This repo has a folder for each MTA-STS mode (testing, enforce, none) with an mta-sts.txt file configured for the corresponding mode. By setting the publish directory in netfliy.toml you can easily switch which mode you are in.
You can also use the one repo with multiple Netlify sites if you manage multiple domain names that have the same MX records in DNS. If that is the case you could either use the one netlify.toml file to change the mode for all domains in one go, or if you prefer to manage their modes separately, delete the netlify.toml file and configure the publish directory in the Netlify UI for each site.
- Click to create your own template copy of this repo, or click the green button near the top right called "Use this template" to perform the same action.
- Now that you have your own copy, in each directory (testing, enforce, none), configure the mta-sts.txt file:
- If needed, modify the
mxkey/value pairs so there is a match for each MX record in your DNS. - if needed, modify
max_ageto your preferred time in seconds (between 1 day and 1 year)
- If needed, modify the
- In netfliy.toml, set which directory / MTA-STS mode you want published to Netlify
- Create a site:
- Point to your new repo in GitHub
- After the site is created and deployed, verify that you can get to the mta-sts.txt file by going to
https://your-site-name.netlify.app/.well-known/mta-sts.txt, and that it's showing the correct mode you entered as the publish directory in your netlify.toml file.
- Add your subdomain to the new site:
- Domain Management > Add a Domain
- Enter your subdomain
mta-sts.yourdomain.com - Copy the default subdomain (ex.
your-site-name.netlify.app), as you will need this for the next step to create a CNAME record in DNS.
Create the subdomain mta-sts and point it your site in Netlify.
- Go to your DNS management console (ex. Cloudflare, Amazon Route 53, etc.)
- Create a new CNAME record for
yourdomain.com
| Type | Name | Target |
|---|---|---|
CNAME |
mta-sts |
your-site-name.netlify.app |
Note: If you manage DNS with Cloudflare, disable the proxy and set to DNS only (uncheck the orange cloud)
- Go to
https://yourdomain.com/.well-known/mta-sts.txtto verify the site is working. You may have to wait a bit for DNS to propogate.
Create either a new mailbox, or an email alias to receive reports from other mail servers that support MTA-STS.
Address examples:
Optional: If you're creating an email alias, you could create a custom filter in Gmail to label all incoming mail sent to the alias you created and make them easier to find. (ex label. MTA-STS Reports)
With all the above in place, it's time to deploy your policy. Head back to your DNS management console and create two TXT records.
| Type | Name | Value |
|---|---|---|
TXT |
_smtp._tls |
v=TLSRPTv1;rua=mailto:[email protected]; |
TXT |
_mta-sts |
v=STSv1;id=1597582738053; |
_smtp._tls: Replace the email address with the one you created.
_mta-sts: Replace the timestamp 1597582738053 with either the current timestamp or another unique value (1–32 alphanumeric characters). You will need to update this value every time a change to your published policy is made to tell other mail servers there is a newer policy. You can get the current time stamp by going to Unix Time Stamp or whichever your preferred method is.
In your Google Workspace Admin Console, go to MTA-STS Configuration Diagnostics. If it shows "MTA-STS Configuration – Valid" you are good to go. If says "Invalid" go back and review any potential errors in your configuration.
- Google Workspace Admin Help: Increase email security with MTA-STS and TLS reporting
- IETF RFC 8461: SMTP MTA Strict Transport Security (MTA-STS)