
Invalid MTA-STS Record

The MTA-STS record contains syntax errors or is missing required fields.

Severity: Critical

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a security standard that enables email domains to declare that they support TLS (encrypted connections) for receiving email, and that sending servers should refuse to deliver email if a secure connection cannot be established.

Without MTA-STS, even if your mail server supports TLS, a man-in-the-middle attacker could downgrade the connection to unencrypted and intercept emails. MTA-STS prevents this by telling sending servers: "Only deliver email to me over a verified TLS connection."

MTA-STS requires two components:

  1. A DNS TXT record at _mta-sts.{domain} that advertises MTA-STS support:
    v=STSv1; id=20240101000000
  2. A policy file hosted at https://mta-sts.{domain}/.well-known/mta-sts.txt that specifies the policy details

The id field is a version identifier — when you update your policy, you change the id so sending servers know to fetch the new policy.

Why this is a problem

An invalid MTA-STS record means the DNS TXT record has syntax errors or is missing required fields. This prevents sending mail servers from discovering your MTA-STS policy, which means:

  • TLS enforcement won't be applied to incoming email
  • Your domain remains vulnerable to TLS downgrade attacks
  • Email could be intercepted in transit without detection

What you should do

  • Ensure the record is published at _mta-sts.{yourdomain} as a TXT record
  • Verify it starts with v=STSv1
  • Include a valid id= field with a unique identifier (typically a timestamp)
  • Make sure the corresponding policy file is accessible at https://mta-sts.{yourdomain}/.well-known/mta-sts.txt
  • Validate that the policy file contains valid mode, mx, and max_age fields
  • Test the complete MTA-STS setup using an MTA-STS validation tool
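As an added example (not part of the dnswatchdog.io docs), a Python checker for the two components above: the _mta-sts TXT record and the policy file body, following the RFC 8461 syntax. The rule that at least one mx line is required unless mode is none is an assumption, stricter than the bare grammar.

```python
import re

STS_VERSION = "STSv1"
ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")   # RFC 8461: id is 1-32 alphanumerics
MAX_AGE = 31557600                         # RFC 8461 upper bound: one year
MODES = {"enforce", "testing", "none"}

def validate_txt_record(record: str) -> list:
    """Problems with an _mta-sts.{domain} TXT record; an empty list means valid."""
    errors, pairs = [], []
    for f in record.strip().rstrip(";").split(";"):  # one trailing ';' is allowed
        if "=" not in f:
            errors.append(f"field without '=': {f.strip()!r}")
            continue
        k, v = (p.strip() for p in f.split("=", 1))
        pairs.append((k, v))
    if not pairs or pairs[0] != ("v", STS_VERSION):
        errors.append("record must start with v=STSv1")
    ids = [v for k, v in pairs if k == "id"]
    if len(ids) != 1:
        errors.append("exactly one id= field is required")
    elif not ID_RE.fullmatch(ids[0]):
        errors.append("id must be 1-32 letters or digits")
    return errors

def validate_policy(text: str) -> list:
    """Problems with the .well-known/mta-sts.txt body; an empty list means valid."""
    errors, fields, mxs = [], {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ":" not in line:
            errors.append(f"line without ':': {line.strip()!r}")
            continue
        k, v = (p.strip() for p in line.split(":", 1))
        if k == "mx":
            mxs.append(v)          # mx may repeat, so collect rather than overwrite
        else:
            fields[k] = v
    if fields.get("version") != STS_VERSION:
        errors.append("version must be STSv1")
    mode = fields.get("mode")
    if mode not in MODES:
        errors.append("mode must be enforce, testing or none")
    age = fields.get("max_age", "")
    if not re.fullmatch(r"[0-9]{1,10}", age) or int(age) > MAX_AGE:
        errors.append(f"max_age must be a plain integer of seconds, at most {MAX_AGE}")
    if mode != "none" and not mxs:   # assumed strictness: mx required unless mode is none
        errors.append("at least one mx field is required")
    return errors
```

Feed it the TXT string returned by your DNS lookup and the body fetched over HTTPS; a non-empty list is the reason the record or policy would be reported as invalid.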
