Easiest Way To Publish mta-sts.txt For Free
Mail Transfer Agent - Strict Transport Security (MTA-STS) increases the security of your email infrastructure by enforcing encryption. It ensures STARTTLS is used when communicating with other SMTP servers to deliver email messages. Although large organizations like Google, Yahoo, and Microsoft have been using MTA-STS for years, many organizations are still waiting to jump on the bandwagon. One reason for waiting on the sidelines is the difficulty of publishing the mta-sts.txt document on a website. This page demonstrates a straightforward method for accomplishing this task.
Requirements for MTA-STS
In short, you need the following:
- Two TXT records are needed in your DNS server:
  - _smtp._tls.yourdomain.com - This is optional and is needed to process reports sent by other servers.
- A text file called mta-sts.txt needs to be published.
Challenges in publishing mta-sts.txt
Configuring the DNS server with the two TXT records is trivial. The challenging part is publishing the mta-sts.txt file, and this is the primary reason preventing companies from adopting MTA-STS. The challenges arise from the following requirements:
- The URL for this document must be https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. For example, here are the documents for Google, Microsoft, and Synametrics.
- This document must be served using HTTPS on port 443.
- The host name in the URL is mta-sts.yourdomain.com. Therefore, you need either a wildcard or a multi-domain certificate.
- It needs to use a trusted SSL certificate that has not expired.
The above requirements mean companies have to either invest in maintaining a web server that serves only one document and purchase additional SSL certificates, or outsource this publishing to a service provider.
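To make the requirements above concrete, here is an added example (not Xeams code, not from this page) that parses and validates an mta-sts.txt policy together with the TXT record a sender looks up, and then checks that the domain's MX hosts are actually covered by the policy's mx patterns. Field names and rules follow RFC 8461; the policy text, the TXT record value and the MX host list are constructed samples, and example.com stands in for yourdomain.com.

```python
"""Parse and validate an MTA-STS policy file and its _mta-sts TXT record.

Added example, not Xeams code. Field names and rules follow RFC 8461;
the policy, TXT record and MX host list below are constructed samples.
"""
import re

# Constructed sample of the document served at
# https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.backup.example.com\r\n"
    "max_age: 604800\r\n"
)

# Constructed sample of the TXT record at _mta-sts.example.com. Senders
# only re-fetch the policy when the id changes, so it must be bumped on
# every edit of mta-sts.txt.
SAMPLE_TXT_RECORD = "v=STSv1; id=20240101T120000;"

# Constructed sample of the MX hosts a sender resolves for example.com.
SAMPLE_MX_HOSTS = ["mail.example.com", "mx2.backup.example.com"]


def parse_policy(text):
    """Return {'version', 'mode', 'mx': [...], 'max_age'} or raise ValueError.

    CRLF and LF line endings are both accepted; unknown fields are kept but
    not validated, as RFC 8461 requires senders to ignore them.
    """
    fields = {"mx": []}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed line: %r" % line)
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            fields["mx"].append(value.lower())
        elif key in fields and key in ("version", "mode", "max_age"):
            raise ValueError("duplicate field: %s" % key)
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    fields["max_age"] = int(fields["max_age"])
    if fields["max_age"] > 31557600:
        raise ValueError("max_age exceeds the RFC 8461 maximum of one year")
    if fields["mode"] != "none" and not fields["mx"]:
        raise ValueError("at least one mx pattern is required")
    return fields


def parse_txt_record(record):
    """Return the policy id from a '_mta-sts' TXT record, or None when it is
    not a valid STSv1 record (v=STSv1 first, id of 1-32 alphanumerics)."""
    items = [item.strip() for item in record.split(";") if item.strip()]
    if not items or items[0] != "v=STSv1":
        return None
    pairs = dict(item.split("=", 1) for item in items[1:] if "=" in item)
    ident = pairs.get("id", "").strip()
    return ident if re.fullmatch(r"[A-Za-z0-9]{1,32}", ident) else None


def mx_matches(mx_host, patterns):
    """True if an MX host name matches one of the policy's mx patterns.
    A leading '*.' stands for exactly one DNS label (RFC 8461, Section 4.1)."""
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def check_published_policy(policy_text, txt_record, mx_hosts):
    """Run the checks a sender would; return a list of problems (empty = OK)."""
    problems = []
    if parse_txt_record(txt_record) is None:
        problems.append("TXT record is not a valid STSv1 record")
    try:
        policy = parse_policy(policy_text)
    except ValueError as exc:
        return problems + ["policy file: %s" % exc]
    if policy["mode"] != "none":
        for mx in mx_hosts:
            if not mx_matches(mx, policy["mx"]):
                problems.append("MX %s is not covered by any mx pattern" % mx)
    return problems


if __name__ == "__main__":
    print(check_published_policy(SAMPLE_POLICY, SAMPLE_TXT_RECORD, SAMPLE_MX_HOSTS))
```

The MX coverage check is the one most often missed when a policy is hand-written: in enforce mode, any MX host that no mx pattern matches is rejected by senders, so mail to that host silently stops. Note that a wildcard pattern matches exactly one label, so `*.backup.example.com` covers `mx2.backup.example.com` but not `backup.example.com` or `a.b.backup.example.com`.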
Easiest Way To Publish
Xeams provides a very simple and straightforward way of publishing the mta-sts.txt file through its web server. The following tasks are performed in the background:
- Suggested content for mta-sts.txt is created for you.
- This text file is automatically served on the expected path, https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
- Values for the TXT records are suggested for your domain and pushed to your DNS server with just a few mouse clicks, provided you have integrated a DNS provider.
- A CNAME record is added in the DNS so mta-sts.yourdomain.com points to the name where your MX is pointing.
- A multi-domain SSL certificate is created using Let's Encrypt.
- TLS reports sent to your server are accepted, processed and summarized automatically.
All of the above tasks are configured with a few mouse clicks, greatly reducing the effort involved in publishing an MTA-STS policy for your domain. Refer to this document for details.
There are a few prerequisites before publishing the MTA-STS policy for your domain:
- You will need to install Xeams on a machine, either inside your LAN or somewhere on the cloud. For example, a VPS server or AWS Marketplace. The Community Edition will suffice.
- You will have to configure Xeams to listen on port 443 for HTTPS and will have to enable STARTTLS.
- Integrate your DNS provider with Xeams. This will make pushing TXT records to your DNS server easier. You will have to configure DNS manually if this option is not enabled or is not available for your provider.
- Enable Let's Encrypt. You will have to use either a wildcard certificate or a multi-domain certificate if this option is not enabled.
- After logging in to the web interface as an administrator, click Reports/MTA-STS & TLS-Reporting
- Select the desired domain name and click the Display button. If the domain name is not listed, go to Server Configuration/SMTP Configuration to add a new domain.
- The following page will display four steps and their completion status.
- Steps 1, 3, and 4 are straightforward. Xeams will create the necessary values for the two TXT records and will display a button to add them to your DNS server, provided a DNS provider is integrated.
- Click the Publish Now button to finish step 2. This step has a few sub-steps, which will be displayed on the following page:
  - Add either an "A" record or a "CNAME" record for mta-sts.yourdomain.com. This step is necessary so other servers know where to go for https://mta-sts.yourdomain.com. You will see a button to add this record to your DNS server.
  - Updates to the DNS server can take some time. Therefore, wait a few minutes to ensure the CNAME record is available before you go to the next step.
  - Create the SSL certificate. Recreate the certificate by clicking the Recreate button. Xeams will automatically create a new certificate with the additional host name for mta-sts. If you're using Let's Encrypt, you will have to use a wildcard or a multi-domain certificate.
  - Finally, restart Xeams so the new SSL certificate is applied.
Once done, open a browser and try fetching https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. You should see the policy file.
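The browser check above confirms the file is reachable, but the requirement that trips up most deployments is the certificate: it must cover the extra host name mta-sts.yourdomain.com, which is why the steps insist on a wildcard or multi-domain certificate. The following added example (not Xeams code and not from this page) fetches a server's certificate with full verification using only the Python standard library and then decides, offline, whether its Subject Alternative Names cover the MTA-STS host. The three SAN lists at the bottom are constructed samples, and yourdomain.com is the page's placeholder domain.

```python
"""Check whether a server certificate covers mta-sts.<domain>.

Added example, not Xeams code. fetch_san_names() talks to a live server;
hostname_covered() is the offline part and is exercised with constructed
SAN lists below.
"""
import socket
import ssl


def fetch_san_names(host, port=443, timeout=5.0):
    """Connect with default verification (trust chain, expiry, host name)
    and return the DNS names listed in the certificate's SAN extension.
    Raises ssl.SSLCertVerificationError if the certificate is not trusted."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def hostname_covered(san_names, host):
    """True if host matches an exact SAN entry or a wildcard entry whose
    '*' stands for exactly one leftmost label (RFC 6125 rules, as browsers
    and MTAs apply them). A wildcard never matches the bare domain."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".yourdomain.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def mta_sts_host_ok(domain, san_names):
    """The policy host is always mta-sts.<domain>; report whether the given
    certificate names would satisfy a sender fetching the policy."""
    return hostname_covered(san_names, "mta-sts." + domain)


# Constructed SAN lists in the shape getpeercert() reports them:
# a mail-only certificate, a multi-domain one, and a wildcard one.
SINGLE_NAME_CERT = ["mail.yourdomain.com"]
MULTI_DOMAIN_CERT = ["mail.yourdomain.com", "mta-sts.yourdomain.com"]
WILDCARD_CERT = ["yourdomain.com", "*.yourdomain.com"]


if __name__ == "__main__":
    for label, names in [("single", SINGLE_NAME_CERT),
                         ("multi-domain", MULTI_DOMAIN_CERT),
                         ("wildcard", WILDCARD_CERT)]:
        print(label, "covers mta-sts.yourdomain.com:",
              mta_sts_host_ok("yourdomain.com", names))
```

Against a live deployment you would call `mta_sts_host_ok("yourdomain.com", fetch_san_names("mta-sts.yourdomain.com"))`; because `fetch_san_names` uses the default verifying context, an expired or untrusted certificate raises before the SAN check runs, which covers the remaining requirement from the list of challenges.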