MTA-STS Hosting

MailShield can host your MTA-STS policy, simplifying the deployment of strict transport security for email.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a security standard that:

Enforces TLS encryption for email delivery
Prevents downgrade attacks
Protects against man-in-the-middle attacks
Requires certificates to be valid

Learn more about MTA-STS →

Why Use MailShield Hosting?

Without MailShield

To deploy MTA-STS yourself, you need:

A DNS TXT record at _mta-sts.yourdomain.com
A web server at mta-sts.yourdomain.com
Valid HTTPS certificate
Policy file at /.well-known/mta-sts.txt
Ongoing maintenance and monitoring

With MailShield

MailShield handles:

✅ Policy file hosting
✅ Automatic HTTPS certificates
✅ High availability infrastructure
✅ Policy validation
✅ Continuous monitoring and alerts

You only add 2 DNS records:

mta-sts.yourdomain.com    CNAME   mta-sts.mailshield.app
_mta-sts.yourdomain.com   TXT     "v=STSv1; id=YOUR-POLICY-ID"

Setting Up MTA-STS Hosting

Step 1: Configure Your Policy

Navigate to Domains → [Your Domain] → MTA-STS
Enable MTA-STS if not already enabled
Configure your policy settings:

Option	Description
Mode	`testing` (report issues) or `enforce` (require TLS)
MX Hosts	Your mail server hostnames
Max Age	How long senders cache the policy (seconds)

Toggle Hosted by MailShield to enable hosted mode
Click Save Configuration

Step 2: Copy Your Policy ID

After saving, MailShield generates a unique Policy ID for your domain. You'll see:

The Policy ID displayed (e.g., 20240115120000)
A Rotate ID button to generate a new ID when needed

TIP

The Policy ID changes whenever your policy is updated. Always update your DNS TXT record when the ID changes.

Step 3: Add DNS Records

Add these two DNS records at your domain registrar:

CNAME Record (for the policy file):

mta-sts.yourdomain.com.  CNAME  mta-sts.mailshield.app.

TXT Record (to signal MTA-STS is enabled):

_mta-sts.yourdomain.com.  TXT  "v=STSv1; id=YOUR-POLICY-ID"

Replace YOUR-POLICY-ID with the Policy ID shown in MailShield.

Step 4: Verify Configuration

Click Check DNS Configuration in MailShield
MailShield verifies:
- ✓ CNAME record points to mta-sts.mailshield.app
- ✓ TXT record contains correct policy ID
Both checks should show green checkmarks when configured correctly

DNS Propagation

DNS changes can take up to 48 hours to propagate. If checks fail immediately after adding records, wait and try again.

Managing Your Policy

Updating Policy Settings

When you change your MTA-STS policy (mode, MX hosts, or max age):

Update settings in MailShield and save
Click Rotate ID to generate a new policy ID
Update your DNS TXT record with the new ID
Click Check DNS Configuration to verify

Rotating the Policy ID

The Rotate ID button generates a new policy ID. Use this when:

You've changed your policy settings
You want to force senders to re-fetch your policy
You're troubleshooting caching issues

After rotating:

Copy the new Policy ID
Update your _mta-sts TXT record
Wait for DNS propagation
Verify with Check DNS Configuration

DNS Check Results

The Check DNS Configuration button verifies:

Check	What It Validates
CNAME/IP	`mta-sts.` subdomain points to MailShield
TXT Record	`_mta-sts.` contains correct `v=STSv1; id=...`

Each check shows:

✅ Green checkmark: Correctly configured
❌ Red X: Configuration issue (with details)

Policy Options

Mode

Mode	Behavior
testing	Senders report failures but still deliver mail
enforce	Senders must use TLS or reject delivery

Recommended approach:

Start with testing mode
Configure TLS-RPT to receive failure reports
Monitor for 2-4 weeks
Fix any issues discovered
Switch to enforce mode

MX Hosts

List all mail servers that receive email for your domain:

mail.yourdomain.com
mail2.yourdomain.com
*.mail.yourdomain.com

Important:

Include all hosts from your MX records
Wildcards are supported (*.example.com)
Hosts must have valid TLS certificates

Max Age

How long senders cache your policy:

Duration	Seconds	Use Case
1 day	86400	Testing, frequent changes
1 week	604800	Standard operation
1 month	2592000	Stable configuration

Recommendation: Start with 1 day during testing, increase after stabilization.

