Red Sift’s email protocol configuration guide

image
Explore our guide
In this chapter
In this chapter

Learn about MTA-STS and TLS

What is MTA-STS?

Mail Transfer Agent Strict Transport Security (MTA-STS) is a standard that enables the encryption of messages being sent between two mail servers. It specifies to sending servers that emails can only be sent over a Transport Layer Security (TLS) encrypted connection which prevents emails from being intercepted by cybercriminals. MTA-STS adoption has grown significantly, with organizations in 2026 recognizing transport layer security as essential for protecting email in transit.

How does it work?

For receiving domains to enable MTA-STS, they must announce that they support MTA-STS in their DNS and publish a policy configuration file on their website. This lets the sending mail servers (that support MTA-STS) know that they should only use TLS (1.2 or higher) connections when sending emails to the receiving domain’s mail servers. MTA-STS requires the use of STARTTLS (a protocol that tells an email server that an email client wants to upgrade from an insecure to a secure connection) for messages to successfully be sent and received.

MTA-STS also lists what the MX records for the domain are therefore preventing DNS query interception where a malicious party could redirect to another MX record. If a sending mail server does not perform MTA-STS validations, emails will still be delivered as normal, and TLS will be used if the sending mail server chooses to use it. 

MTA-STS policy modes

Activating MTA-STS must be done carefully to mitigate blocking emails from being delivered. To avoid this risk, MTA-STS should first be deployed in testing mode, allowing time for TLS reports to provide insight into any errors that need fixing before progressing to the final enforce stage. At this stage, the use of TLS is enforced, and MTAs that support MTA-STS will only deliver email over an encrypted and authenticated connection. TLS reporting (TLS-RPT) is then needed to notify domain owners when delivery fails due to TLS issues. This phased approach will likely become standard practice in 2026 for organizations implementing transport security.

What is TLS reporting?

How do we know that sending MTAs is failing MTA-STS? Much like DMARC, the answer is emailed reports. Enter SMTP TLS reporting (or TLS-RPT for short). It enables reporting of TLS connectivity problems experienced by the sending MTAs and is defined in RFC8460. These reports include detected MTA-STS policies, traffic statistics, successful and unsuccessful connections, and failure reasons. 

When you enable TLS-RPT, you will receive daily reports highlighting any emails that were sent without a secure connection and failed to be sent to you. Only with this insight can you identify and fix the issues within your mail server and ensure your inbound mail is not being blocked.

Set up MTA-STS and TLS-RPT

This sub-chapter will show you how to deploy MTA-STS and TLS-RPT on your own. 

Deploying MTA-STS is relatively straightforward once you understand the components involved. Here’s an overview of what we’ll cover:

  1. Draft and publish the policy on a public, secured web server
  2. Enable SMTP TLS-RPT via a TXT record
  3. Signal MTA-STS support via a TXT record

Before you start the deployment, if you manage your own email server, make sure your MX records accept inbound TLS connections (according to Google’s Transparency report, about 90% of servers currently do), make sure the servers in your MX records use TLS version 1.2 or later, and that the MX server TLS certificates:

  • Match the domain name used by the inbound mail server (the server in your MX records)
  • Are signed and trusted by a root certificate authority
  • Are not expired

These last three go hand in hand and are very likely already managed by your email host. You should only have to worry about them if you host your own mail server; if you use a third-party hosted service like G Suite, Microsoft 365, Fastmail, etc, these steps are already done for you.

1. Draft and publish the policy on a public, secured web server

Now, to start the deployment, we will proceed to draft the policy. The policy itself is pretty straightforward; here’s a sample policy:

version: STSv1
mode: testing
mx: aspmx.l.google.com
mx: alt1.aspmx.l.google.com
mx: alt2.aspmx.l.google.com
mx: *.googlemail.com
max_age: 604800

The important bits are mode, mx and max_age, as version will (for now) always be the same.

Mode can be none, testing or enforce.

  • none disables MTA-STS
  • testing tells external servers sending to you to evaluate the policy, and requests reports (via TLS-RPT), but does not enforce connection security required by MTA-STS.
  • enforce tells external servers to verify they’re connecting to an MX listed in the policy, and that the SMTP connection is both encrypted (using TLS) and authenticated (that the server has a valid, signed certificate).

If the connection is not both encrypted and authenticated:

  • Servers that support MTA-STS will not send mail to your domain.
  • Servers that don’t support MTA-STS continue to send messages to your domain over SMTP connections as they normally do, but they may not be encrypted.

We recommend keeping the policy in testing mode for at least a month. That way you can get familiar with MTA-STS and fix any issues that may be brought up by the STS reports, if any. Organizations in 2026 typically spend 2-4 weeks in testing mode before progressing to enforcement.

mx lists the MX records that serve email for the domain. In almost all cases, it’s the same records you already have published in your DNS.

To specify servers that match a naming pattern, use a wildcard. The wildcard character replaces one leftmost label only, for example .domain.com or .mail.domain.com.

max_age is the amount of time the sending MTA will cache the policy. The RFC suggests a value of 1 or 2 weeks (between 604800 and 1209600 seconds), but it can be anything.

