Why is certificate expiration a problem?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've set up MTA-STS in 'enforce' mode, and your HTTPS certificate's going to expire next month. Here's what happens when it does.
Sending servers are already caching your MTA-STS policy. That policy says: "Use only secure connections to deliver to my domain." When they try to connect and find an expired certificate, they fail the security check. There's no graceful fallback, no retry, no second chance. They bounce your email back to the sender with a delivery failure. Your mail doesn't get through.
The trap is the caching layer. Even after you renew your certificate, those sending servers are still holding an old cached copy of your policy. If your `max_age` was set to a week, every mail server out there is sitting on that old policy for another few days. Some of them will try to connect during that window and hit the expired cert again.
So The fix sounds simple but it's critical: monitor your certificate expiration dates closely and renew at least two weeks before they expire. Use automated certificate renewal (Let's Encrypt handles this for free) so you never have to think about it again.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.