
How to set up TLS reporting and MTA-STS

This article explains how to set up TLS reporting in Valimail and how to set up an MTA-STS policy in DNS.

Updated over 2 weeks ago

TLS Reporting

TLS reporting is a system that allows domain owners to obtain automated feedback on email delivery problems linked to TLS encryption. TLS (Transport Layer Security) plays a crucial role in protecting emails during transmission by encrypting the connection between mail servers.

In order to have TLS reports ingested in Valimail, the following record must be published:

Publish a TXT record

HOST (aka Name or Address)

_smtp._tls.yourdomain.com

VALUE (aka Data, Content, or Text)

v=TLSRPTv1; rua=mailto:[email protected]

We recommend a TTL of 300 seconds.

That being said, several other steps are required to take full advantage of TLS.

MTA-STS

TLS reporting is often used together with SMTP Mail Transfer Agent Strict Transport Security (MTA-STS), a well-recognized internet standard that enhances the security of connections between SMTP (Simple Mail Transfer Protocol) servers. MTA-STS addresses current challenges in SMTP email security by mandating the use of TLS encryption during transmission.

In a nutshell, MTA-STS lets sending servers know if they should reject or accept a message when a TLS connection cannot be established as expected.

To set up a policy for MTA-STS, a text file must be made available for fetching from your website, and another DNS record must be published.

The DNS record must be published as follows:

HOST (aka Name or Address)

_mta-sts.yourdomain.com

VALUE (aka Data, Content, or Text)

v=STSv1; id=(a random ID of 32 alphanumerical characters);

The policy itself will be set in the file previously mentioned. This file should be fetched from your website and should have the following address:

As the link suggests, the file should be found under a domain directory called ".well-known" with the file name: mta-sts.txt

The file should contain:

"version: STSv1

mode: testing

(This is where the policy is. For now, we recommend the "testing" policy be used until you are comfortable switching to "enforce")

mx:(you should add all your mx records in this format)

mx:(one at a time as seen here)

max_age:604800 "

(This value should be between 86400 and 31557600, which represents 1 day to 1 year. The value shown here is the recommended value of 7 days.)

Please note that any time you wish to change the MTA-STS policy, the ID in the previously mentioned DNS record needs to be updated to a new, unique value.
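The checks described above can be run before publishing. This is an added example, not Valimail's code: a small Python validator for the mta-sts.txt contents and the _mta-sts TXT value. The max_age range follows this article; the "none" mode and the 1 to 32 character ID length come from RFC 8461, and the hostnames and ID below are constructed placeholders.

```python
import re

# max_age limits as stated in this article; "none" mode is from RFC 8461.
MODES = {"none", "testing", "enforce"}
MIN_AGE, MAX_AGE = 86400, 31557600

def parse_policy(text):
    """Parse mta-sts.txt into a dict; 'mx' collects every mx line."""
    policy = {"mx": []}
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        key, sep, value = (p.strip() for p in raw.partition(":"))
        if not sep:
            raise ValueError(f"not a 'key: value' line: {raw!r}")
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def policy_errors(policy):
    """Return a list of problems; an empty list means the policy passes."""
    errors = []
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if policy.get("mode") not in MODES:
        errors.append(f"mode must be one of {sorted(MODES)}")
    if policy.get("mode") != "none" and not policy["mx"]:
        errors.append("at least one mx line is required")
    age = policy.get("max_age", "")
    if not re.fullmatch(r"[0-9]{1,10}", age) or not MIN_AGE <= int(age) <= MAX_AGE:
        errors.append(f"max_age must be {MIN_AGE}..{MAX_AGE} seconds")
    return errors

def txt_record_id(txt):
    """Extract the id from the _mta-sts TXT value, or None if malformed."""
    fields = dict(f.strip().split("=", 1) for f in txt.split(";") if "=" in f)
    policy_id = fields.get("id", "")
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id):
        return None
    return policy_id

# Constructed sample input: hostnames and id are placeholders, not real values.
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mx1.yourdomain.com
mx: mx2.yourdomain.com
max_age: 604800
"""
SAMPLE_TXT = "v=STSv1; id=20240101000000Zabcdefghijklmnopq;"
if __name__ == "__main__":
    print(policy_errors(parse_policy(SAMPLE_POLICY)), txt_record_id(SAMPLE_TXT))
```

Comparing the value returned by txt_record_id before and after a policy edit is a quick way to confirm the ID was actually changed.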

To publish the file on your website, you will need a web server and will have to purchase an SSL certificate.

We are also working on a feature that will allow you to instead host the MTA-STS policy in Valimail in the future. Feel free to check our "NEW AND UPCOMING FEATURES" tab inside the Valimail platform.
