This article walks you through how to set up MTA-STS hosting and TLS reporting (TLSRPT) in Valimail Enforce, step by step. Keep in mind that hosting is only available for Enforce users.
Right now, Valimail supports CNAME-based delegation for hosted MTA-STS discovery and TLS Reporting. Support for NS delegation is planned for a future release.
If you are using Valimail Monitor and want to configure TLS reporting, please follow the instructions outlined here.
Step-by-Step Instructions
To leverage Valimail Enforce to host the MTA-STS policy and TLSRPT record, you'll need to publish the 3 CNAME records below. After publishing the records, the policy needs to be configured in the Enforce domain configuration page (instructions below the DNS records).
1) Create the MTA-STS discovery CNAME
Purpose: Let senders discover your MTA-STS policy ID via DNS.
Host/Name: _mta-sts.<yourdomain>
Type: CNAME
Target: <yourdomain>._mta-sts.vali.email
TTL: 3600
2) Point mta-sts.<domain> to Valimail for hosted policy
Purpose: When Valimail hosts your HTTPS policy file, this CNAME sends browsers/MTAs to Valimail’s policy host.
Host/Name: mta-sts.<yourdomain>
Type: CNAME
Target: policy.mta-vali.email
TTL: 3600
3) Create the SMTP TLS Reporting (TLSRPT) CNAME
Purpose: Publish where you want TLS reports to be aggregated.
Host/Name: _smtp._tls.<yourdomain>
Type: CNAME
Target: <yourdomain>._smtptlsrpt.vali.email
TTL: 3600
Some DNS UIs refer to the left-hand side of the record as "name", "host", or even "file name". Create exactly the names above, and do not append your domain again if the UI auto-suffixes it (otherwise you end up with _mta-sts.<yourdomain>.<yourdomain>).
After publishing the 3 CNAME records, you'll need to configure the MTA-STS policy following these steps:
1. Open Enforce and log in.
2. Go to DOMAINS in the side menu.
3. Click on the domain you want to configure the MTA-STS policy for.
4. Click on the MTA-STS Policy.
5. Select Policy Mode.
Testing - Recommended when first setting up MTA-STS. Sending MTAs that also implement TLSRPT report policy application failures to you (provided your domain publishes a TLSRPT record, as in step 3 above); messages are still delivered as though there were no MTA-STS validation failure, so a misconfigured policy cannot cost you mail in this mode.
Enforce - Sending MTAs MUST NOT deliver the message to hosts that fail MX matching or certificate validation or that do not support STARTTLS.
None - Sending MTAs should treat the Policy Domain as though it does not have any active policy. No TLS reports will be generated.
6. Add the MX Hosts. If your domain has multiple MX hosts, add each of them; every host that receives mail for the domain must be covered by an mx entry, or mail to the uncovered hosts will be refused by senders once you switch to Enforce mode.
7. Set Max Age.
8. Click SAVE.
HTTPS Policy File (.well-known/mta-sts.txt)
Senders must fetch your policy over HTTPS at:
https://mta-sts.<yourdomain>/.well-known/mta-sts.txt
If Valimail hosts it: ensure step 2's CNAME (mta-sts.<yourdomain>) exists and has propagated; the certificate presented by the policy host must be valid for mta-sts.<yourdomain>.
Sample policy:
version: STSv1
mode: enforce
mx: *.valimail.com
max_age: 604800
When you change the policy, make sure the id in the _mta-sts TXT record changes too (Valimail does this automatically when it hosts discovery). Senders only re-fetch the policy file when the id differs from the one they have cached, so a changed file behind an unchanged id is not picked up until max_age expires.
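The following is an added example, not Valimail's code or part of the original article. It is an offline validator for the pieces a sending MTA evaluates: the _mta-sts TXT record (policy id), the _smtp._tls TXT record (report destinations) and the HTTPS policy file, plus a check of the domain's MX hosts against the policy's mx patterns using the RFC 8461 matching rule (a leading "*." matches exactly one label). All record values, the policy text and the example.com host names are constructed for the demonstration, and the HTML body shows how a parked page or redirect target gets rejected instead of being treated as a policy.

```python
"""Offline validator for the MTA-STS / TLSRPT records and policy file described above.
Added example, not Valimail's code. All inputs are constructed; example.com is a placeholder."""

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age must not exceed one year in seconds


def _parse_tagged(txt, version_tag):
    """Parse 'k=v; k=v' TXT data into a dict and require v=<version_tag>."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != version_tag:
        raise ValueError("expected v=%s in %r" % (version_tag, txt))
    return fields


def parse_sts_txt(txt):
    """_mta-sts.<domain> TXT, e.g. 'v=STSv1; id=20240301T120000Z' (id: 1-32 alphanumerics)."""
    fields = _parse_tagged(txt, "STSv1")
    policy_id = fields.get("id", "")
    if not (policy_id.isalnum() and len(policy_id) <= 32):
        raise ValueError("missing or malformed id in %r" % txt)
    return fields


def parse_tlsrpt_txt(txt):
    """_smtp._tls.<domain> TXT, e.g. 'v=TLSRPTv1; rua=mailto:tlsrpt@example.com'."""
    fields = _parse_tagged(txt, "TLSRPTv1")
    ruas = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    if not ruas or not all(u.startswith(("mailto:", "https://")) for u in ruas):
        raise ValueError("rua must list mailto: or https: URIs in %r" % txt)
    fields["rua"] = ruas
    return fields


def parse_policy(body):
    """Parse .well-known/mta-sts.txt (LF or CRLF). Rejects HTML bodies such as parking pages."""
    if body.lstrip().startswith("<"):
        raise ValueError("policy fetch returned HTML, not a plain-text policy")
    policy = {"mx": []}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)  # mx may repeat, one host or pattern per line
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy must declare 'version: STSv1'")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy in %s mode lists no mx hosts" % policy["mode"])
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    policy["max_age"] = int(policy["max_age"])
    if policy["max_age"] > MAX_AGE_LIMIT:
        raise ValueError("max_age exceeds one year")
    return policy


def mx_matches(mx_host, pattern):
    """RFC 8461 section 4.1: a leading '*.' matches exactly one label, never deeper ones."""
    mx_host, pattern = mx_host.rstrip(".").lower(), pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the dot so the bare apex (example.com) does not match
        return mx_host.endswith(suffix) and "." not in mx_host[: -len(suffix)]
    return mx_host == pattern


def unmatched_mx(policy, mx_hosts):
    """MX hosts no mx: pattern covers; in enforce mode senders refuse to deliver to these."""
    return [h for h in mx_hosts if not any(mx_matches(h, p) for p in policy["mx"])]


def is_rejected(parser, data):
    """True if parser raises ValueError on data (the failure cases from the troubleshooting table)."""
    try:
        parser(data)
    except ValueError:
        return True
    return False


# Constructed sample inputs (not real records).
STS_TXT = "v=STSv1; id=20240301T120000Z"
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
POLICY_TEXT = "version: STSv1\r\nmode: enforce\r\nmx: mx1.example.com\r\nmx: *.example.com\r\nmax_age: 604800\r\n"
PARKED_HTML = "<!DOCTYPE html><html><body>This domain is parked</body></html>"
MX_HOSTS = ["mx1.example.com", "backup.example.com", "mx.other-provider.net"]

if __name__ == "__main__":
    print("discovery id:", parse_sts_txt(STS_TXT)["id"])
    print("report destinations:", parse_tlsrpt_txt(TLSRPT_TXT)["rua"])
    print("MX hosts not covered by policy:", unmatched_mx(parse_policy(POLICY_TEXT), MX_HOSTS))
    print("parked page rejected:", is_rejected(parse_policy, PARKED_HTML))
```

Run it before switching a policy to Enforce mode: any host that unmatched_mx reports is one that senders will refuse to deliver to, and a rejected policy body is exactly the "HTML / redirect / cert error" symptom from the troubleshooting table below. Note that the wildcard check deliberately does not use a generic glob, because a glob would let "*.example.com" cover "a.b.example.com", which RFC 8461 does not allow.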
Troubleshooting
| Symptom | Likely Cause | How to Fix |
|---|---|---|
| NXDOMAIN for _mta-sts.<domain> or _smtp._tls.<domain> | CNAME not created or wrong host label | Add the CNAME with the exact host names above; watch for typos or UI auto-suffixing. |
| TXT lookup returns nothing or still shows the old value | DNS not propagated, or cached | Lower TTLs during rollout; wait for caches to expire; verify from multiple resolvers. |
| Policy fetch returns HTML, a 3xx redirect, or a certificate error | Web host misconfigured | Serve plain text at the exact path over valid HTTPS; remove redirects and parking pages. |
| Senders ignore the updated policy | Policy ID not refreshed | Ensure the _mta-sts TXT shows a new id after changes (Valimail updates this if it hosts discovery). |
| CNAME chain fails | Target typo or missing target zone | Confirm the target matches the exact value listed above for that record (or the target given during onboarding); no extra dots or missing labels. |
NS record delegation is planned for a future release. Use CNAME records for now to host MTA-STS and TLS Reporting in Enforce.