# Enforcing Mail Server TLS Connections Using MTA-STS

To enforce TLS connections using MTA-STS (Mail Transfer Agent Strict Transport Security) you need to add two DNS TXT records and a subdomain hosting the policy file. The two TXT records are:

- `_mta-sts` containing `v=STSv1; id=202104012135;`. The `id` field is a version identifier for the policy, essentially a form of hash of the policy file: it must change whenever the policy file changes. The convention is to use the last-modified timestamp of the policy file.
- To enable TLS reporting, set a `_smtp._tls` record containing `v=TLSRPTv1; rua=mailto:<reporting-address>;` (the address that receives the reports).

In addition you need a policy file served over HTTPS from `https://mta-sts.[example.org]/.well-known/mta-sts.txt` (implying another DNS record, typically a CNAME, for the `mta-sts` subdomain). Example file:

```
version: STSv1
mode: enforce
mx: mail.example.org
mx: *.example.org
mx: mail2.example.org
max_age: 604800
```

Mode should be `enforce` or `testing`. Each `MX` server should be listed. Max age is recommended to be a week or more, but HEY.com is using a day + 1 second (86401). The same is true for both Gmail and Yahoo, but not Outlook.

HEY.com's policy file: <https://mta-sts.hey.com/.well-known/mta-sts.txt>

## Sources

- [[Mta-STS]]