he first thing to do is clarify what MTA-STS actually is and why you need it, if you do not this post is not for you.
Let’s start with the definition that defines what the service actually does:
An MTA-STS (Mail Transfer Agent Strict Transport Security) record is a DNS-based mechanism that enhances the security of email delivery by enforcing the use of encrypted channels and protecting against downgrade attacks and certain types of man-in-the-middle (MITM) attacks. It helps ensure that emails are securely transmitted over TLS (Transport Layer Security).
This sounds amazing, The trouble is many people don’t actually enable and enforce this record, which could save on tax vectors via email and increase your security hygiene massively.
What are the key components of MTA-STS?
You have a file that needs to be hosted on a secure web server and a TXT entry in your DNS - let’s go over those now.
Policy File (Text File)
A policy file hosted on a secure web server defines how mail servers should handle messages destined for your domain, this need to be in the format like:
https://mta-sts.a6n.co.uk/.well-known/mta-sts.txt
The policy needs to contain the following information
- Version of the MTA-STS policy (v1)
- Operational mode (`enforce`, `testing`, or `none`).
- List of valid MX mail server hostnames.
- How long to cache the policy (in seconds)
version: STSv1
mode: testing
mx: mx1.forwardemail.net
mx: mx2.forwardemail.net
max_age: 604800
DNS TXT Record
You then need a DNS TXT Record which specifies the presence of a MTA-STE policy and points to the policy file, let’s take a look at that record in code:
_mta-sts.a6n.co.uk. IN TXT "v=STSv1; id=20250101T000000Z"
The record consist of the version (STSv1) and the ID (this is usually a timestamp that includes the date and time the policy was updated)
How does MTA-STS work?
I’m so glad you asked, It’s quite a simple process, but depending on the policy, you said it can reject your emails so just be careful. Your policy is correct if you’re going to straight to enforcement.
- When a sending mail server tries to deliver a message, it checks for the `_mta-sts` TXT record in the recipient domain's DNS.
- If the record exists, the sender retrieves and caches the policy file from the secure web server.
The policy ensures:
- Delivery is made only to the listed mail servers.
- TLS is always used; otherwise, delivery fails (if `mode=enforce`).
How much will it benefit me?
Well, email hygiene is about building up your layers of defense it works alongside other protection technologies like DMARC, SPF, and DKIM.
If you enable STA-MTA on its own and neglect all the other protections you will get minimal results from this amazing protection.
Creating Storage Account for mta-sts.txt
The first step is to create a Storage Account in Entra, login to Entra then choose Storage Accounts:
Then we need to Create a new volume:
Then we need to give this a resource groups, then a name and ensure you choose LRS for Redundancy (as I do not need availability) then you can review and create:
You then in the usual fashion need to review the details you just entered, you need to click Create:
This will then submit and start the deployment, hang on a moment here until its completed, when this is the case you will get a screen like this, click "Go to Resource" as below:
When on the resource choose Data Management>Static Website then Enable that option and click save as below:
You will then see your address to get to this storage under Primary Endpoint,
If we try to visit that URL there is nothing uploaded so you will see this in the browser, which is normal as we are not done yet.
We now need to navigate to Data Storage>Containers and notice you will see a $web folder click on this folder:
This should show you an empty folder with nothing in it which is the correct state for this folder, however now we need to click Upload as below:
This next bit requires Powershell as Explorer gets all precious with not allowing folders with a dot (.) at the start of them so the commands we need for this example are:
mkdir StorageAccount
cd StorageAccount
mkdir .well-know
ls
This should look like this in Powershell:
We not can see the folder called .well-known open that in Explorer create a new text file called mta-sts.txt and then paste the contents from the earlier example into this file and save that file:
We now need to go back to the .well-know folder and drag and drop that on the upload area of the website from earlier
This will then confirm you are uploading mts-sts.txt to this storage account (the folder as well but that is not shown) then click Upload:
We now have a problem the URL is fractured and incorrect lets review below:
Current URL : https://mtapolicy.z13.web.core.windows.net/.well-known/mta-sts.txt
Required URL : https://mta-sts.a6n.co.uk/.well-known/mta-sts.txt
This will be a problem as the policy file cannot be looked up, so this will fail.
Yes, this is where I immediately went to first, with this process you create a web forwarding rule using the HTTP 302 (permanent forward) and include the path in that redirection.
- Add mta-sts.a6n.co.uk CNAME to the web forwarder
- Web Request is then forwarded to https://mtapolicy.z13.web.core.windows.net
- Forwarding uses HTTP 302 (for permanent redirection)
- Forwarding preserve the path added by the client (as we need /.well-known/mta-sts.txt)
- Web requests then serves the required URL as the original URL
<frameset rows="100%"><frameset cols="100%"><frame src="https://mtastsmail.z13.web.core.windows.net/" frameborder="0" scrolling="auto"></frameset></frameset>
Right of course, that is because the content type could be set to HTML, so lets check that on the Storage account:
No, the content type is correct, it should be text/plain so the web forwarding is causing the policy to be invalid, this will not work in this state.
Then we need to create a new Front Door with Create:
We then need to ensure we have Azure Front Door and Quick Create as below then Continue to create a front door needs a click:
We then need to give this details like Name and Tier (Premium is expensive) and endpoint name the why type of resource it will be linked to then we need to review and create:
Review the details from earlier
This will take a moment to deploy but after a short wait you should end up with a screen like this, when you do use the Go to Resource button:
Then we need Settings>Domains and we need to choose Add:
We then need to enter the custom domain after choosing "All other DNS services" as this DNS zone is external to Azure then we need to click Add:
We then need to add this record to that zone file as you can see below:
You can check the status of this using nslookup with this command:
nslookup -q=txt _dnsauth.mta-sts.a6n.co.uk
You need to give this some time as Microsoft is not so quick, they are not seeing this record yet:
While you wait if you look on the end the domain addition click on the three dots then choose Associate as below:
Then you need to choose your endpoint, which is easy for me as there is only one, then click Associate as below:
This will then get to work linking your Domain to the Front Door policy and default route, this will take a moment, however when you check the domains again you will notice that the TXT records as been found and approved, the association is now complete and the certificate has been generated, sweet.
However this is not all good news on the other end other domains we get error to say the CNAME is not detected - lets get that fixed now....
It is expecting this as the CNAME but before we can do that we need the Front Name name, so from Settings>Front Door Manager click that option then you will see the FQDN address you need for the DNS record:
Now we can form our DNS record which should be:
This now need to be updated in the DNS zone as before, that should look like this:
Then when the update was been detected your Domain view should then show that "Traffic is delivered securely" as below:
Then we need to run a MTA-STS analyser to ensure that the policy file is not valid and accessible, I use this MTA-STS checker from the link here