Now that we have the policy drafted, we need to publish it. The policy has to be uploaded to a public-facing web server and it must be served over HTTPS with a signed, trusted certificate (eg: Let’s Encrypt).

  • Add a subdomain to your domain in the form of mta-sts.domain.com and point it to the web server
  • Create a directory named .well-known.well-known in the subdomain.
  • Upload the policy file you created to the .well-known.well-known directory with mta-sts.txtmta-sts.txt as the file name.

Your policy should be available at https://mta-sts.domain.com/.well-known/mta-sts.txt

2. Add the reporting address to your DNS

Now, the last step consists of adding two DNS records: one for TLS-RPT and one to signify that you support MTA-STS and they’re both simple TXT records.

Let’s start with TLS-RPT. To receive reports you will need a mailbox where you will receive them, or you can point them to your OnDMARC address (the same as for your DMARC record) and we'll parse and display them for you.

The first TXT record should be added like this:

smtp.tls.example.com. 900 IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"

Host: smtp.smtp.tls

TTL: 900 (or your default value)

Value: v=TLSRPTv1; rua=mailto:tlsrpt@example.com

3. Signal MTA-STS support via a TXT record

Lastly, we need to publicize our support for MTA-STS. The TXT record should be added as follows:

_mta-sts.example.com. 900 IN TXT "v=STSv1; id=1575556993"

Host: _mta-sts (note the underscore at the beginning)

TTL: 900 (or your default value)

Value: v=STSv1; id=1575556993

Update the id to a new value every time you change your MTA-STS policy. External servers use the id value to determine when your policy changes. We usually use the epoch timestamp for the id value, it’s unique enough and lets you know when was the last time it was changed.

And that’s it! You’ve enabled both MTA-STS and TLS-RPT, and you’re on your way to supporting secure, un-tampered SMTP transmissions. 

How do you know that sending MTAs are failing MTA-STS?

Much like DMARC, the answer is in emailed reports. These reports include detected MTA-STS policies, traffic statistics, unsuccessful connections, and failure reasons.

Enter SMTP TLS Reporting (or TLS-RPT for short). It enables reporting of TLS connectivity problems experienced by the sending MTA’s and is defined in RFC8460.

Is there an easier way to deploy MTA-STS?

The short answer is yes. With Red Sift OnDMARC’s MTA-STS feature, you don’t need to worry about complex deployment. Simply add the MTA-STS Smart Records OnDMARC provides to your DNS and we do all the hard work for you such as hosting the MTA-STS policy file, maintaining the SSL certificate, and flagging any policy violation through the TLS report. Modern DMARC platforms in 2026 increasingly include hosted MTA-STS as a standard feature, simplifying transport security deployment.

Once MTA-STS has been enabled, you can use OnDMARC’s TLS Reports to gain clear insight into the volume of emails received over a given period and how many of them have experienced domain successes and failures. You can easily uncover more details about a specific domain’s success or failure, such as a missing or expired certificate. This granularity tells you exactly what needs fixing for you to progress to an MTA-STS enforce mode and fully secure your inbound emails.

email set up imageemail set up image
Email set up correctly? Find out free in under a minute

Frequently asked questions: Email protocol configuration guide

What is the difference between SPF hard fail (-all) and soft fail (~all), and which should I use in 2026?

In a pre-DMARC era, SPF records commonly used the "-all" mechanism to strictly enforce sender policies. However, current industry guidance in 2026 favours "~all" to balance security and deliverability, avoiding unnecessary rejection of valid emails that might fail SPF but pass DKIM and DMARC.

This is because "~all" when implemented in combination with DMARC (at p=reject) will still reject unauthenticated mail if SPF and DKIM fail, but does not block legitimate mail, thus enhancing overall email deliverability.

The DMARC specification (RFC 7489) states that a "-" prefix on a sender's SPF mechanism, such as "-all", could cause rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place. Use "-all" for inactive, non-email sending domains only (domains that send no emails at all). DMARC ignores the nuances of soft fail and hard fail in SPF configuration, treating them as SPF failures.

How does DMARC alignment work and what is the difference between strict and relaxed alignment?

DMARC does not only require SPF or DKIM to PASS but it also requires at least one of the domains used by SPF or DKIM to align with the domain found in the From header. Proper alignment is critical for email deliverability in 2026, as major inbox providers enforce these requirements.

In the case of SPF, identifier alignment means that the MAIL FROM/Return-PATH check has to PASS and also the domain portion of the MAIL FROM/Return-PATH has to align with the domain found in the From address. In strict alignment, the domains have to match exactly, whereas in relaxed alignment subdomains are also allowed as long as they come from the same organisational domain.

For example, if MAIL-FROM/RETURN-PATH is @ondmarc.com and From header is @knowledge.ondmarc.com, in strict alignment they are not aligned. However, in relaxed alignment mode, DMARC would pass.

What are DMARC aggregate reports and forensic reports, and how do they differ?

