SMTP TLS Reporting


What is SMTP TLS Reporting?

Much like HSTS makes TLS mandatory for HTTP, MTA-STS makes encryption mandatory for SMTP, where it is currently optional. SMTP TLS Reporting, or TLS-RPT for short, is the mechanism by which other mail servers send you reports, so you can find out about any issues before you enforce your MTA-STS policy.


Getting Started


Create your policy

The first step to setting up MTA-STS is to publish your policy. An example policy can be seen here:

version: STSv1
mode: testing
mx: in1-smtp.messagingengine.com
mx: in2-smtp.messagingengine.com
max_age: 86400

The version value can only be STSv1 and the mode value can only be one of testing, enforce or none.

testing - deliver the email whether MTA-STS passes or fails, but also send a report if delivery would have failed. This is highly recommended as your starting value.

enforce - do not deliver the email if the mx record does not match or if a secure connection cannot be established. Send a report if delivery fails.

none - effectively disables MTA-STS and clears the policy. No reports will be sent.

max_age - the number of seconds that another party should cache and apply this policy for.

This policy must be published on your website at a specific address: the mta-sts subdomain of your domain, at the path /.well-known/mta-sts.txt. Here is an example of a published policy:

https://mta-sts.scotthelme.co.uk/.well-known/mta-sts.txt


Activate your policy

Your policy is activated by publishing a DNS record:

_mta-sts.scotthelme.co.uk. 299 IN TXT "v=STSv1; id=1565808194"

The v value can only be set to STSv1, and the id value must be a unique identifier for this policy that you change whenever you change your policy.


Enable reporting

To enable SMTP TLS reporting you must add another DNS record:

_smtp._tls.scotthelme.co.uk. 300 IN TXT "v=TLSRPTv1;rua=mailto:{subdomain}-d@tlsrpt.report-uri.com"

The v value must be set to TLSRPTv1, the only valid value, and rua is the address that reports should be sent to.
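As an added example (not code from the original page or from Report URI), the following Python parses and sanity-checks the three pieces set up above: the policy file, the _mta-sts TXT record and the _smtp._tls TXT record, and checks a receiving host against the policy's mx entries. The sample inputs are constructed from the page's examples with a placeholder rua address; the "*." wildcard handling in mx_matches goes beyond the page and follows RFC 8461.

```python
# Added example: validate MTA-STS / TLS-RPT artefacts offline. Sample inputs are constructed.

VALID_MODES = {"testing", "enforce", "none"}

def parse_policy(text):
    """Parse an MTA-STS policy body ('key: value' per line) into a dict; mx may repeat."""
    policy = {"mx": []}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def validate_policy(policy):
    """Return the problems found; an empty list means the policy is well-formed."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        problems.append("mode must be testing, enforce or none")
    if not policy["mx"]:
        problems.append("at least one mx line is required")
    if not policy.get("max_age", "").isdigit():
        problems.append("max_age must be a whole number of seconds")
    return problems

def parse_txt_record(record):
    """Parse a 'k=v; k=v' TXT record value (both DNS records use this shape) into a dict."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    return {k.strip(): v.strip() for k, _, v in (p.partition("=") for p in parts)}

def mx_matches(policy, mx_host):
    """True if mx_host matches an mx entry; '*.example.com' matches exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]) and host.count(".") == pattern.count("."):
                return True
        elif host == pattern:
            return True
    return False

# Constructed inputs mirroring the page's examples (the rua mailbox is a placeholder).
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: in1-smtp.messagingengine.com\nmx: in2-smtp.messagingengine.com\nmax_age: 86400\n"
SAMPLE_STS_TXT = "v=STSv1; id=1565808194"
SAMPLE_TLSRPT_TXT = "v=TLSRPTv1;rua=mailto:tlsrpt@example.com"
```

A policy that fails validate_policy is exactly the kind of problem a testing-mode deployment would surface in TLS-RPT reports, so run this check before publishing and again before switching to enforce.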


https://scotthelme.co.uk/improving-email-security-with-mta-sts/

https://scotthelme.co.uk/launching-smtp-tls-reporting/