MTA-STS Support?
Opened this issue · 2 comments
Hello,
I was just wondering if PurelyMail is MTA-STS capable. I've been doing some digging and trying to find out if it is but been unable to nail down if it is. I saw another issue asking about DANE and DNSSEC but no mention of MTA-STS other than asking how DANE differs from it. I am in the process of finding a new email provider for my small business and migrating away from Zoho but I currently have MTA-STS enabled and just want to make sure that PurelyMail's servers are also capable for a smooth transition.
same here
MTA-STS doesn't really have anything to do with the mail provider itself beyond "does the mail server support a secure connection". Since PurelyMail does, you can use it, but you need to set it up yourself.

To do that, you need a subdomain named `mta-sts`. So, for example, if you have a domain `example.com` that you receive mail at, you'd need `mta-sts.example.com` to exist as an A or CNAME record pointing to a web server that supports HTTPS on port 443. And then, on that domain, you need to host a file at `https://mta-sts.example.com/.well-known/mta-sts.txt` that looks like this:

```
version: STSv1
mode: enforce
mx: mailserver.purelymail.com
max_age: 86400
```

`mode` can be one of `none`, `testing`, or `enforce`. `none` is useful when you want to turn MTA-STS off, since other mail servers will probably cache the result of an old policy, and if you want to stop using MTA-STS, you need to have a way to tell them to not use it. `testing` will fall back to an unencrypted connection if needed but report the issue, and `enforce` will require an encrypted connection.
After that, you need a TXT record that says you're using MTA-STS, along with a unique identifier that mail servers can use to determine when to pull a new copy of the policy. For `example.com`, this could be a TXT record at `_mta-sts.example.com` with contents of `v=STSv1;id=1727646785Z`. `v=STSv1` is mandatory, as there's only one version, and the `id` parameter is required to exist, but just needs to be an alphanumeric value up to 32 characters. When you update your MTA-STS policy file, you need to update the `id` to something else, so that mail servers know to fetch a fresh copy of the policy file.
If you want to get reports for e-mails that failed to get a TLS connection, you need one more DNS record. For `example.com`, this would be `_smtp._tls.example.com` with contents of `v=TLSRPTv1;rua=mailto:someemailaddress@somedomain.com,https://somereportingthing.somedomain.com/apath/someendpoint`. `v=TLSRPTv1` is mandatory, and `rua` is required to point to one or more e-mail and/or web addresses to send the report to. Reporters aren't required to send the report to more than one location, though, so that's important to keep in mind. Also, for obvious reasons, it's probably not the best idea to have a reporting e-mail address on the same mail server that's being reported about if MTA-STS is on enforcing mode.
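As an added example (not code from this thread or from PurelyMail), the following Python script checks the three pieces described in the comment above for consistency before switching to `enforce`: the policy file body, the `_mta-sts` TXT record (including the 1-32 alphanumeric `id` rule) and the `_smtp._tls` TLSRPT record, and it flags a `mailto:` report address on the domain being protected. It runs offline on constructed inputs: the policy text mirrors the one in the comment, while the MX host list, the sample records and all function names are assumptions of this example, not anything the thread states. It also handles the `*.` wildcard form an `mx` line may take, which the comment does not cover.

```python
"""Offline consistency checks for an MTA-STS / TLSRPT deployment (added example).

Inputs are constructed; a real check would fetch them over DNS and HTTPS instead.
"""
import re

STS_MODES = {"none", "testing", "enforce"}
MAX_AGE_LIMIT = 31557600  # one year, the largest max_age RFC 8461 allows


def parse_mta_sts_policy(text):
    """Parse the body of /.well-known/mta-sts.txt. Returns (policy, errors)."""
    policy = {"mx": []}
    errors = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            errors.append(f"malformed policy line: {line!r}")
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
        # Any other key is an extension field and is ignored, as the RFC requires.
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in STS_MODES:
        errors.append(f"mode must be one of {sorted(STS_MODES)}, got {mode!r}")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        errors.append(f"max_age must be an integer number of seconds up to {MAX_AGE_LIMIT}")
    if mode in ("testing", "enforce") and not policy["mx"]:
        errors.append("testing/enforce mode needs at least one mx line")
    return policy, errors


def parse_tags(record):
    """Split 'k=v;k=v' TXT record content into a dict (shared by both DNS records)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def check_sts_txt(record):
    """Validate the _mta-sts TXT record: version tag plus a 1-32 char alphanumeric id."""
    tags = parse_tags(record)
    errors = []
    if tags.get("v") != "STSv1":
        errors.append("_mta-sts record must carry v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", tags.get("id", "")):
        errors.append("id must be 1-32 alphanumeric characters (no '-', ':' or spaces)")
    return tags, errors


def check_tlsrpt(record, policy_domain):
    """Validate the _smtp._tls TXT record. Returns (rua_list, errors, warnings);
    a warning is raised for a mailto: address on the very domain being reported on."""
    tags = parse_tags(record)
    errors, warnings = [], []
    if tags.get("v") != "TLSRPTv1":
        errors.append("_smtp._tls record must carry v=TLSRPTv1")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        errors.append("rua must list at least one mailto: or https:// destination")
    for uri in rua:
        if uri.startswith("mailto:"):
            if uri.lower().endswith("@" + policy_domain.lower()):
                warnings.append(f"{uri} is on the domain being reported about")
        elif not uri.startswith("https://"):
            errors.append(f"unsupported rua destination: {uri}")
    return rua, errors, warnings


def mx_matches(pattern, host):
    """RFC 8461 mx matching: exact host, or '*.' covering exactly one leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def uncovered_mx(policy, mx_hosts):
    """MX hosts that no policy mx line covers; in enforce mode senders would refuse them."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]


# Constructed sample inputs (the policy text is the one shown in the thread).
SAMPLE_DOMAIN = "example.com"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mailserver.purelymail.com\nmax_age: 86400\n"
SAMPLE_STS_TXT = "v=STSv1;id=1727646785Z"
SAMPLE_TLSRPT = ("v=TLSRPTv1;rua=mailto:someemailaddress@somedomain.com,"
                 "https://somereportingthing.somedomain.com/apath/someendpoint")
SAMPLE_MX_HOSTS = ["mailserver.purelymail.com"]  # assumed result of an MX lookup


def run_checks(domain, policy_text, sts_txt, tlsrpt_txt, mx_hosts):
    """Return every finding as a string; an empty list means the deployment is consistent."""
    policy, findings = parse_mta_sts_policy(policy_text)
    findings = list(findings) + check_sts_txt(sts_txt)[1]
    _, rpt_errors, rpt_warnings = check_tlsrpt(tlsrpt_txt, domain)
    findings += rpt_errors + [f"warning: {w}" for w in rpt_warnings]
    findings += [f"MX host {h} not covered by any policy mx line" for h in uncovered_mx(policy, mx_hosts)]
    return findings


if __name__ == "__main__":
    for line in run_checks(SAMPLE_DOMAIN, SAMPLE_POLICY, SAMPLE_STS_TXT,
                           SAMPLE_TLSRPT, SAMPLE_MX_HOSTS) or ["no findings"]:
        print(line)
```

Run it before flipping `mode` from `testing` to `enforce`: an MX host missing from the policy, a non-alphanumeric `id`, or a report address on the protected domain are the mistakes that only surface after senders start refusing mail.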