Pre-requirements

  • Access to either your cPanel, Plesk, or Google Cloud DNS environment or administrative access to your DNS management interface.
  • A valid SSL/TLS certificate for your domain.
  • Basic knowledge of DNS records and TXT record management.
  • Access to SSH for Linux-based environments (optional but recommended).
  • A subdomain of your domain. The subdomain name must start with mta-sts, for example: mta-sts.example_domain.com

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that lets a domain require sending mail servers to deliver to it over encrypted connections. By configuring MTA-STS, you enhance email security: senders must use TLS with a valid certificate when connecting to your MX hosts, which prevents downgrade and man-in-the-middle attacks on inbound mail. This guide will walk you through setting up MTA-STS on cPanel, Plesk, and Google Cloud DNS.

How to Configure MTA-STS: A Complete Guide for cPanel, Plesk, and Google Cloud DNS

Step 1: Set Up MTA-STS TXT Record

cPanel

  1. Log in to your cPanel dashboard.
  2. Navigate to Zone Editor under the Domains section.
  3. Click on Manage next to the domain where you want to add the MTA-STS record.
  4. Scroll down to Add a Record and select Add TXT Record.
  5. Enter the following details:
    • Name: _mta-sts.example_domain.com
    • TTL: 3600
    • Type: TXT
    • Record: v=STSv1; id=20241001000000;
  6. Click Save Record.

Plesk

  1. Log in to your Plesk control panel.
  2. Navigate to Websites & Domains and select your domain.
  3. Click on DNS Settings.
  4. Click Add Record and choose TXT.
  5. Enter the following:
    • Domain: _mta-sts.example_domain.com
    • TTL: 3600
    • Record type: TXT
    • Record: v=STSv1; id=20241001000000;
  6. Click OK and Apply Changes.

Google Cloud DNS

  1. Log in to the Google Cloud Console.
  2. Navigate to Cloud DNS under the Networking section.
  3. Select your DNS zone.
  4. Click Add Record Set.
  5. Configure the following:
    • Name: _mta-sts.example_domain.com
    • Type: TXT
    • TTL: 3600
    • Text: v=STSv1; id=20241001000000;
  6. Click Create.

Step 2: Create MTA-STS Policy File

This file tells sending mail servers which MX hosts may receive mail for your domain and whether they must deliver over TLS. It must be hosted under the HTTPS path https://mta-sts.example_domain.com/.well-known/mta-sts.txt.

Policy File Contents

version: STSv1
mode: enforce
mx: *.example_domain.com
max_age: 86400

Hosting the Policy File

  • Create the .well-known directory in your website's root folder if this folder doesn't already exist.
  • Place the mta-sts.txt file inside the .well-known directory.

Linux Command to Create the Directory and File

mkdir -p /var/www/html/.well-known
vim /var/www/html/.well-known/mta-sts.txt

For cPanel, run the following commands to create the directory and the file (the path must be .well-known/mta-sts.txt, exactly as in Step 2):

mkdir -p /home/username/public_html/.well-known
touch /home/username/public_html/.well-known/mta-sts.txt

Then, paste the MTA-STS policy content into the file and save it.

You can also create the policy file in one step with a here-document:

cat > /home/username/public_html/.well-known/mta-sts.txt << 'EOF'
version: STSv1
mode: enforce
max_age: 86400
mx: mail.example_domain.com
mx: backup-mail.example_domain.com
EOF

Then set the proper permissions so the web server can read the file:

chmod 644 /home/username/public_html/.well-known/mta-sts.txt

For Plesk, using your terminal (Websites & Domains >> Dashboard >> SSH Terminal) run the following commands to create the directory and the file:

mkdir -p /var/www/vhosts/example_domain.com/httpdocs/.well-known
touch /var/www/vhosts/example_domain.com/httpdocs/.well-known/mta-sts.txt

Add the following to your domain's Apache configuration so the policy is served with a text/plain Content-Type (requires mod_headers):

<Location "/.well-known/mta-sts.txt">
    Header set Content-Type "text/plain"
</Location>

Step 3: Run MTA-STS Diagnostics

Testing your MTA-STS setup is important to ensure it's working properly. Use the following tools for diagnostics.

MTA-STS TXT Record Diagnostic

    • Use an online tool like MXToolbox to verify the MTA-STS TXT record for your domain.
    • Or use a command-line check with dig:

dig TXT _mta-sts.example_domain.com

MTA-STS Policy Diagnostic

    • Check your policy file with an online MTA-STS validator, or use curl to verify the HTTPS policy location and confirm that the response is 200 with a text/plain Content-Type:

curl -I https://mta-sts.example_domain.com/.well-known/mta-sts.txt

Reporting Policy Diagnostic

SMTP TLS Reporting (TLS-RPT), a companion standard to MTA-STS, lets sending servers report back whether they could apply your policy and which TLS failures they hit. You enable it with the following DNS record:

    • Create a TXT record for _smtp._tls.example_domain.com:

v=TLSRPTv1; rua=mailto:reports@example_domain.com

You can verify this with an online tool or command-line utility.
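As an added example that is not part of this guide, the following Python script applies the checks that the dig and curl diagnostics above leave to the reader: it parses the _mta-sts TXT record from Step 1 and the policy file from Step 2, validates them against the field rules of RFC 8461 (version, mode, max_age, mx patterns), and tests whether a given MX hostname is covered by the policy's mx lines, including the one-label rule for *. wildcards. The sample record and policy are constructed from this guide's own values; the function names are mine.

```python
import re

# Constructed sample inputs (not live DNS or HTTP data), copied from this guide.
SAMPLE_TXT_RECORD = "v=STSv1; id=20241001000000;"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example_domain.com\nmx: *.example_domain.com\nmax_age: 86400\n"

def parse_sts_record(txt):
    """Parse the _mta-sts.<domain> TXT record into a dict; raise if it is malformed."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    kv = dict(p.split("=", 1) for p in parts if "=" in p)
    if not parts or parts[0] != "v=STSv1":
        raise ValueError("record must begin with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", kv.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return kv

def valid_mx_pattern(pat):
    """A pattern is a hostname, optionally with one leading '*.' wildcard label."""
    labels = pat.split(".")
    rest = labels[1:] if labels[0] == "*" else labels
    return len(rest) >= 2 and all(lab and "*" not in lab for lab in rest)

def parse_policy(text):
    """Parse the policy file body; returns (policy dict, list of validation errors)."""
    policy, errors = {"mx": []}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        elif sep:
            policy[key.strip()] = value.strip()
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        errors.append("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > 31557600:
        errors.append("max_age must be a number of seconds, at most 31557600")
    if not policy["mx"]:
        errors.append("at least one mx line is required")
    errors += [f"invalid mx pattern: {m}" for m in policy["mx"] if not valid_mx_pattern(m)]
    return policy, errors

def mx_matches(patterns, mx_host):
    """True if an MX hostname is covered by a policy mx pattern ('*.' covers exactly one label)."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if host == pat or (pat.startswith("*.") and host.endswith("." + pat[2:])
                           and "." not in host[: 1 - len(pat)]):
            return True
    return False
```

To check a live domain, pass the quoted string that dig returns to parse_sts_record and the body that curl returns to parse_policy, then run mx_matches over each MX hostname from dig MX example_domain.com.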

Step 4: Update DNS TTLs

Ensure that your DNS Time to Live (TTL) is not too high while testing. We recommend setting it to 3600 seconds (1 hour) initially, and you can increase it after confirming everything is working.

Gotchas to Avoid

  • Start with mode: testing before switching to mode: enforce.
  • Ensure your SSL/TLS certificate is valid and includes the domain mta-sts.example_domain.com.
  • Remember to place the policy file under HTTPS and verify it via https://mta-sts.example_domain.com/.well-known/mta-sts.txt.
  • Monitor the reports generated by the _smtp._tls.example_domain.com record to see how well your policy is being enforced.

Step 5: Test Your Configuration

After configuring MTA-STS and the associated DNS records, it's critical to test the setup to ensure proper functionality. Here's how you can test it:

  • Use an MTA-STS testing tool at the end of this guide to check for any issues.
  • Run the following dig commands to verify the TXT records:

dig TXT _mta-sts.example_domain.com
dig TXT _smtp._tls.example_domain.com

Test policy file access to ensure readability:

curl -v https://mta-sts.example_domain.com/.well-known/mta-sts.txt

The HTTP status code you see will usually be one of these:

  • 200: Success
  • 404: Policy file not found
  • 403: Permission denied
  • 500: Server error

Best MTA-STS Practices

  1. Regular Updates
    • Update the policy ID whenever making changes
    • Use timestamp format: YYYYMMDDHHMMSSZ
  2. Monitoring
    • Implement logging for policy requests
    • Monitor TLS report emails
    • Set up alerts for policy fetch failures
  3. Security Considerations
    • Always use HTTPS for policy host
    • Keep SSL certificates up to date
    • Use appropriate file permissions
  4. Testing
    • Start with mode: testing
    • Monitor reports before enforcing
    • Gradually increase max_age

Common Issues and Solutions

  1. Policy Not Found
    • Check file path and permissions
    • Verify HTTPS configuration
    • Ensure correct Content-Type header
  2. DNS Propagation
    • Wait for TTL expiration
    • Use multiple DNS resolvers to verify
    • Check for syntax errors
  3. SSL Certificate Issues
    • Verify certificate validity
    • Check certificate chain
    • Ensure proper SSL configuration
  4. Reporting Problems
    • Verify report email address
    • Check spam filters
    • Ensure correct TXT record format

GUI Tools To Check Your MTA-STS Configuration

By properly configuring MTA-STS on your cPanel or Plesk, you're taking an important step in securing your email communication. However, remember to always test your configuration thoroughly before enabling enforcement mode. Start with a short max_age value and gradually increase it as you confirm everything works correctly.