A DMARC aggregate report contains information about the authentication status of messages sent on behalf of a domain. It is an XML feedback report designed to provide visibility into emails that passed or failed SPF and DKIM. The report provides domain owners with precise insight into which sources are sending on your behalf and the disposition of those emails (the policy that was applied by the receiver).

Recipients will look at the 'rua' tag of your DMARC record and send reports there. You can specify the aggregate reporting interval by using the ri tag in your DMARC record (by default, this is set to 86400 seconds which equates to 24 hours). Forensic reports contain more detailed information about individual authentication failures. Any personally identifiable information (PII) is removed, but information that will help in troubleshooting the DMARC failure is included, such as SPF and DKIM header failure information, the entire From address, and the Subject of the email.

The address to receive Forensic DMARC reports is specified by the 'ruf' tag in your DMARC record. Not all receiving systems support sending forensic reports. Red Sift OnDMARC is one of the only DMARC applications on the market that receives forensic reports thanks to its partnership with Yahoo.

What are SPF macros and why might they cause deliverability issues?

An SPF macro refers to a mechanism used in SPF records to define reusable sets of IP addresses. SPF macros enhance the flexibility and maintainability of SPF records by allowing you to define complex sets of IP addresses in a single mechanism, which can then be referenced within multiple SPF records. For example, instead of listing individual IP addresses for each authorised email server, you can define a macro like "%{i}" which calls the sender IP of the email. Managing SPF this way allows you to control a large list of IPs without hitting the SPF lookup limit, and also obscures which IPs you approve for public querying.

However, depending on how the SPF record with macros is structured, the lack of macro expansion could result in SPF failures or 'Neutral' results (denoted by the ?all mechanism). If SPF macros play a critical role in authorising legitimate sending servers, emails might be more likely to fail SPF checks or be marked as suspicious by email receivers that rely on SPF for authentication.

What is MTA-STS and how should it be deployed to avoid blocking email delivery?

Mail Transfer Agent Strict Transport Security (MTA-STS) is a standard that enables the encryption of messages being sent between two mail servers. It specifies to sending servers that emails can only be sent over a Transport Layer Security (TLS) encrypted connection which prevents emails from being intercepted by cybercriminals.

MTA-STS adoption has grown significantly, with organisations in 2026 recognising transport layer security as essential for protecting email in transit. For receiving domains to enable MTA-STS, they must announce that they support MTA-STS in their DNS and publish a policy configuration file on their website.

Activating MTA-STS must be done carefully to mitigate blocking emails from being delivered. MTA-STS should first be deployed in testing mode, allowing time for TLS reports to provide insight into any errors that need fixing before progressing to the final enforce stage. This phased approach will likely become standard practice in 2026 for organisations implementing transport security.

What is TLS-RPT and how does it work with MTA-STS?

SMTP TLS Reporting (or TLS-RPT for short) enables reporting of TLS connectivity problems experienced by the sending MTAs and is defined in RFC8460. Much like DMARC, TLS-RPT relies on emailed reports to notify domain owners when delivery fails due to TLS issues. These reports include detected MTA-STS policies, traffic statistics, unsuccessful connections, and failure reasons.

With Red Sift OnDMARC's MTA-STS feature, you don't need to worry about complex deployment. Simply add the MTA-STS Smart Records OnDMARC provides to your DNS and Red Sift does all the hard work such as hosting the MTA-STS policy file, maintaining the SSL certificate, and flagging any policy violation through the TLS report. Modern DMARC platforms in 2026 increasingly include hosted MTA-STS as a standard feature, simplifying transport security deployment.

What is DANE and how does it differ from MTA-STS?

Published under RFC 7671, DANE (DNS-based Authentication of Named Entities) introduces a new Internet standard for setting up TLS communication between a client and a server, without having to rely on trusted Certificate Authorities (CAs).

The traditional CA model TLS has depended on allows any CA to issue a certificate for any domain. DANE does things differently by relying on the DNSSEC infrastructure (Domain Name System Security Extensions) to bind a domain name to a certificate. DANE makes use of the already existing DNSSEC protocol to make sure the data it receives is authentic and has not been tampered with.

DANE also introduces a new DNS RR type called TLSA which helps to signal to the client that a server supports TLS. The recommendation is to implement both MTA-STS and DANE. DANE is a requirement from many governments, so public agencies in the EU are often required to implement it.

DANE and MTA-STS help only if the sender supports it, however, many senders only support one or the other so implementing both improves security overall. Organisations in 2026 often deploy MTA-STS first for broader compatibility, then add DANE for enhanced security where required.

What is the purpose of the DMARC subdomain policy (sp tag) and how should it be used?

The subdomain policy allows domain administrators to protect different domains and subdomains based on how far they are along the DMARC journey. For example, if all your email-sending services sending emails on behalf of your top-level domain are fully configured with SPF and DKIM, that means that you can protect your top-level domain with a DMARC policy of p=reject whilst keeping the subdomains in p=none, and vice versa.

Also, if you have an email-sending service that is non-DMARC compliant (does not support SPF or DKIM), you may decide to assign a subdomain to it and have that subdomain in a different DMARC policy, without preventing you from protecting your other domains. This allows you to split the traffic across different subdomains and protect each one separately.