How is MTA-STS policy published and cached?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Publishing MTA-STS means putting your policy in two places at once, and that's where it gets tricky.
First, you publish a policy file to an HTTPS endpoint on your domain, specifically at `https://mta-sts.yourdomain.com/.well-known/mta-sts.txt`. This file contains your rules in plain text: which MX servers are allowed, whether you want 'testing' or 'enforce' mode, and a `max_age` value that tells other mail servers how long they can use a cached copy.
Second, you add a DNS TXT record at `_mta-sts.yourdomain.com` that points to your policy. This record acts like a map. Sending servers check DNS first, discover your policy lives at that HTTPS endpoint, then fetch it and cache it.
And Here's the catch with caching. Once a sending server grabs your policy, it holds onto it for whatever `max_age` you set (typically 86,400 to 604,800 seconds, so one to seven days). While it's cached, policy changes take time to propagate. If you fix something, not every sending server will see the update right away. See also: how MTA-STS protects your email.
Bottom line: Get your HTTPS certificate stable first, then publish. Test in 'testing' mode before switching to 'enforce', and set a `max_age` that gives you breathing room when you need to update.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.