Value
Type    TXT
Name    _smtp._tls
Value   v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com

Use a mailbox you monitor, or a DMARC reporting service that also accepts TLS-RPT reports (e.g., Postmark DMARC).


Step 6 — Switch to enforce

Once TLS-RPT reports show no failures over 1–2 weeks:

  1. Update mta-sts.txt — change mode: testing to mode: enforce and increase max_age:

    version: STSv1
    mode: enforce
    mx: *.mail.protection.outlook.com
    max_age: 604800
    
  2. Redeploy the updated file to Cloudflare Pages

  3. Update the id in the _mta-sts DNS TXT record to a new timestamp:

    v=STSv1; id=20240201000000Z
    

Verification

# Check the DNS TXT record
dig TXT _mta-sts.yourdomain.com

# Check TLS-RPT record
dig TXT _smtp._tls.yourdomain.com

# Fetch the policy file
curl https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

Use MXToolbox MTA-STS or Hardenize to run a full validation that checks both the DNS record and the hosted policy together.
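As an added example that is not part of this guide, the following Python validator checks offline the three things the page asks you to get right: the policy file fields and CRLF line endings from Step 1, the mx wildcard match against an MX hostname, and the _mta-sts TXT record format and changed id from Step 4. The sample policy and TXT value are constructed; the limits checked (mode values, 1–32 alphanumeric id, max_age ceiling, single-label wildcard) are those of RFC 8461.

```python
import re
# Constructed sample inputs (not fetched from a live domain).
SAMPLE_POLICY = "version: STSv1\r\nmode: testing\r\nmx: *.mail.protection.outlook.com\r\nmax_age: 86400\r\n"
SAMPLE_TXT = "v=STSv1; id=20240101000000Z"

def parse_policy(text):
    """Parse an mta-sts.txt body; returns (policy dict, list of problems)."""
    problems = []
    if "\n" in text and "\r\n" not in text:
        problems.append("LF-only line endings (RFC 8461 requires CRLF)")
    policy = {"mx": []}
    for line in filter(str.strip, text.replace("\r\n", "\n").split("\n")):
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            problems.append(f"malformed line: {line!r}")
        elif key == "mx":
            policy["mx"].append(value.lower())   # one mx line per entry
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("testing", "enforce", "none"):
        problems.append("mode must be testing, enforce or none")
    if not policy["mx"] and policy.get("mode") != "none":
        problems.append("at least one mx entry is required")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > 31557600:
        problems.append("max_age must be integer seconds, at most 31557600")
    return policy, problems

def mx_allowed(mx_host, patterns):
    """True if an MX hostname matches a policy mx pattern; '*.' matches exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]                       # e.g. ".mail.protection.outlook.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pat:
            return True
    return False

def check_txt_record(txt, previous_id=None):
    """Validate a _mta-sts TXT record; an empty list means it is acceptable."""
    m = re.fullmatch(r"v=STSv1\s*;\s*id=([A-Za-z0-9]{1,32})\s*;?", txt.strip())
    if not m:
        return ["TXT must be 'v=STSv1; id=<1-32 alphanumeric chars>'"]
    if previous_id and m.group(1) == previous_id:
        return ["id unchanged: senders will keep their cached policy"]
    return []
```

Run it against the output of the curl and dig commands above, passing the id that was published before your last policy change as previous_id.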