
cPanel – Configuring Mail Transfer Agent Strict Transport Security (MTA-STS)

For further explanation read the following article: configuring-mail-transfer-agent-strict-transport-security-mta-sts.

Step 1: DNS TXT Record Configuration

Add a TXT record to your domain’s DNS settings:

_mta-sts.your-domain IN TXT "v=STSv1; id=12345678"

v=STSv1 is the version tag (STSv1 is currently the only version). id is an opaque string of up to 32 alphanumeric characters; change it every time you edit the policy file, because sending servers only refetch the policy when the id differs from the one they have cached.

Step 2: DNS A Record Configuration

Add an A record for the mta-sts subdomain that will host the policy file (1.2.3.4 is a placeholder for your web server's address; the address is not quoted in an A record):

mta-sts.your-domain IN A 1.2.3.4

Step 3: Policy File Configuration

Create an mta-sts.txt file in the .well-known directory of the mta-sts subdomain's document root. Start with mode: testing while you complete Step 6, and switch to mode: enforce only once the policy file and certificate are verified, because in enforce mode a mistake makes compliant senders refuse to deliver to you:

# document root of the mta-sts.your-domain subdomain, as used in this guide
mkdir -p /home/your-domain/public_html/mta-sts/.well-known
cat > /home/your-domain/public_html/mta-sts/.well-known/mta-sts.txt <<'EOF'
version: STSv1
mode: enforce
mx: mail1.your-domain
mx: mail2.your-domain
max_age: 604800
EOF

Step 4: TLS Reporting (Optional)

If you want to receive reports on failed TLS connections, add another TXT record to your DNS:

; TLSRPT is published under _smtp._tls, not under _mta-sts (RFC 8460)
_smtp._tls.your-domain IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@your-domain"

Step 5: Secure Web Server Configuration

Ensure your web server is configured to serve the mta-sts.txt file over HTTPS:

Obtain a valid TLS certificate for mta-sts.your-domain, for example from Let's Encrypt; OpenSSL can generate the key and CSR, but the certificate must be issued by a publicly trusted CA, since sending servers reject a self-signed or expired certificate and then treat the policy as unavailable.

Step 6: Test and Verify

After setting up, wait for DNS propagation, then test:

  • Use a web browser to access https://mta-sts.your-domain/.well-known/mta-sts.txt to ensure the policy file is accessible.
  • Check with online tools or your email provider to verify MTA-STS is correctly configured.
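
An offline check of the artefacts from Steps 1, 3 and 6, added here as an example and not part of the original guide: it parses the _mta-sts TXT record and the mta-sts.txt policy, validates their fields, and tests whether each MX hostname is covered by the policy's mx patterns. The sample record and policy are constructed to mirror the guide; they are not fetched from live DNS or HTTPS.

```python
import re

# Constructed sample inputs mirroring Step 1 and Step 3 above (not live DNS/HTTPS data).
SAMPLE_TXT = "v=STSv1; id=12345678"
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mail1.your-domain\r\n"
                 "mx: mail2.your-domain\r\nmax_age: 604800\r\n")

def parse_sts_txt(record):
    """Parse the _mta-sts TXT record; raise ValueError if it is malformed."""
    if not record.startswith("v=STSv1"):
        raise ValueError("record must begin with v=STSv1")
    fields = dict(p.strip().partition("=")[::2] for p in record.split(";") if p.strip())
    # id is what tells a sender the policy changed: 1-32 alphanumeric characters
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields

def parse_policy(text):
    """Parse mta-sts.txt ('key: value' lines) into a dict; 'mx' becomes a list."""
    policy = {"mx": []}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not sep:
            raise ValueError(f"malformed line {line!r}")
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("version must be STSv1 and mode one of enforce/testing/none")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx pattern")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > 31557600:  # RFC 8461 caps max_age at one year
        raise ValueError("max_age must be a non-negative integer <= 31557600 seconds")
    policy["max_age"] = int(age)
    return policy

def mx_matches(policy, mx_host):
    """Exact match, or a leading '*.' standing for exactly one label (*.d matches a.d, not a.b.d)."""
    host = mx_host.rstrip(".").lower()
    for pattern in (p.lower() for p in policy["mx"]):
        if pattern.startswith("*."):
            prefix = host[:-len(pattern[1:])] if host.endswith(pattern[1:]) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False
```

Run mx_matches against every hostname your domain's MX records actually point to; any host it rejects will be refused by MTA-STS-aware senders once the policy is in enforce mode.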

Conclusion

By implementing MTA-STS, you significantly enhance your email server's security by ensuring that inbound mail from MTA-STS-aware senders is delivered only over authenticated TLS. Remember to keep your certificates up to date and monitor your TLS reports for any issues. This step not only protects your communications but also builds trust with senders, ensuring that your domain is seen as secure and reliable.

Source : https://www.rfc-editor.org/rfc/pdfrfc/rfc8461.txt.pdf
