
How to Implement MTA-STS Hosting and TLS Reporting with Valimail

Updated over 2 weeks ago

This article provides step-by-step instructions for setting up MTA-STS hosting and TLS reporting in Valimail Enforce. Please note that hosting is available only to Enforce users.

Valimail currently supports CNAME-based delegation only for hosted MTA-STS discovery and TLS Reporting (TLSRPT). NS delegation is planned for a future release.

If you are using Valimail Monitor and want to configure TLS reporting, please follow the instructions outlined here.

Quick Reference: What You’ll Create

You’ll add up to three CNAME records to your external DNS zone:

#  Purpose                                       Host / Name               Type   Target / Value                         TTL
1  MTA-STS discovery                             _mta-sts.<yourdomain>     CNAME  <yourdomain>._mta-sts.vali.email       3600
2  SMTP TLS Reporting (TLSRPT)                   _smtp._tls.<yourdomain>   CNAME  <yourdomain>._smtptlsrpt.vali.email    3600
3  Policy hosting (Valimail hosts HTTPS policy)  mta-sts.<yourdomain>      CNAME  policy.mta-vali.email                  3600

Note: Some DNS UIs refer to the left-hand side of the record as "name", "host", or even "file name". Create exactly the names above, and do not append your domain again if the UI auto-suffixes it: entering _mta-sts.<yourdomain> in such a UI produces _mta-sts.<yourdomain>.<yourdomain>, a name senders will never query.

Step-by-Step Instructions

1) Create the MTA-STS discovery CNAME

Purpose: Let sending MTAs discover your MTA-STS policy via DNS. Senders query the TXT record at _mta-sts.<yourdomain>; the CNAME resolves that query to a TXT record Valimail manages, which carries the current policy ID.

Host/Name: _mta-sts.<yourdomain>

Type: CNAME

Target: <yourdomain>._mta-sts.vali.email

TTL: 3600

2) Create the SMTP TLS Reporting (TLSRPT) CNAME

Purpose: Tell sending MTAs where to deliver aggregate TLS reports (the rua address). Valimail manages the TXT record behind the CNAME.

Host/Name: _smtp._tls.<yourdomain>

Type: CNAME

Target: <yourdomain>._smtptlsrpt.vali.email

TTL: 3600

3) Point mta-sts.<domain> to Valimail for hosted policy

Purpose: When Valimail hosts your HTTPS policy file, this CNAME sends sending MTAs (and anyone checking in a browser) to Valimail’s policy host. Senders validate the certificate against the name mta-sts.<yourdomain>, so the host behind the CNAME must present a certificate covering that name; the curl check in Verify below confirms this.

Host/Name: mta-sts.<yourdomain>

Type: CNAME

Target: policy.mta-vali.email

TTL: 3600

HTTPS Policy File (.well-known/mta-sts.txt)

Senders must fetch your policy over HTTPS at:

https://mta-sts.<yourdomain>/.well-known/mta-sts.txt

If Valimail hosts it: ensure step 3’s CNAME exists and has propagated.

Sample policy:

version: STSv1
mode: enforce
mx: *.valimail.com
max_age: 604800

Each mx line is a hostname or a *.example wildcard that must match the hostnames in your MX records; the *.valimail.com line above is only a sample, so list your own MX hosts. max_age is how long senders cache the policy, in seconds (604800 is seven days). Start with mode: testing, review the TLS reports for failures, and only then switch to mode: enforce: under an enforce policy, senders that honor MTA-STS refuse to deliver to any MX host the policy does not match.

When you change the policy, the id in the _mta-sts TXT record must change too; senders only re-fetch the policy file when they see a new id or when max_age expires. Valimail bumps the id automatically when it hosts discovery.

Verify (Production)

  1. MTA-STS discovery TXT (behind your CNAME)

    From a terminal, run:
    dig TXT _mta-sts.<yourdomain> +short
    Expect a line like: "v=STSv1; id=20240115120000001;"
    Because the name is a CNAME, dig +short prints the CNAME target on its own line before the quoted TXT string; that is normal.

  2. TLSRPT TXT (behind your CNAME)

    From a terminal, run:
    dig TXT _smtp._tls.<yourdomain> +short
    Expect a line like: "v=TLSRPTv1; rua=mailto:..."

  3. HTTPS policy file (hosted by Valimail)

    From a terminal, run:
    curl -s https://mta-sts.<yourdomain>/.well-known/mta-sts.txt
    Expect plain text (no HTML, no redirects), e.g.:

    version: STSv1
    mode: enforce
    mx: *.valimail.com
    max_age: 604800

    curl does not follow redirects by default, so an empty or HTML body here usually means a redirect or a parking page; add -D - to print the response headers and confirm a 200 status with no Location header. Sending MTAs will not follow a redirect either, so a policy that only works after a redirect is a broken policy.
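The three CNAMEs from the steps above and the three checks in this Verify section, folded into one script. This is an added example written for this article, not Valimail’s tooling or code: the CNAME targets are the ones in the Quick Reference table, the record and policy validity rules follow RFC 8461 (MTA-STS) and RFC 8460 (TLSRPT), the example.com domain and the sample record strings in the comments are constructed, and the live checks in main() assume dig is on PATH and that the machine can reach DNS and the policy host. It refuses HTTP redirects when fetching the policy because sending MTAs do the same.

```python
import re
import subprocess
import sys
import urllib.error
import urllib.request

MAX_AGE_LIMIT = 31557600  # RFC 8461 caps max_age at one year of seconds

def expected_cnames(domain):
    """The three CNAMEs from the Quick Reference table, keyed by host name."""
    return {
        f"_mta-sts.{domain}": f"{domain}._mta-sts.vali.email",
        f"_smtp._tls.{domain}": f"{domain}._smtptlsrpt.vali.email",
        f"mta-sts.{domain}": "policy.mta-vali.email",
    }

def dig_short(name, rtype):  # live lookup: non-empty lines of `dig +short <rtype> <name>`
    proc = subprocess.run(["dig", "+short", rtype, name], capture_output=True, text=True)
    return [ln.strip() for ln in proc.stdout.splitlines() if ln.strip()]

def cname_matches(lines, target):
    """dig prints CNAME targets with a trailing dot; DNS names are case-insensitive."""
    return any(ln.rstrip(".").lower() == target.lower() for ln in lines)

def txt_records(lines):
    """Quoted TXT strings only: behind a CNAME, dig +short prints the CNAME target first."""
    return ["".join(p) for p in (re.findall(r'"([^"]*)"', ln) for ln in lines) if p]

def parse_tags(record):
    """'v=STSv1; id=...' -> {'v': 'STSv1', 'id': '...'}; tag names are case-insensitive."""
    return {k.lower(): v.strip() for k, v in re.findall(r"([A-Za-z0-9_-]+)\s*=\s*([^;]*)", record)}

def sts_id(record):
    """Policy id if `record` is a valid MTA-STS TXT record (v=STSv1 first, id 1-32 alphanumerics)."""
    if not record.strip().lower().startswith("v=stsv1"):
        return None
    pid = parse_tags(record).get("id", "")
    return pid if re.fullmatch(r"[A-Za-z0-9]{1,32}", pid) else None

def tlsrpt_ruas(record):
    """Report URIs if `record` is a valid TLSRPT TXT record (v=TLSRPTv1 first, rua required)."""
    if not record.strip().lower().startswith("v=tlsrptv1"):
        return None
    uris = [u.strip() for u in parse_tags(record).get("rua", "").split(",") if u.strip()]
    return uris if uris and all(u.startswith(("mailto:", "https://")) for u in uris) else None

def parse_policy(text):
    """Parse .well-known/mta-sts.txt (CRLF or LF); `mx` collects every mx line."""
    policy = {"mx": []}
    for raw in text.replace("\r\n", "\n").split("\n"):
        if not raw.strip():
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")  # e.g. an HTML parking page
        if key.strip().lower() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy[key.strip().lower()] = value.strip()
    return policy

def policy_problems(policy):
    """Human-readable problems; an empty list means the policy is well formed."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    if not policy["mx"] and policy.get("mode") != "none":
        problems.append("at least one mx line is required")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > MAX_AGE_LIMIT:
        problems.append(f"max_age must be an integer 0..{MAX_AGE_LIMIT}")
    return problems

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Sending MTAs must not follow 3xx on the policy URL (RFC 8461), so neither do we."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect on policy URL", headers, fp)

def fetch_policy(domain):
    """Live fetch of the policy file; redirects refused, certificate verified by urllib."""
    url = f"https://mta-sts.{domain}/.well-known/mta-sts.txt"
    with urllib.request.build_opener(_NoRedirect()).open(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def main(domain):
    """Run the Verify-section checks against a live domain; True when everything passes."""
    cnames = {h: cname_matches(dig_short(h, "CNAME"), t) for h, t in expected_cnames(domain).items()}
    ids = [i for i in map(sts_id, txt_records(dig_short(f"_mta-sts.{domain}", "TXT"))) if i]
    ruas = [r for r in map(tlsrpt_ruas, txt_records(dig_short(f"_smtp._tls.{domain}", "TXT"))) if r]
    try:
        problems = policy_problems(parse_policy(fetch_policy(domain)))
    except (urllib.error.URLError, ValueError) as exc:
        problems = [str(exc)]  # certificate error, redirect, HTML or parking page
    print(f"CNAMEs: {cnames}\n_mta-sts id: {ids}\ntlsrpt rua: {ruas}\npolicy: {problems or 'OK'}")
    return all(cnames.values()) and bool(ids and ruas) and not problems

if __name__ == "__main__":
    sys.exit(0 if main(sys.argv[1]) else 1)  # usage: python check_mta_sts.py <yourdomain>
```

Run it as python check_mta_sts.py <yourdomain>; it exits non-zero if any check fails. Run it again after every policy change and confirm the printed _mta-sts id has changed. The parsing functions take dig output or policy text as plain strings, so output captured from another resolver can be fed to them as well.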

Troubleshooting

Symptom: NXDOMAIN for _mta-sts.<domain> or _smtp._tls.<domain>
Likely cause: CNAME not created or wrong host label
How to fix: Add the CNAME with the exact host names above; watch for typos or UI auto-suffixing.

Symptom: TXT returns nothing / still old value
Likely cause: DNS not propagated/cached
How to fix: Lower TTLs during rollout; wait for caches to expire; verify from multiple resolvers. Querying your authoritative name server directly (dig @<nameserver> TXT _mta-sts.<yourdomain>) separates a record that was never published from a stale cache.

Symptom: Policy fetch returns HTML, a 3xx redirect, or cert error
Likely cause: Web host misconfigured (if you host the policy yourself), or step 3’s CNAME missing or not yet propagated (if Valimail hosts it)
How to fix: Serve plain text at the exact path over HTTPS with a certificate valid for mta-sts.<yourdomain>; remove redirects/parking pages. If Valimail hosts the policy, confirm the CNAME target from step 3.

Symptom: Senders ignore the updated policy
Likely cause: Policy ID not refreshed
How to fix: Ensure the _mta-sts TXT shows a new ID after changes (Valimail updates this if hosting).

Symptom: CNAME chain fails
Likely cause: Target typo or missing target zone
How to fix: Confirm the target matches the table above character for character (or the exact target shown during onboarding); no extra dots or missing labels.

Final Checklist

✅ _mta-sts.<domain> CNAME → <domain>._mta-sts.vali.email
✅ _smtp._tls.<domain> CNAME → <domain>._smtptlsrpt.vali.email
✅ mta-sts.<domain> is reachable:
   If Valimail hosts → CNAME → policy.mta-vali.email (or the exact target shown during onboarding)
   If you host → HTTPS plain text at /.well-known/mta-sts.txt, valid TLS for mta-sts.<domain>, no redirects
✅ _mta-sts TXT query returns v=STSv1; id=...
✅ _smtp._tls TXT query returns v=TLSRPTv1; rua=mailto:...
✅ Policy ID bump understood for future changes

NS record delegation is planned for a future release. Use CNAME records for now to host MTA-STS and TLS Reporting in Enforce.
