Setting up MTA-STS — enforce TLS.

Mail Transfer Agent Strict Transport Security tells sending servers: "Mail to my domain is delivered encrypted only — or not at all."

The problem

Email between servers has been encrypted with TLS for years — but only opportunistically. If the receiving server offers no TLS (or an attacker suppresses it), communication falls back to plain text. This downgrade attack can happen silently and unnoticed.

What MTA-STS changes

With MTA-STS you publish a policy that requires sending servers to deliver only with a valid TLS certificate. If the certificate is missing or does not match the name, the mail is not delivered — instead of ending up in plain text.

The three building blocks

  1. A TXT record in DNS that signals: "A policy exists."
  2. The policy file, reachable over HTTPS.
  3. Optional: TLS-RPT for delivery reports.

1. DNS TXT record

; TXT record for _mta-sts.firma.at
"v=STSv1; id=20250401120000"

The id value must change on every policy change (often used as a timestamp).

2. Policy file

Reachable at https://mta-sts.firma.at/.well-known/mta-sts.txt:

# mta-sts.txt
version: STSv1
mode: enforce
mx: mail.firma.at
mx: *.mail.firma.at
max_age: 604800

The three mode values:

  Mode      Meaning
  none      Policy disabled — for rollback.
  testing   Errors are only reported, not enforced.
  enforce   TLS errors lead to non-delivery.

Start with mode: testing. Only switch to enforce once the TLS-RPT reports look clean over several weeks. That prevents a misconfigured MX line from blocking your mail.
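As an added example (not part of the original article), a small Python checker that validates the two records above the way a sending server would before enforcing: the TXT record must carry v=STSv1 and an id, the policy needs a valid mode, at least one mx line and max_age, and an MX host is matched against the mx patterns with a wildcard covering exactly one label. The sample records are constructed from the firma.at values shown here.

```python
# Constructed samples mirroring the records shown in this article.
SAMPLE_TXT = '"v=STSv1; id=20250401120000"'
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.firma.at
mx: *.mail.firma.at
max_age: 604800
"""

def parse_sts_txt(record):
    """Parse the _mta-sts TXT record; it must carry v=STSv1 and a non-empty id."""
    parts = [p.strip() for p in record.strip().strip('"').split(";") if "=" in p]
    fields = dict(p.split("=", 1) for p in parts)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 TXT record")
    return fields

def parse_policy(text):
    """Parse mta-sts.txt and check the fields a sender needs before enforcing."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not key:
            continue                      # skip blank lines
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)  # seconds the policy may be cached
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("none", "testing", "enforce"):
        raise ValueError("mode must be none, testing or enforce")
    if not policy["mx"] or "max_age" not in policy:
        raise ValueError("at least one mx line and max_age are required")
    return policy

def mx_allowed(policy, mx_host):
    """True if mx_host matches an mx pattern; a '*' covers exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix, prefix = pattern[1:], host[: -len(pattern) + 1]
            if host.endswith(suffix) and prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False
```

A host such as a.b.mail.firma.at is rejected because the wildcard only stands in for one label, which is exactly the kind of MX line mismatch the testing phase is meant to surface before enforce.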

3. TLS-RPT — set up feedback

; TXT record for _smtp._tls.firma.at
"v=TLSRPTv1; rua=mailto:[email protected]"

Providers like Google, Microsoft and Yahoo send daily JSON reports: how many mails were successfully delivered via TLS, and which failed — including the reason.

Common mistakes

Why the effort is worthwhile

Without MTA-STS, email remains an attractive target for man-in-the-middle attacks. For regulated sectors (healthcare, finance, public sector), enforced TLS is increasingly mandatory — NIS2 addresses this explicitly.

Frequently asked questions

What is the difference between testing and enforce?

testing only reports TLS errors via TLS-RPT but still delivers. enforce rejects on a TLS error. Best practice: 4–6 weeks testing, then enforce.

Where do I host the policy file?

At https://mta-sts.<your-domain>/.well-known/mta-sts.txt. The mta-sts. subdomain is mandatory. Mailantis can take over the hosting entirely (CNAME-based) on request.

What do I need to change in DNS?

Two records: TXT record _mta-sts.<domain> with v=STSv1; id=<value>. Optionally a CNAME for mta-sts.<domain> to the hosting provider.

What are TLS-RPT failures?

Daily JSON reports about TLS problems between sending and receiving mail servers — broken handshakes, cert mismatches, cipher issues. More in the article Understanding TLS-RPT.

How often do I need to update the policy?

Only on MX changes. Then increment the id value and upload the policy file again. Recipients cache the policy up to max_age (typically 1 week).