Included with the Email Authentication add-on ($10/domain/month) — no separate charge.
1. What This Feature Does
MTA-STS (SMTP MTA Strict Transport Security, RFC 8461) lets your domain require that other mail servers use TLS encryption when they deliver mail to you, closing the door on downgrade and man-in-the-middle attacks. It has two parts: a DNS TXT record at _mta-sts.<yourdomain> and a policy file served over HTTPS at https://mta-sts.<yourdomain>/.well-known/mta-sts.txt. CertaDNS hosts the policy file, issues and renews the required TLS certificate, and publishes both records for you.
TLS-RPT (SMTP TLS Reporting, RFC 8460) is the companion: a TXT record at _smtp._tls.<yourdomain> that gives sending servers an address to email daily reports about TLS delivery successes and failures — your early-warning system for MTA-STS problems.
2. When You Should Use It
- You want inbound mail to your domain to require encrypted (TLS) delivery.
- You have completed SPF, DKIM, and DMARC and want to harden transport security next.
- You want visibility (via TLS-RPT) into how often mail to your domain fails to negotiate TLS.
3. When You Should Not Use It
- Your inbound mail is handled by a provider (such as Google Workspace or Microsoft 365) that already publishes and manages MTA-STS for your domain — adding a second policy would conflict.
- Your MX hosts cannot reliably negotiate valid TLS yet; start in testing mode rather than enforce so legitimate mail is not blocked.
- Your MX records are still changing frequently (a brand-new setup) — stabilize them first, since the policy lists your MX hosts.
4. Prerequisites
- The Email Authentication add-on on the domain (MTA-STS and TLS-RPT are included with it).
- Valid MX records for the domain — the policy references your mail hosts.
- SPF, DKIM, and DMARC already configured (recommended, not required).
5. How It Works (Brief)
When you enable MTA-STS for a zone, CertaDNS publishes the _mta-sts TXT record, generates and hosts the policy file, and issues the TLS certificate for mta-sts.<yourdomain>. Sending servers fetch the policy over HTTPS, cache it for its max-age, and apply the mode. Each policy carries an id; when you change the policy, the id updates so senders refresh. TLS-RPT publishes the _smtp._tls record so senders know where to mail their daily TLS reports.
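The two records and the policy file described above have a small, fixed grammar, and a sending server's decision depends on the policy's mode. The following added example (illustration only, not CertaDNS code) builds and parses the `_mta-sts` TXT record, the policy file and the `_smtp._tls` TLS-RPT record, matches an MX host against the policy's `mx` patterns the way RFC 8461 describes (a `*.` wildcard covers exactly one label), and shows why testing mode only reports while enforce mode refuses delivery. All domain names, hosts, the policy id and the report address are constructed sample values.

```python
"""MTA-STS (RFC 8461) and TLS-RPT (RFC 8460) record and policy handling.

Added illustration, not CertaDNS code. Domain names, hosts, the policy id
and the report address used here are constructed sample values.
"""
import re
from dataclasses import dataclass

VALID_MODES = ("testing", "enforce", "none")
MAX_AGE_LIMIT = 31557600  # one year, the ceiling RFC 8461 sets for max_age


@dataclass
class MtaStsPolicy:
    mode: str          # testing, enforce or none
    mx: list[str]      # hostnames or "*.label" wildcard patterns
    max_age: int       # seconds a sender may cache the policy
    version: str = "STSv1"


def build_sts_txt_record(policy_id: str) -> str:
    """TXT content for _mta-sts.<domain>; the id must change on every policy edit."""
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id):
        raise ValueError("policy id must be 1-32 alphanumeric characters")
    return f"v=STSv1; id={policy_id};"


def parse_sts_txt_record(txt: str) -> str:
    """Return the policy id carried by a _mta-sts TXT record."""
    pairs = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, sep, value = part.partition("=")
            if not sep:
                raise ValueError(f"malformed field: {part!r}")
            pairs[key.strip()] = value.strip()
    if pairs.get("v") != "STSv1" or "id" not in pairs:
        raise ValueError("not a valid MTA-STS TXT record")
    return pairs["id"]


def render_policy(policy: MtaStsPolicy) -> str:
    """Serialize the file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    lines = [f"version: {policy.version}", f"mode: {policy.mode}"]
    lines += [f"mx: {host}" for host in policy.mx]
    lines.append(f"max_age: {policy.max_age}")
    return "\r\n".join(lines) + "\r\n"


def parse_policy(text: str) -> MtaStsPolicy:
    """Parse a policy file, rejecting the malformed cases a sender would reject."""
    fields, mx = {}, []
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())       # mx may repeat; every other key appears once
        elif key in fields:
            raise ValueError(f"duplicate key: {key}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    mode = fields.get("mode")
    if mode not in VALID_MODES:
        raise ValueError(f"invalid mode: {mode!r}")
    max_age = int(fields.get("max_age", ""))
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    if mode != "none" and not mx:
        raise ValueError("an active policy needs at least one mx entry")
    return MtaStsPolicy(mode=mode, mx=mx, max_age=max_age)


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx matching: exact name, or a leading '*.' covering exactly one label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host.endswith("." + suffix) and host.count(".") == suffix.count(".") + 1
    return host == pattern


def evaluate_delivery(policy: MtaStsPolicy, mx_host: str, tls_ok: bool) -> tuple[bool, str]:
    """What a policy-aware sender does: (deliver?, reason). tls_ok models a
    successful STARTTLS handshake with a valid certificate for mx_host."""
    if policy.mode == "none":
        return True, "no-policy"
    problems = []
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        problems.append("mx-mismatch")   # MX not listed in the policy
    if not tls_ok:
        problems.append("tls-failure")   # STARTTLS missing or certificate invalid
    if not problems:
        return True, "ok"
    if policy.mode == "enforce":
        return False, ",".join(problems)  # enforce: mail is held, not sent in clear
    return True, "report-only:" + ",".join(problems)  # testing: delivered, failure reported


def build_tlsrpt_record(rua: list[str]) -> str:
    """TXT content for _smtp._tls.<domain>: where senders mail their daily reports."""
    return "v=TLSRPTv1; rua=" + ",".join(rua)


def parse_tlsrpt_record(txt: str) -> list[str]:
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if p.strip())
    if fields.get("v") != "TLSRPTv1" or "rua" not in fields:
        raise ValueError("not a valid TLS-RPT record")
    return [u.strip() for u in fields["rua"].split(",")]
```

The `evaluate_delivery` function is the reason the page recommends starting in testing mode: with the same policy and the same TLS failure, testing mode still delivers and produces a TLS-RPT entry, while enforce mode withholds the message. When rotating policy content, the id in the TXT record must change, or senders keep using their cached copy until `max_age` expires.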
6. How to Use It
- Open Email Authentication → MTA-STS and select a zone.
- Create the policy in testing mode. CertaDNS publishes the record, hosts the policy, and issues the certificate (this can take a few minutes).
- Enable TLS-RPT to start receiving daily reports.
- Review reports until TLS delivery is consistently successful, then switch the policy to enforce.
7. Inputs and Settings
| Setting | Description |
|---|---|
| Mode | testing, enforce, or none |
| MX hosts | The mail hosts the policy applies to (derived from your MX records) |
| Max age | How long senders cache the policy (seconds) |
| TLS-RPT address | Where TLS reports are sent (CertaDNS-managed or your own) |
8. Outputs and Results
- A published _mta-sts TXT record and a hosted, certificate-backed policy file.
- A published _smtp._tls record for TLS reporting.
- Aggregate TLS reports summarizing successful and failed TLS connections from each sending source.
9. How to Interpret Results
- Status "ready": the record, policy, and certificate are live.
- TLS-RPT shows failures: some senders couldn't negotiate TLS — investigate before moving from testing to enforce.
- Clean reports over several days: safe to switch to enforce.
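Reading the daily reports is the step that gates the move to enforce, so the following added example (illustration only, not CertaDNS code) takes a few constructed TLS-RPT reports in the RFC 8460 JSON shape, totals successful and failed sessions across senders and days, groups failures by result type and receiving MX, maps each result type to what it usually means for the receiving domain, and applies the "clean reports over several days" rule from this section. The organisation names, dates, IP addresses and counts are constructed sample data; real reports arrive by email as gzipped JSON attachments, which this example does not decode.

```python
"""Summarize TLS-RPT aggregate reports (RFC 8460 JSON) before switching to enforce.

Added illustration, not CertaDNS code. The reports below are constructed
sample data for the domain example.com.
"""
import json
from collections import Counter

# What each RFC 8460 result-type usually points at on the receiving side.
FAILURE_HINTS = {
    "starttls-not-supported": "an MX host did not offer STARTTLS",
    "certificate-host-mismatch": "an MX certificate does not cover the MX hostname",
    "certificate-expired": "an MX certificate has expired",
    "certificate-not-trusted": "an MX certificate chain is not publicly trusted",
    "validation-failure": "the TLS handshake failed for another reason",
    "sts-policy-fetch-error": "the policy file was not reachable over HTTPS",
    "sts-policy-invalid": "the policy file could not be parsed",
    "sts-webpki-invalid": "the mta-sts.<domain> HTTPS certificate was rejected",
}


def make_report(org: str, day: str, successes: int, failures: list[dict]) -> str:
    """Build one sender's report for one day, in the RFC 8460 JSON layout."""
    return json.dumps({
        "organization-name": org,
        "date-range": {"start-datetime": f"{day}T00:00:00Z", "end-datetime": f"{day}T23:59:59Z"},
        "contact-info": f"tls-reports@{org}",
        "report-id": f"{day}-{org}",
        "policies": [{
            "policy": {
                "policy-type": "sts",
                "policy-domain": "example.com",
                "policy-string": ["version: STSv1", "mode: testing",
                                  "mx: mail.example.com", "max_age: 86400"],
                "mx-host": ["mail.example.com"],
            },
            "summary": {
                "total-successful-session-count": successes,
                "total-failure-session-count": sum(f["failed-session-count"] for f in failures),
            },
            "failure-details": failures,
        }],
    })


# Constructed sample: one sender saw a certificate name mismatch on day one.
SAMPLE_REPORTS = [
    make_report("sender-a.example", "2024-05-01", 120, [{
        "result-type": "certificate-host-mismatch",
        "sending-mta-ip": "192.0.2.10",
        "receiving-mx-hostname": "mail.example.com",
        "receiving-ip": "198.51.100.25",
        "failed-session-count": 3,
    }]),
    make_report("sender-b.example", "2024-05-01", 45, []),
    make_report("sender-a.example", "2024-05-02", 131, []),
]


def summarize_reports(report_jsons) -> dict:
    """Aggregate MTA-STS entries from several reports; DANE entries are skipped."""
    totals, by_type, by_mx, days = Counter(), Counter(), Counter(), set()
    for raw in report_jsons:
        rep = json.loads(raw)
        days.add(rep["date-range"]["start-datetime"][:10])
        for entry in rep["policies"]:
            if entry["policy"]["policy-type"] != "sts":
                continue  # "tlsa" and "no-policy-found" entries are not about MTA-STS
            summary = entry["summary"]
            totals["successful"] += summary["total-successful-session-count"]
            totals["failed"] += summary["total-failure-session-count"]
            for f in entry.get("failure-details", []):
                by_type[f["result-type"]] += f["failed-session-count"]
                by_mx[f.get("receiving-mx-hostname", "unknown")] += f["failed-session-count"]
    return {"successful": totals["successful"], "failed": totals["failed"],
            "by_type": dict(by_type), "by_mx": dict(by_mx), "days": sorted(days)}


def diagnose(summary: dict) -> list[str]:
    """One line per failure type, with the likely cause on the receiving side."""
    return [f"{t}: {FAILURE_HINTS.get(t, 'see RFC 8460 section 4.3')} ({n} sessions)"
            for t, n in sorted(summary["by_type"].items())]


def ready_to_enforce(summary: dict, min_clean_days: int = 3) -> bool:
    """The page's rule, stated conservatively: no failures across several days of reports."""
    return len(summary["days"]) >= min_clean_days and summary["failed"] == 0
```

Running `summarize_reports(SAMPLE_REPORTS)` shows 296 successful and 3 failed sessions, all of them `certificate-host-mismatch` on `mail.example.com`, and `ready_to_enforce` stays false until that is fixed and several clean days have accumulated. The `min_clean_days` threshold is an assumption of this example; the page says only "several days".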
10. Common Issues and Explanations
- Policy file not reachable: the mta-sts.<domain> host or its certificate isn't serving over HTTPS yet — give issuance a few minutes after enabling.
- Stuck in testing: failures are reported but not enforced; move to enforce once your TLS-RPT reports are clean.
- No TLS reports arriving: the _smtp._tls record is missing — enable TLS-RPT.
11. Limits and Constraints
| Constraint | Value |
|---|---|
| MTA-STS & TLS-RPT | Included with the Email Authentication add-on ($10/domain/month) |
| Configurations per zone | 1 MTA-STS policy, 1 TLS-RPT record |
| Policy hosting & certificate | Managed by CertaDNS |
| Valid MX required | Yes |
12. Related Features
- DMARC Reporting, DKIM Key Management, and SPF Flattening — the authentication layer MTA-STS builds on.
- BIMI (Inbox Logo) — the visual brand layer once you are at DMARC enforcement.
- Free MTA-STS Checker — look up any domain's record, policy file, and TLS-RPT, no account required.
13. Updates and Behavior Changes
- MTA-STS and TLS-RPT are included with the Email Authentication add-on at no additional charge.
- CertaDNS hosts the policy file and manages the required TLS certificate, including renewal.