SMTP TLS Reporting

What is SMTP TLS Reporting?

Much like HSTS makes TLS mandatory when using HTTP, MTA-STS makes encryption mandatory in SMTP, where it is currently optional. SMTP TLS Reporting, TLS-RPT for short, is the mechanism that lets us find out about any issues before we enforce our MTA-STS policy: the parties applying our policy send us reports on their delivery attempts.

Getting Started

Create your policy

The first step to setting up MTA-STS is to publish your policy. An example policy can be seen here:

version: STSv1
mode: testing
max_age: 86400

The version value can only be STSv1 and the mode value can only be one of testing, enforce or none.

testing - deliver the email whether MTA-STS passes or fails, but also send a report if delivery would have failed. This is highly recommended as your starting value.

enforce - do not deliver the email if the mx record does not match or if a secure connection cannot be established. Send a report if delivery fails.

none - effectively disables MTA-STS and clears the policy. No reports will be sent.

max_age - the number of seconds that another party should cache and apply this policy for.

This policy needs to be published on your website at a specific address. This is an example of a published policy address, located here:

Activate your policy

Your policy is activated by publishing a DNS record: 299 IN TXT "v=STSv1; id=1565808194"

The v value can only be set to STSv1 and the id value has to be a unique id that represents this policy; it must be changed whenever you change your policy.

Enable reporting

To enable SMTP TLS reporting you must add another DNS record: 300 IN TXT "v=TLSRPTv1;rua=mailto:{subdomain}"

The v value should be set to TLSRPTv1, which is the only valid value, and rua contains the location you'd like to send reports to.
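Before switching the mode from testing to enforce it is worth checking that the three pieces above (the policy file, the STSv1 TXT record and the TLSRPTv1 TXT record) are well formed and consistent. The following Python script is an added example, not code from the original page: it parses each piece against the field rules described on this page (and the corresponding rules of RFC 8461 and RFC 8460), and returns a list of findings. The record names `_mta-sts` and `_smtp._tls`, the 1-32 alphanumeric limit on `id`, the 31557600-second ceiling on `max_age`, and the acceptance of `https:` as well as `mailto:` report destinations come from those RFCs rather than from the page; the sample policy, record values and addresses are constructed.

```python
"""Pre-flight checks for an MTA-STS / TLS-RPT deployment (added example).

Not code from the original page. Checks the policy file (RFC 8461 fields
version/mode/max_age/mx), the _mta-sts TXT record (v=STSv1; id=...) and the
_smtp._tls TXT record (v=TLSRPTv1; rua=...). Sample inputs are constructed.
"""
import re

VALID_MODES = {"testing", "enforce", "none"}
MAX_AGE_CEILING = 31557600  # RFC 8461: max_age may not exceed one year


def parse_policy(text):
    """Parse policy text into a dict; raise ValueError on a hard defect."""
    policy = {"mx": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected 'key: value', got {raw!r}")
        if key == "mx":  # the only field that may appear more than once
            policy["mx"].append(value)
        elif key in policy:
            raise ValueError(f"line {lineno}: duplicate field {key!r}")
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be one of testing, enforce, none")
    if not re.fullmatch(r"[0-9]+", policy.get("max_age", "")):
        raise ValueError("max_age must be a whole number of seconds")
    policy["max_age"] = int(policy["max_age"])
    if policy["max_age"] > MAX_AGE_CEILING:
        raise ValueError(f"max_age exceeds the RFC 8461 maximum of {MAX_AGE_CEILING}")
    return policy


def parse_txt_record(rdata, expected_version):
    """Parse 'k=v; k=v' TXT record data into a dict and check its v= tag."""
    fields = {}
    for part in rdata.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"expected 'key=value', got {part!r}")
        if key in fields:
            raise ValueError(f"duplicate tag {key!r}")
        fields[key] = value.strip()
    if fields.get("v") != expected_version:
        raise ValueError(f"v must be {expected_version}")
    return fields


def parse_sts_record(rdata):
    """_mta-sts TXT record: v=STSv1 plus an id of 1-32 alphanumerics."""
    fields = parse_txt_record(rdata, "STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_tlsrpt_record(rdata):
    """_smtp._tls TXT record: v=TLSRPTv1 plus one or more rua destinations.

    RFC 8460 permits both mailto: and https: destinations, so both are
    accepted here although the page only shows mailto:.
    """
    fields = parse_txt_record(rdata, "TLSRPTv1")
    rua = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    if not rua:
        raise ValueError("rua must name at least one report destination")
    for uri in rua:
        if not (uri.startswith("mailto:") or uri.startswith("https://")):
            raise ValueError(f"rua destination {uri!r} is not mailto: or https:")
    fields["rua"] = rua
    return fields


def validate_deployment(policy_text, sts_rdata, tlsrpt_rdata):
    """Return a list of findings; an empty list means all three pieces check out."""
    findings = []
    try:
        policy = parse_policy(policy_text)
    except ValueError as exc:
        findings.append(f"policy: {exc}")
    else:
        if policy["mode"] != "none" and not policy["mx"]:
            # With no mx lines a sender has nothing to match the MX hostname against
            findings.append("policy: no mx lines, so senders cannot match your MX hosts")
    try:
        parse_sts_record(sts_rdata)
    except ValueError as exc:
        findings.append(f"_mta-sts record: {exc}")
    try:
        parse_tlsrpt_record(tlsrpt_rdata)
    except ValueError as exc:
        findings.append(f"_smtp._tls record: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed samples: the page's policy with an mx line added, plus the two records
    POLICY = "version: STSv1\nmode: testing\nmax_age: 86400\nmx: mail.example.com\n"
    STS_TXT = "v=STSv1; id=1565808194"
    TLSRPT_TXT = "v=TLSRPTv1;rua=mailto:tls-reports@example.com"
    for finding in validate_deployment(POLICY, STS_TXT, TLSRPT_TXT) or ["no findings"]:
        print(finding)
```

Run it against the policy text you intend to publish and the two TXT values as they will appear in your zone; anything it reports should be fixed while the mode is still testing, since a malformed record or policy is exactly what the reports arriving via rua would otherwise be telling you about.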