MTA-STS and TLS-RPT Explained

What are MTA-STS and TLS-RPT?

MTA-STS and TLS-RPT are email transport security standards. They do not authenticate the sender like SPF, DKIM, or DMARC. Instead, they protect the SMTP connection used when other mail servers deliver messages to your domain.
MTA-STS tells sending servers that mail for your domain should be delivered over TLS and only to approved MX hosts. TLS-RPT tells those senders where to report TLS delivery failures. In practice, MTA-STS enforces the policy and TLS-RPT gives you visibility when mail cannot be delivered securely.

MTA-STS Record

MTA-STS uses two pieces of configuration:
  • A DNS TXT record at _mta-sts.example.com
  • An HTTPS policy file at https://mta-sts.example.com/.well-known/mta-sts.txt

The DNS record looks like this:

v=STSv1; id=20260319T000000

The DNS record is intentionally small. v=STSv1 identifies the protocol, and id= is a policy version string. When you change the HTTPS policy file, you update the id value so sending servers know they should fetch the new policy.
A typical MTA-STS policy file looks like this:

version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800

The mode controls enforcement. testing asks senders to observe the policy without strictly enforcing it, while enforce tells senders to require valid TLS and a matching MX host. The mx lines list the allowed mail servers, and max_age tells senders how long to cache the policy.

How MTA-STS Works

  1. Publish the DNS record: Add a TXT record at _mta-sts.yourdomain.com with v=STSv1 and an id value.
  2. Host the HTTPS policy: Serve a valid policy file from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt over a publicly trusted certificate.
  3. Sending servers fetch and cache it: When another mail server delivers mail to your domain, it looks up the DNS record and may download the policy file.
  4. TLS and MX are validated: The sender checks that the TLS session is valid and that the MX host matches one of the names in your policy.
  5. Delivery is blocked if the policy cannot be met: In enforce mode, compliant senders should not deliver mail in cleartext or to an unexpected MX host.
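As an added illustration, not code from the page, here is a small Python model of the sender-side checks in steps 3 to 5: it parses the DNS record and the policy file shown above, then decides what a compliant sender does for a given MX host. The second mx line (the wildcard form allowed by the MTA-STS specification, which covers one left-most label) and the hostnames used in the checks are constructed assumptions.

```python
# Constructed sample inputs (not fetched from DNS or HTTPS): the record and policy
# from the text above, plus a second mx line using the wildcard form.
DNS_TXT = "v=STSv1; id=20260319T000000"
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800"""

def parse_dns_record(txt):
    """Parse the _mta-sts TXT record; it must carry v=STSv1 and a non-empty id."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS DNS record")
    return fields

def parse_policy(text):
    """Parse the policy file; mx may repeat, so its values are kept in a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        elif key:
            policy[key] = value
    if policy.get("version") != "STSv1" or "max_age" not in policy:
        raise ValueError("not a valid MTA-STS policy")
    return policy

def mx_matches(policy, mx_host):
    """True if the MX name is listed; a '*.' entry covers exactly one left-most label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        wildcard_hit = pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]
        if host == pattern or wildcard_hit:
            return True
    return False

def delivery_decision(policy, mx_host, tls_ok):
    """enforce blocks on bad TLS or an unlisted MX; testing delivers and reports."""
    if tls_ok and mx_matches(policy, mx_host):
        return "deliver"
    return "block" if policy["mode"] == "enforce" else "deliver-and-report"
```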

TLS-RPT Record

TLS-RPT is published as a TXT record at _smtp._tls.example.com. Its main job is to tell senders where to send reports when they see TLS problems while delivering mail to your domain.

A TLS-RPT record looks like this:

v=TLSRPTv1; rua=mailto:tls-reports@example.com,https://reports.example.com/tlsrpt

The required v=TLSRPTv1 tag identifies the protocol. The rua= tag lists one or more destinations for aggregate TLS reports, typically a mailbox or HTTPS endpoint that can process JSON reports.

How TLS-RPT Works

  1. Publish the reporting record: Add a TXT record at _smtp._tls.yourdomain.com with at least v=TLSRPTv1 and rua=.
  2. Remote senders attempt delivery: When mail is sent to your domain, the sending system attempts a TLS-protected SMTP session.
  3. Failures are recorded: If the certificate is invalid, STARTTLS fails, or the MX host does not satisfy MTA-STS, the sender can log that failure.
  4. Aggregate reports are sent: The sender periodically sends a report to the destinations in your rua tag so you can see transport security problems affecting delivery.

You can also verify whether your domain publishes these records with the domain check tool.