
MTA-STS Hosting

MailShield can host your MTA-STS policy, simplifying the deployment of strict transport security for email.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a security standard that:

  • Enforces TLS encryption for email delivery
  • Prevents downgrade attacks
  • Protects against man-in-the-middle attacks
  • Requires certificates to be valid

Learn more about MTA-STS →

Why Use MailShield Hosting?

Without MailShield

To deploy MTA-STS, you need:

  1. A DNS TXT record at _mta-sts.yourdomain.com
  2. A web server at mta-sts.yourdomain.com
  3. A valid HTTPS certificate for that host
  4. A policy file served at /.well-known/mta-sts.txt
  5. Ongoing maintenance and monitoring

With MailShield

MailShield handles:

  • ✅ Policy file hosting
  • ✅ HTTPS certificate management
  • ✅ High availability
  • ✅ Policy validation
  • ✅ Monitoring and alerts

You only need:

  • DNS records pointing to MailShield

Setting Up MTA-STS Hosting

Step 1: Configure Your Policy

  1. Navigate to Domain → MTA-STS
  2. Click Configure MTA-STS
  3. Set your policy options:
     Option     Description
     Mode       testing or enforce
     MX Hosts   Your mail servers
     Max Age    Cache duration (seconds)

Step 2: Add DNS Records

Add these DNS records:

TXT Record:

_mta-sts.yourdomain.com.  TXT  "v=STSv1; id=your-policy-id"

CNAME Record:

mta-sts.yourdomain.com.  CNAME  mta-sts.mailshield.app.

TIP

The policy ID should change whenever you update your policy. MailShield generates this automatically.

Step 3: Verify Configuration

  1. Click Verify in MailShield
  2. MailShield checks:
    • DNS records are correct
    • Policy is accessible
    • Policy ID matches
  3. Status shows as "Active" when complete

Policy Options

Mode

Mode       Behavior
testing    Senders report failures (via TLS-RPT) but still deliver
enforce    Senders must deliver over validated TLS or not deliver at all

Recommended approach:

  1. Start with testing mode
  2. Monitor TLS-RPT reports for failures
  3. Fix any issues discovered
  4. Switch to enforce mode

MX Hosts

List the mail servers that should receive email:

mx: mail.yourdomain.com
mx: mail2.yourdomain.com
mx: *.mail.yourdomain.com

Important:

  • Include all MX hosts
  • Wildcards are supported (*.example.com)
  • Hosts must match your MX records

Max Age

How long senders should cache the policy:

Duration   Seconds    Use Case
1 day      86400      Testing, frequent changes
1 week     604800     Standard operation
1 month    2592000    Stable configuration

Recommendation: Start with 1 day during testing, increase after stabilization.

Policy File Format

MailShield generates and hosts a policy file like:

version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: mail2.yourdomain.com
max_age: 604800

This file is served at:

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

Monitoring

MailShield monitors your MTA-STS configuration:

Validation Checks

  • DNS record exists and is correct
  • Policy file is accessible
  • Policy ID matches DNS record
  • MX hosts match your actual MX records
  • Certificate is valid
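As an added example (not MailShield's own code), the following Python script runs the same kind of checks over constructed inputs in place of live DNS and HTTPS lookups: it parses the _mta-sts TXT record and the hosted policy file, compares the policy ID against the currently published one, and checks that every MX host is covered by a policy mx pattern, including single-label wildcards as specified in RFC 8461. Domain names and the policy ID are hypothetical sample values.

```python
# Constructed sample inputs (hypothetical domain and ID); a real check would
# read the TXT record from DNS and fetch the policy over HTTPS.
STS_TXT = 'v=STSv1; id=20240115T120000Z'
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: *.mail.yourdomain.com
max_age: 604800
"""
DNS_MX = ["mail.yourdomain.com", "mx2.mail.yourdomain.com"]
CURRENT_ID = "20240115T120000Z"  # the ID the hosting service currently publishes

def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record; require v=STSv1 and a non-empty id."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("invalid _mta-sts TXT record")
    return fields

def parse_policy(text):
    """Parse the policy file ('key: value' lines; mx may repeat)."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "mx":
            policy["mx"].append(value)
        elif key:
            policy[key] = value
    if policy.get("version") != "stsv1" or policy.get("mode") not in ("testing", "enforce", "none"):
        raise ValueError("invalid policy header")
    policy["max_age"] = int(policy["max_age"])  # RFC 8461 caps this at 31557600 (one year)
    return policy

def mx_matches(host, pattern):
    """'*.x.y' matches exactly one leftmost label (RFC 8461); otherwise exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern

def validate(txt, policy_text, dns_mx, current_id):
    """Return a list of problems; an empty list means the configuration is healthy."""
    problems = []
    record, policy = parse_sts_txt(txt), parse_policy(policy_text)
    if record["id"] != current_id:
        problems.append("policy ID mismatch: DNS has %s, hosted policy is %s" % (record["id"], current_id))
    for host in dns_mx:
        if not any(mx_matches(host, p) for p in policy["mx"]):
            problems.append("MX host not covered by policy: " + host)
    if policy["max_age"] > 31557600:
        problems.append("max_age exceeds the one-year maximum")
    return problems
```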

Alerts

Get notified when:

  • Policy becomes inaccessible
  • DNS record changes
  • Policy ID mismatch detected
  • Certificate issues arise

Updating Your Policy

When you need to change your MTA-STS policy:

  1. Update settings in MailShield
  2. MailShield generates a new policy ID
  3. Update your DNS TXT record with the new ID
  4. Wait for DNS propagation
  5. Senders will fetch the new policy

WARNING

Always update the DNS policy ID when changing the policy. Senders compare this ID against their cached copy to decide whether to fetch the new policy.

TLS-RPT Integration

For complete visibility, also configure TLS-RPT:

_smtp._tls.yourdomain.com.  TXT  "v=TLSRPTv1; rua=mailto:YOUR-ID@reports.mailshield.app"

This enables:

  • Reports on TLS connection attempts
  • Failure notifications
  • Statistics on MTA-STS effectiveness

Troubleshooting

Policy Not Accessible

  1. Verify CNAME record is correct
  2. Check DNS propagation
  3. Ensure no conflicting A/AAAA records

Policy ID Mismatch

  1. Update DNS TXT record with current ID
  2. Wait for propagation (up to 48 hours)
  3. Re-verify in MailShield

MX Hosts Mismatch

  1. Update MX hosts in MailShield to match DNS
  2. Or update DNS MX records to match policy
  3. Use wildcards if needed

Certificate Errors

MailShield manages certificates automatically. If you see certificate errors:

  1. Verify CNAME is correct
  2. Wait for certificate provisioning
  3. Contact support if issues persist

Best Practices

  1. Start in testing mode to identify issues
  2. Configure TLS-RPT for visibility
  3. Monitor reports before enforcing
  4. Keep MX hosts updated when changing mail servers
  5. Use a reasonable max_age: not too short, not too long

Secure your email infrastructure with confidence.