SMTP MTA Strict Transport Security (MTA-STS)

SMTP MTA Strict Transport Security (MTA-STS) (defined in RFC 8461) provides a way for domain owners to tell email services that they should only send email to their domain over a verified TLS connection to specific email servers. This prevents man-in-the-middle attacks if the sending server supports the standard and the policy is set to enforce, similar to how HTTP Strict Transport Security (HSTS) works for web servers. With MTA-STS, the use of TLS can be enforced for incoming email from servers that support MTA-TLS without disabling port 25 and breaking applications that use STARTTLS opportunistic encryption to send email.

Deployment of MTA-STS consists of a TXT DNS record, and a policy file hosted at a specific HTTPS URL. The TXT DNS record must be located at the subdomain _mta-sts. The record must start with v=STSv1; and include a unique alphanumeric ID. The ID is used to track policy updates, so senders can see if a policy has changed. By convention, this is usually a timestamp. For example, v=STSv1; id=20160831085700Z;.

The MTA-STS policy file must be located at https://mta-sts.example.com/.well-known/mta-sts.txt, replacing example.com with the actual domain.

The MTA-TLS policy file uses key:value pairs, one per line:

A table of MTA-STS policy keys and descriptions
Key	Description
version	Currently, only `STSv1` is supported
mode	One of: `enforce`: In this mode, Sending mail servers must not deliver the email to hosts that fail MX matching or certificate validation or that do not support `STARTTLS`. `testing`: In this mode, sending email servers that support TLSRPT should send a failure report and deliver then the email as normal. `none`: In this mode, Sending email servers should treat the domain as though it does not have any active policy.
max_age	Max lifetime of the policy (plaintext non-negative integer seconds, maximum value of `31557600`, which is about one year). Well-behaved clients should cache a policy for up to this value from the last policy fetch time. To mitigate the risks of attacks at policy refresh time, it is expected that this value typically be in the range of weeks or greater.
mx	A pattern of allowed MX hostnames, each on its own line. A single `` can be used as a wildcard on the left side for subdomains, and a policy file may have multiple `mx` lines. For example: mx: mail.example.com mx: .example.net

Here is a complete example policy file:

        version: STSv1
        mode: enforce
        mx: mail.example.com
        mx: *.example.net
        mx: backupmx.example.com
        max_age: 604800

Start out with a policy in testing mode, use this website to validate the policy, and briefly monitor TLS reporting for any legitimate failures. If no such failures are found, change the mode in the policy file to enforce, and update the id value in the _mta-sts TXT DNS record. The id value must be updated after any change, such as modifying mx values in the policy.

Note: Subdomains do not inherit MTA-TLS policies from their parent domain (RFC 8461 § 3.4).
Any subdomains that are used to receive email must have MTA-TLS configured separately.

SMTP TLS Reporting (TLSRPT)

SMTP TLS Reporting (Referred to in the spec as TLSRPT, though often called TLS-RPT elsewhere) is a mechanism (defined in RFC 8460) for sending email servers to provide statistics to domain owners about failures to establish TLS connections for SMTP. This allows domain owners to proactively identify TLS misconfigurations and man-in-the-middle attacks. Many commercial and open source DMARC parsing providers also support parsing TLSRPT reports, including ParseDMARC.

Note: Some mail servers only send reports after failures.

To set up TLSRPT, simply publish a TLSRPT policy as a DNS TXT record at the subdomain _smtp._tls. Like DMARC and MTA-STS DNS records, this DNS record consists of tag=value pairs separated by semicolons.

A table of TLSRPT policy tags and descriptions
Tag	Description
v	Version (Required) This tag must be first and value must be `TLSRPTv1`.
rua	(Required) A comma separated list of email addresses (prefixed with `mailto:`) and/or HTTPS URLs to send reports to. Note: some providers recommend using `mailto:` rather than `HTTPS` for easier authentication.

Here is the schema of a TLSRPT report.

 {
   "organization-name": organization-name,
   "date-range": {
     "start-datetime": date-time,
     "end-datetime": date-time
   },
   "contact-info": email-address,
   "report-id": report-id,
   "policies": [{
     "policy": {
       "policy-type": policy-type,
       "policy-string": policy-string,
       "policy-domain": domain,
       "mx-host": mx-host-pattern
     },
     "summary": {
       "total-successful-session-count": total-successful-session-count,
       "total-failure-session-count": total-failure-session-count
     },
     "failure-details": [
       {
         "result-type": result-type,
         "sending-mta-ip": ip-address,
         "receiving-mx-hostname": receiving-mx-hostname,
         "receiving-mx-helo": receiving-mx-helo,
         "receiving-ip": receiving-ip,
         "failed-session-count": failed-session-count,
         "additional-information": additional-info-uri,
         "failure-reason-code": failure-reason-code
         }
       ]
     }
   ]
 }