dns mta sts

Springcomp edited this page Feb 8, 2026 · 2 revisions

Overview

From Wikipedia https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security

SMTP MTA Strict Transport Security defines a protocol for mail servers to declare their ability to use secure channels in specific files on the server and specific DNS TXT records.

SMTP MTA Strict Transport Security is an extra step you can take to broadcast the ability of your instance to receive, and optionally enforce, TLS-secured SMTP connections to protect email traffic.

DNS configuration

Create an A record that points mta-sts.mydomain.com. to your server IP.

To verify, the following command:

dig @1.1.1.1 mta-sts.mydomain.com a

should return your server IP.

Create a TXT record for _mta-sts.mydomain.com. with the following value:

v=STSv1; id=UNIX_TIMESTAMP

where UNIX_TIMESTAMP is the current date and time expressed as a Unix epoch timestamp.

Use the following command to generate the record:

echo "v=STSv1; id=$(date +%s)"

To verify if the DNS works, the following command:

dig @1.1.1.1 _mta-sts.mydomain.com txt

should return a result similar to this one:

_mta-sts.mydomain.com. 3600 IN TXT "v=STSv1; id=1689416399"

MTA-STS policy

The MTA-STS policy is served by Traefik using a static response at

https://mta-sts.mydomain.com/.well-known/mta-sts.txt

version: STSv1
mode: testing
mx: app.mydomain.com
max_age: 86400
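Both artifacts configured above, the `_mta-sts` TXT record and the policy file, have a fixed grammar (RFC 8461), and a typo in either one silently leaves the domain without a usable policy. The following Python script is an added example, not part of this wiki page or its project: it parses and validates both artifacts offline on constructed sample strings that mirror the page's examples, and checks an MX hostname against the policy's `mx` patterns (a leading `*.` matches exactly one label). The function names and the sample strings are this example's own.

```python
import re

# Constructed sample inputs mirroring the shapes shown on the page
# (mydomain.com is the page's placeholder, not a live host).
SAMPLE_TXT = "v=STSv1; id=1689416399"
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: testing\n"
    "mx: app.mydomain.com\n"
    "max_age: 86400\n"
)

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age must not exceed one year in seconds
ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")
# An mx value is a hostname, optionally with one leading wildcard label.
MX_RE = re.compile(r"^(\*\.)?([A-Za-z0-9-]{1,63}\.)+[A-Za-z0-9-]{1,63}\.?$")


def parse_sts_txt(record: str) -> dict:
    """Parse and validate a _mta-sts TXT record such as 'v=STSv1; id=1689416399'.

    Returns the fields as a dict; raises ValueError describing the first defect."""
    fields = {}
    for raw in record.split(";"):
        part = raw.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"field without '=': {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
    # The version field must come first and must be exactly STSv1.
    if list(fields)[:1] != ["v"] or fields["v"] != "STSv1":
        raise ValueError("record must begin with v=STSv1")
    if not ID_RE.match(fields.get("id", "")):
        raise ValueError("id must be 1-32 letters or digits")
    return fields


def parse_sts_policy(text: str) -> dict:
    """Parse and validate an MTA-STS policy body served at /.well-known/mta-sts.txt.

    Returns {'version', 'mode', 'mx': [...], 'max_age'}; raises ValueError on a defect."""
    policy = {"mx": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            if not MX_RE.match(value):
                raise ValueError(f"line {lineno}: invalid mx pattern {value!r}")
            policy["mx"].append(value.rstrip(".").lower())
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"line {lineno}: duplicate field {key!r}")
            policy[key] = value
        # Any other key is an extension field, which a receiver ignores.
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be enforce, testing or none")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be an integer of at most {MAX_AGE_LIMIT}")
    policy["max_age"] = int(max_age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx is required unless mode is none")
    return policy


def mx_matches(patterns, hostname: str) -> bool:
    """Return True if hostname is allowed by one of the policy's mx patterns.

    A leading '*.' matches exactly one label: '*.mydomain.com' allows
    'mail.mydomain.com' but neither 'mydomain.com' nor 'a.b.mydomain.com'."""
    host = hostname.rstrip(".").lower()
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".mydomain.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    print("TXT record:", parse_sts_txt(SAMPLE_TXT))
    policy = parse_sts_policy(SAMPLE_POLICY)
    print("policy:", policy)
    print("app.mydomain.com allowed:", mx_matches(policy["mx"], "app.mydomain.com."))
```

Run it against the strings `dig` and `curl` return for your own domain to confirm the published record and policy parse before switching `mode` from `testing` to `enforce`; the `mx_matches` check is the same comparison a sending MTA makes between your DNS MX hostnames and the policy's `mx` lines.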

This is configured using the following service labels:

services:
  app:
    
    labels:
      ## static response for `mta-sts` subdomain
      - traefik.http.routers.mta-sts.rule=Host("mta-sts.${DOMAIN}") && PathPrefix("/.well-known/mta-sts.txt")
      - traefik.http.routers.mta-sts.service=noop@internal
      - traefik.http.routers.mta-sts.middlewares=mta-sts
      - traefik.http.middlewares.mta-sts.plugin.staticresponse.StatusCode=200
      - "traefik.http.middlewares.mta-sts.plugin.staticresponse.Body=version: STSv1\nmode: testing\nmx: ${SUBDOMAIN:-app}.${DOMAIN}\nmax_age: 86400"

  reverse-proxy:
    image: traefik:${TRAEFIK_VERSION:-latest}
    container_name: traefik
    
    ## plugin declarations are Traefik static configuration, so they are
    ## passed as CLI arguments (not as labels, which only carry dynamic configuration)
    command:
      ## load plugin to support static response on "mta-sts" subdomain
      - --experimental.plugins.staticresponse.moduleName=github.com/jdel/staticresponse
      - --experimental.plugins.staticresponse.version=v0.0.1