What are the components of MTA-STS (policy file, DNS record)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

MTA-STS has two pieces that work together, and they need each other to function. You can't skip either one.

The first is a DNS TXT record. It's published at a special subdomain of your domain: _mta-sts.yourdomain.com. This record is like a public notice. It says "Hey, I've got an MTA-STS policy for my domain." The record itself is tiny. It just contains the policy version and an ID number. That's it. Its job is to announce that a policy exists and help mail servers know when they need to check for updates.

The second piece is the actual policy file. It's hosted over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. This is where you spell out the actual rules. The policy file contains things like whether you're in "enforce" mode (block unencrypted mail) or "testing" mode (allow it but report problems). It lists which mail servers are authorized to receive email for your domain. It specifies how long other servers should cache your policy before checking again.

But Here's why both pieces matter. The DNS record tells incoming mail servers "Look, there's a policy over here." Then they fetch the policy file over HTTPS. HTTPS has certificate validation built in, so attackers can't fake the policy. This prevents attackers from intercepting or modifying your policy.

If you've already got DMARC set up, you're halfway there on the authentication front. MTA-STS isn't a replacement for DMARC, DKIM, or SPF. It's an enforcement layer on top. You need all of them working together.

To get started, check if your domain already has these components. Use our MTA-STS Checker to see whether your DNS record and policy file are correctly published and accessible.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a setup checklist for your domain.

I read this about MTA-STS components: "MTA-STS has two parts. A DNS TXT record at _mta-sts.yourdomain.com announces the policy. A policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt contains the actual rules." Help me understand what I need to set up: 1. Do I need to create both the DNS record and the policy file? 2. What should the policy file contain for my domain? 3. Where do I host the policy file? 4. How do I verify both are set up correctly? --- My details (fill in what applies): - Domain registrar: GoDaddy, Cloudflare, Namecheap, etc. - DNS provider: same as registrar / Cloudflare / Route53 / other - Web hosting: where is my HTTPS site hosted? - Already have SPF/DKIM/DMARC: yes/no/partially

Edit the yellow boxes, then send to the AI of your choice.