How It Works

When a sending mail server wants to deliver email to your domain:

1. Sender queries _mta-sts.yourdomain.com TXT
   → Gets: v=STSv1; id=20240115120000

2. Sender fetches https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
   → Your CNAME redirects to mta-sts.mailshield.app
   → MailShield serves your policy

3. Sender reads policy:
   → mode: enforce
   → mx: mail.yourdomain.com
   → max_age: 604800

4. Sender connects to your mail server with TLS
   → Verifies certificate matches MX host
   → Delivers email securely

Monitoring

MailShield continuously monitors your MTA-STS configuration:

Automatic Checks (Every 2 Hours)

DNS record exists and is correct
Policy file is accessible
Policy ID matches DNS record
MX hosts in policy match your MX records

Alerts

Get notified when:

DNS stops pointing to MailShield
Policy ID mismatch detected
MX hosts don't match DNS records
Configuration changes unexpectedly

TLS-RPT Integration

For complete visibility, also configure TLS-RPT:

_smtp._tls.yourdomain.com.  TXT  "v=TLSRPTv1; rua=mailto:YOUR-ID@reports.mailshield.app"

This enables:

Reports on TLS connection attempts
Failure notifications from sending servers
Statistics on MTA-STS effectiveness

Learn more about TLS-RPT →

Troubleshooting

CNAME Check Failing

"CNAME points to wrong target"

Verify CNAME value is exactly mta-sts.mailshield.app
Remove any trailing dots if your registrar adds them automatically

"No CNAME, A, or AAAA records found"

DNS record not created or hasn't propagated
Wait up to 48 hours for propagation
Verify at your registrar that the record exists

TXT Record Check Failing

"TXT record has wrong ID"

Update the TXT record with the current Policy ID from MailShield
Make sure to include the full value: v=STSv1; id=YOUR-ID

"TXT record missing v=STSv1"

Ensure the record format is correct
Check for typos or extra spaces

"No TXT record found"

Create the TXT record at _mta-sts.yourdomain.com
Note the underscore prefix

Policy Not Loading

If sending servers can't fetch your policy:

Verify CNAME is correctly pointing to MailShield
Ensure Hosted by MailShield is enabled
Check that MTA-STS is enabled
Click Check DNS Configuration to diagnose

Migrating to MailShield Hosting

If you're currently self-hosting MTA-STS:

Configure your policy in MailShield (same settings)
Enable Hosted by MailShield
Note the new Policy ID
Update DNS:
- Add CNAME for mta-sts. pointing to MailShield
- Update TXT record with new Policy ID
Remove your old web server after DNS propagates
Verify with Check DNS Configuration

Best Practices

Start in testing mode to identify issues before enforcing
Configure TLS-RPT for visibility into connection failures
Monitor reports for 2-4 weeks before switching to enforce
Keep MX hosts updated when changing mail servers
Use reasonable max_age - 1 week is a good default
Rotate Policy ID whenever you change settings
Verify DNS after any changes using the Check DNS button

MTA-STS Hosting ​

What is MTA-STS? ​

Why Use MailShield Hosting? ​

Without MailShield ​

With MailShield ​

Setting Up MTA-STS Hosting ​

Step 1: Configure Your Policy ​

Step 2: Copy Your Policy ID ​

Step 3: Add DNS Records ​

Step 4: Verify Configuration ​

Managing Your Policy ​

Updating Policy Settings ​

Rotating the Policy ID ​

DNS Check Results ​

Policy Options ​

Mode ​

MX Hosts ​

Max Age ​

How It Works ​

Monitoring ​

Automatic Checks (Every 2 Hours) ​

Alerts ​

TLS-RPT Integration ​

Troubleshooting ​

CNAME Check Failing ​

TXT Record Check Failing ​

Policy Not Loading ​

Migrating to MailShield Hosting ​

Best Practices ​