MTA-STS and TLS Reporting - Postmaster+ by OptiPub

MTA-STS (Mail Transfer Agent Strict Transport Security) and TLS Reporting

MTA-STS (Mail Transfer Agent Strict Transport Security) and TLS Reporting are protocols that help improve email transport security.

  1. MTA-STS: MTA-STS (RFC 8461) is a protocol that lets a domain declare that its mail servers accept mail over TLS and that senders should not fall back to cleartext. A sending mail server that supports MTA-STS fetches the domain's policy, caches it, and (in enforce mode) delivers only to an MX host that is listed in the policy and presents a certificate that validates for its hostname. This defeats STARTTLS-stripping and MX-spoofing attacks, where an attacker on the network path removes the STARTTLS offer or answers an unauthenticated MX lookup with a host they control. If secure delivery fails under an enforce-mode policy, the message is not sent in the clear: the sender treats the attempt as a delivery failure and retries or bounces rather than downgrade.

    The policy is published in two places: a TXT record at _mta-sts.<domain> in DNS, and a policy file served over HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt. The DNS record carries only a version tag and an id; the id does not appear in the policy file. Its job is change detection: a sender caches the fetched policy for the file's max_age and refetches the file only when the id in DNS differs from the one it cached, so the id must change every time the file does. What authenticates the policy is the HTTPS fetch with a certificate that validates for mta-sts.<domain>; the TXT record itself is unauthenticated unless the zone is DNSSEC-signed.

  2. TLS Reporting (TLS-RPT): TLS-RPT (RFC 8460) is a protocol by which sending mail servers report back to a domain owner on the TLS outcome of their delivery attempts to that domain: how many sessions negotiated TLS successfully, how many failed, and why (for example an expired certificate, no STARTTLS offered, or an MTA-STS policy that could not be fetched or did not match the MX host). These aggregate reports let domain owners find and fix transport problems before they block mail, and they are the only feedback a domain gets about an MTA-STS policy in testing mode.

    The TLS-RPT policy is published as a TXT record at _smtp._tls.<domain> that names the destination for reports, as a mailto: or https: URI.

These protocols are part of a suite of email security measures. They secure the transport hop between mail servers (confidentiality and server authentication) and complement SPF, DKIM, and DMARC, which authenticate the sender of a message rather than the connection. As with those other protocols, it's important to set up MTA-STS and TLS Reporting correctly to avoid email delivery problems: an enforce-mode MTA-STS policy that omits one of your MX hosts, or an MX certificate that does not validate for its hostname, makes compliant senders refuse to deliver to you.

MTA-STS Configuration Options

The TXT record at _mta-sts.<domain> has two components:

Component  Description  Example
v (Version)  Identifies the version of the MTA-STS specification in use; currently always STSv1.  v=STSv1
id (ID)  A string of 1 to 32 letters or digits identifying the current revision of the policy. Change it every time the policy file changes: senders only refetch the file when the id differs from the one they cached. A timestamp is a common choice.  id=20230514

The policy file itself carries separate fields (version, mode, mx and max_age), described under "How to setup MTA-STS" below.


TLS-RPT Configuration Options

Component  Description  Example
v (Version)  Identifies the version of the TLS-RPT specification in use; currently always TLSRPTv1.  v=TLSRPTv1
rua (Reporting URI)  Where aggregate TLS reports should be sent: a mailto: URI (reports arrive as email attachments) or an https: URI (reports are POSTed to it). Several destinations can be listed, separated by commas.  rua=mailto:tlsrpt@example.com

How to setup MTA-STS

Setting up MTA-STS involves a few steps. Below, I've outlined a basic process. As with other DNS-based security measures, it's always a good idea to consult with an expert or do further reading before implementing these changes, as incorrect configuration can lead to problems with email delivery.

  1. Create the MTA-STS Policy: The first step is to create your MTA-STS policy. This is a plain-text file that contains the details of your policy: the version of MTA-STS you are using, the mode of the policy (none, testing or enforce), the maximum age of the policy, and the MX hosts that receive mail for your domain (one mx line per host; a pattern such as *.example.com matches exactly one leading label). The policy might look something like this:

     version: STSv1
     mode: enforce
     mx: mail.example.com
     max_age: 604800

     In this policy, we're using version 1 of MTA-STS, we're in enforce mode (meaning that policy failures should result in mail not being delivered), we're declaring mail.example.com as the host that receives mail for our domain, and senders may cache the policy for one week (604800 seconds). Every host in your domain's MX records must be covered by an mx line. For a first deployment use mode: testing, which makes senders deliver as usual but report failures over TLS-RPT, and switch to enforce once the reports are clean.

  2. Host the MTA-STS Policy: The MTA-STS policy needs to be hosted at a specific HTTPS endpoint on your domain. The URL is https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. So, for example, if your domain was example.com, you would host your policy at https://mta-sts.example.com/.well-known/mta-sts.txt. The server must present a valid, publicly trusted TLS certificate that covers the mta-sts.example.com hostname, serve the file with Content-Type text/plain, and answer directly: senders do not follow HTTP redirects when fetching the policy.

  3. Create the MTA-STS DNS Record: Next, you'll create a TXT record in your domain's DNS. The record should be at the subdomain _mta-sts, so for example.com, you would create a TXT record at _mta-sts.example.com. The value of the record should be v=STSv1; id=your_id, where your_id is a string of 1 to 32 letters or digits (a timestamp such as 20230514T120000 works well) that you change each time you update the policy file; senders refetch the file only when this id changes.

  4. Test Your Configuration: Once your MTA-STS policy and DNS record are set up, test your configuration: fetch the policy URL and check the certificate, the content type and the policy text, confirm that the DNS record resolves, and compare the mx lines against your MX records. There are online MTA-STS validators that can check your setup and help you identify any problems. Publish a TLS-RPT record at the same time so that senders can tell you about failures.

  5. Monitor and Update Your Policy: After setting up MTA-STS, monitor your email delivery and your TLS reports to identify any issues. If you make changes to your email setup, update your MTA-STS policy and change the id in your DNS record. Because senders keep a cached policy for up to max_age, add a new MX host to the policy (and change the id) before you start pointing MX records at it; otherwise senders holding the old policy will refuse to deliver to the new host until their cache expires.

Note that this is a simplified overview and the specifics may vary depending on your email system and hosting environment.
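The following is an added example, not code from Postmaster+ or OptiPub: it parses an _mta-sts TXT record and a policy file offline, validates them the way the steps above describe (version, id format, mode, max_age, mx patterns), implements the RFC 8461 MX matching rule including the one-label wildcard, and models what a compliant sender does with a given MX host in enforce versus testing mode. The record, policy, hostnames and the sender "decision" function are constructed for illustration.

```python
# Added example (not code from Postmaster+/OptiPub): validate an MTA-STS
# deployment offline and model what a sending MTA does with it.
# The TXT record, policy file and hostnames below are constructed samples.
import re

# What `dig TXT _mta-sts.example.com` and a fetch of
# https://mta-sts.example.com/.well-known/mta-sts.txt might return.
SAMPLE_TXT = "v=STSv1; id=20230514T120000"
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.backup.example.com\n"
    "max_age: 604800\n"
)

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age may not exceed one year in seconds


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record ('v=STSv1; id=...'); raise on malformed input."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("v= must be STSv1")
    # RFC 8461: id is 1 to 32 letters or digits; senders refetch when it changes.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id= must be 1-32 alphanumeric characters")
    return fields


def parse_sts_policy(text):
    """Parse the mta-sts.txt body ('key: value' lines, LF or CRLF)."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":  # mx may repeat, one host pattern per line
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("none", "testing", "enforce"):
        raise ValueError("mode must be none, testing or enforce")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds") from None
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required")
    return policy


def mx_matches(mx_host, patterns):
    """RFC 8461 MX matching: exact (case-insensitive) match, or a '*.' wildcard
    standing for exactly one leading label ('*.example.com' matches
    'mail.example.com' but neither 'example.com' nor 'a.b.example.com')."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]  # ".example.com"
            head = host[: -len(suffix)] if host.endswith(suffix) else ""
            if head and "." not in head:
                return True
        elif host == pat:
            return True
    return False


def delivery_decision(policy, mx_host, tls_validated):
    """What a compliant sender does with one MX candidate under this policy.
    tls_validated: STARTTLS succeeded and the certificate validates for mx_host.
    Returns 'deliver', 'deliver-and-report' (testing mode) or 'refuse' (enforce)."""
    if policy["mode"] == "none":
        return "deliver"
    if mx_matches(mx_host, policy["mx"]) and tls_validated:
        return "deliver"
    # Policy failure: enforce blocks delivery to this host; testing delivers
    # anyway, and the failure is reported through TLS-RPT.
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    record = parse_sts_txt(SAMPLE_TXT)
    policy = parse_sts_policy(SAMPLE_POLICY)
    print("policy id", record["id"], "mode", policy["mode"], "mx", policy["mx"])
    for host, tls in [("mail.example.com", True), ("mx1.backup.example.com", True),
                      ("mail.example.com", False), ("mx.attacker.example", True)]:
        print(f"{host:26} tls={tls!s:5} -> {delivery_decision(policy, host, tls)}")
```

Feed the functions the real output of dig and of an HTTPS fetch of your own policy URL to check a deployment; the point of the wildcard rule is that a host two labels below the wildcard (a.b.example.com) is not covered, which is a common cause of enforce-mode refusals.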

How to setup TLS-RPT

Setting up TLS Reporting (TLS-RPT) involves creating a DNS TXT record for your domain. Here's a basic process on how to do this:

  1. Choose a Report Destination: Decide where you want to receive your TLS reports. This could be an email address or an HTTPS endpoint. Each sending organization aggregates its attempts into one report per day per domain, delivered as a (gzip-compressed) JSON document, so a domain that receives mail from many senders gets many reports: choose a mailbox or endpoint that can handle the volume, ideally one feeding a tool that parses them for you.

  2. Create the TLS-RPT DNS Record: You'll need to create a TXT record in your domain's DNS. The host should be _smtp._tls, followed by your domain. So for example, if your domain is example.com, you'd create a TXT record at _smtp._tls.example.com.

     The value of the record should be v=TLSRPTv1; rua=mailto:your_email@example.com (replace your_email@example.com with your actual report destination). If you're using an HTTPS endpoint for your reports, replace mailto:your_email@example.com with the URL of your endpoint (for example, https://your_endpoint.com/report). You can list more than one destination, separated by commas.

  3. Wait for Reports: Once you've set up the DNS record, email servers that support TLS-RPT will start sending you reports about their attempts to deliver email to your domain. Each report names the policy the sender applied (MTA-STS or DANE), the number of sessions that succeeded and failed, and a reason for each failure. Use these reports to identify and fix problems with your email setup, and in particular to confirm that an MTA-STS policy in testing mode produces no failures before you move it to enforce.
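The following is an added example, not code from Postmaster+ or OptiPub. It covers both the record in step 2 and the reports in step 3: it parses a _smtp._tls TXT record (including several comma-separated rua destinations), then reduces an aggregate report in the RFC 8460 JSON layout to per-policy counts, a breakdown of failures by reason, and the fix each reason points at. The record, the report, the sender name "Sender-X" and all hostnames are constructed samples; the WHAT_TO_FIX table is this example's own mapping of RFC 8460 result types to likely causes.

```python
# Added example (not code from Postmaster+/OptiPub): parse a TLS-RPT record and
# summarize an aggregate report in the RFC 8460 JSON layout. The record, the
# report and all hostnames below are constructed samples.
import json

# What `dig TXT _smtp._tls.example.com` might return; rua may list several
# comma-separated destinations.
SAMPLE_TLSRPT_TXT = ("v=TLSRPTv1; "
                     "rua=mailto:tlsrpt@example.com,https://reports.example.com/tlsrpt")

# A constructed report from a hypothetical sender "Sender-X" about one day of
# deliveries to example.com, in the RFC 8460 layout. Real reports arrive as a
# gzip-compressed JSON attachment (mailto:) or as an HTTPS POST (https:).
SAMPLE_REPORT = json.dumps({
    "organization-name": "Sender-X",
    "date-range": {"start-datetime": "2023-05-14T00:00:00Z",
                   "end-datetime": "2023-05-14T23:59:59Z"},
    "contact-info": "tls-reports@sender-x.example",
    "report-id": "2023-05-14T00:00:00Z_example.com",
    "policies": [{
        "policy": {"policy-type": "sts",
                   "policy-string": ["version: STSv1", "mode: testing",
                                     "mx: mail.example.com", "max_age: 604800"],
                   "policy-domain": "example.com"},
        "summary": {"total-successful-session-count": 5326,
                    "total-failure-session-count": 130},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "2001:db8::1",
             "receiving-mx-hostname": "mail.example.com", "failed-session-count": 100},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mx2.example.com", "failed-session-count": 30},
        ],
    }],
})

# This example's own mapping of RFC 8460 result types to what the receiving
# domain usually has to fix.
WHAT_TO_FIX = {
    "starttls-not-supported": "MX does not offer STARTTLS (or it was stripped in transit)",
    "certificate-host-mismatch": "MX certificate name does not cover the MX hostname",
    "certificate-expired": "renew the MX certificate",
    "certificate-not-trusted": "MX certificate chain is not publicly trusted",
    "sts-policy-fetch-error": "policy URL on mta-sts.<domain> not reachable",
    "sts-policy-invalid": "policy file failed to parse or has a bad mode/max_age",
    "sts-webpki-invalid": "certificate on the mta-sts host is invalid",
}


def parse_tlsrpt_txt(txt):
    """Parse 'v=TLSRPTv1; rua=uri[,uri...]'; raise on malformed input."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "TLSRPTv1":
        raise ValueError("v= must be TLSRPTv1")
    uris = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    if not uris:
        raise ValueError("rua= is required")
    for uri in uris:
        if not (uri.startswith("mailto:") or uri.startswith("https://")):
            raise ValueError(f"rua must be a mailto: or https: URI, got {uri!r}")
    return {"v": "TLSRPTv1", "rua": uris}


def summarize_report(report_json):
    """Reduce a report to per-policy counts and a failure breakdown by reason."""
    report = json.loads(report_json)
    out = {"org": report["organization-name"],
           "report_id": report["report-id"], "policies": []}
    for entry in report["policies"]:
        ok = entry["summary"]["total-successful-session-count"]
        failed = entry["summary"]["total-failure-session-count"]
        by_reason = {}
        for detail in entry.get("failure-details", []):
            reason = detail["result-type"]
            by_reason[reason] = by_reason.get(reason, 0) + detail["failed-session-count"]
        out["policies"].append({
            "type": entry["policy"]["policy-type"],
            "domain": entry["policy"]["policy-domain"],
            "ok": ok, "failed": failed,
            "failure_rate": failed / (ok + failed) if ok + failed else 0.0,
            "by_reason": by_reason,
        })
    return out


def action_items(summary):
    """Map each failure reason in a summary to the fix it points at."""
    return [(reason, count, WHAT_TO_FIX.get(reason, "inspect failure-details"))
            for pol in summary["policies"]
            for reason, count in sorted(pol["by_reason"].items())]


if __name__ == "__main__":
    print("reports go to:", parse_tlsrpt_txt(SAMPLE_TLSRPT_TXT)["rua"])
    summary = summarize_report(SAMPLE_REPORT)
    for pol in summary["policies"]:
        print(f"{pol['domain']} ({pol['type']}): {pol['ok']} ok, {pol['failed']} failed, "
              f"{pol['failure_rate']:.1%} failure rate")
    for reason, count, fix in action_items(summary):
        print(f"  {count:5d}  {reason:28} -> {fix}")
```

In the constructed report the sender applied an MTA-STS policy in testing mode, so the 130 failed sessions were still delivered; the same numbers under an enforce policy would have been 130 refused deliveries, which is why a domain reads its TLS-RPT reports until the failure count is zero before switching modes.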