Hosted MTA-STS

The Hosted MTA-STS page lets you configure MTA-STS (Mail Transfer Agent Strict Transport Security) for your domain through Palisade. MTA-STS tells sending mail servers that they must deliver to your domain over TLS, preventing downgrade attacks in which a man-in-the-middle strips the STARTTLS offer and reads mail delivered in plaintext.

note

Hosted MTA-STS requires DMARC monitoring to be set up first. Enable it from the gear menu on the Domain Overview page.

How It Works

MTA-STS works by publishing a policy file at https://mta-sts.<yourdomain>/.well-known/mta-sts.txt along with a DNS TXT record at _mta-sts.<yourdomain>, whose id value tells sending servers when the policy has changed and must be re-fetched. When Hosted MTA-STS is active, Palisade hosts the policy file and manages the DNS records via CNAME delegation.

DNS Setup

Palisade provides two CNAME records to add to your DNS:

  1. A CNAME for mta-sts.<yourdomain> — points to the Palisade-hosted policy file
  2. A CNAME for _mta-sts.<yourdomain> — points to the Palisade-managed TXT record

Policy Configuration

Mode

  • Testing — report-only mode. Sending servers will still deliver in plaintext if TLS fails, but will send TLS-RPT reports. Use this initially to verify your mail servers support TLS.
  • Enforce — strict mode. Sending servers must use TLS or the message will not be delivered.
  • None — disables the policy.

warning

Always start in Testing mode. Enforce mode will cause mail delivery failures if any sending server cannot negotiate a TLS connection with your mail servers. Run in Testing for at least a week and review TLS-RPT reports to confirm all inbound mail is arriving over TLS before switching to Enforce.

Max Age

Controls how long sending servers cache the policy. Options:

  • 1 day — useful during testing or when making frequent changes
  • 1 week — a good balance for active configuration
  • 30 days — recommended for stable configurations
  • 1 year — maximum caching for stable, long-term policies

MX Hosts

The list of mail server hostnames that are authorized to receive mail for your domain. Palisade auto-populates this from your MX records.
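The policy file that Palisade hosts is built from exactly the three settings above (mode, max age in seconds, MX hosts). The following added example, which is not Palisade's code, parses such a policy file, checks that its fields are valid, and reports which of your MX hosts would not be covered by its mx lines; the domain names are constructed placeholders.

```python
# Constructed sample policy body (placeholder domain) in the RFC 8461 key/value format
SAMPLE_POLICY = """\
version: STSv1
mode: testing
mx: mail1.example.com
mx: *.mx.example.com
max_age: 604800
"""


def parse_policy(text):
    """Parse a policy file body into a dict; 'mx' may repeat, so it is kept as a list."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())  # hostnames compare case-insensitively
        else:
            policy[key] = value
    return policy


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is well-formed."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("testing", "enforce", "none"):
        problems.append("mode must be testing, enforce or none")
    # 31557600 seconds (one year) is the upper bound RFC 8461 allows for max_age
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > 31557600:
        problems.append("max_age must be an integer of at most 31557600 seconds")
    if policy.get("mode") != "none" and not policy["mx"]:
        problems.append("a testing or enforce policy needs at least one mx line")
    return problems


def mx_matches(pattern, hostname):
    """RFC 8461 matching: exact match, or a leading '*.' that covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = "." + pattern[2:]
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return pattern == hostname


def unauthorized_mx(policy, mx_hosts):
    """MX hosts no mx line covers; in enforce mode senders would refuse to deliver to them."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]
```

Running unauthorized_mx against your real MX records before switching to Enforce catches the mismatch that would otherwise surface only as delivery failures.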

Domain Status

A status badge at the top shows:

  • Active — MTA-STS is live and verified
  • Verifying — waiting for DNS propagation
  • Error — DNS verification failed
  • Inactive — MTA-STS is not enabled

Disabling Hosted MTA-STS

To disable MTA-STS, click Disable and confirm the action. You should also remove the CNAME records from your DNS provider.