📩 A Template to host an MTA-STS Policy file on GitHub

Use this template to host your MTA Strict Transport Security (MTA-STS) [RFC 8461] policy file on GitHub Pages.

How To Use • License • Author

MTA-STS is a security standard to secure e-mail delivery. E-mail servers that send inbound e-mail to your domain will be able to detect that your e-mail server supports SMTP-over-TLS via `STARTTLS` (also known as [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS)) before opening the actual connection. In case the sending e-mail server is not able to initiate a secure connection, it will end the connection to enforce transport layer encryption. This mitigates [Man-in-the-middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) DNS and SMTP [downgrade attacks](https://en.wikipedia.org/wiki/Downgrade_attack) that would allow an attacker to read or manipulate e-mail in transit. ## How To Use 1. Make sure you are [signed in to GitHub](https://github.com/login). Then click on [**Use this template**](https://github.com/jpawlowski/mta-sts.template/generate) to create a copy to your own GitHub profile (see [GitHub Docs](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-repository-from-a-template)). Don't _clone_ the repository. You may name your repository whatever you like. For simplicity, you can name it `mta-sts.`. 2. Change the file `.well-known/mta-sts.txt` according to your needs. 3. Create a `CNAME` record for `mta-sts.` in your domain's DNS that points to `.github.io` or `.github.io` and [enable GitHub Pages](https://docs.github.com/articles/using-a-custom-domain-with-github-pages/). 4. Open a browser to `https://mta-sts.` and make sure it does not show any certificate warnings. 5. Create a `TXT` record for `_mta-sts.` in your domain's DNS to enable the MTA-STS policy for your domain. You may copy & paste this to your DNS provider: ```dns #HOST #TTL #TYPE #VALUE _mta-sts 3600 TXT "v=STSv1; id=20220317000000Z" ``` **Note that you will need to change the `id=` here whenever you make changes to your `mta-sts.txt` policy file.** 6. Validate your setup, for example by using the [MTA-STS Lookup by MXToolBox](https://mxtoolbox.com/mta-sts.aspx), or looking into your [Hardenize Public Report](https://www.hardenize.com/). _Optional (but **highly recommended**):_ 7. Create another `TXT` record for `_smtp._tls.` in your domain's DNS to enable reporting (see [RFC 8460](https://datatracker.ietf.org/doc/html/rfc8460)). You may copy & paste this to your DNS provider: ```dns #HOST #TTL #TYPE #VALUE _smtp._tls 3600 TXT "v=TLSRPTv1; rua=mailto:tls-rua@mailcheck." ``` Note that the e-mail recipient mailbox shall be on a different domain _without_ MTA-STS being configured. This could be a subdomain like `mailcheck.`. It is also quite painful to manually deal with the reports other e-mail providers will send to you. For that particular reason, you may want to consider sending these e-mails to a 3rd-party tool like [Report URI](https://report-uri.com/), [URIports](https://www.uriports.com/), or from other commercial providers. You probably want this to be the same tool you might use for DMARC reports, like [DMARC Analyzer](https://www.dmarcanalyzer.com/) or [Dmarcian](https://dmarcian.com/). ## License [MIT License](https://github.com/jpawlowski/mta-sts.template/blob/gh-pages/LICENSE) ## Author [julian.pawlowski.me](https://julian.pawlowski.me/)  ·  GitHub [@jpawlowski](https://github.com/jpawlowski/mta-sts.template)  ·  Mastodon [@Loredo@chaos.social](https://chaos.social/@Loredo)