
How to setup Mail Transfer Agent Strict Transport Security (MTA-STS) in MDaemon

SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections.

SMTP MTA Strict Transport Security (MTA-STS) can also specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.  

There are several requirements for utilizing MTA-STS in MDaemon:

  • SSL, STARTTLS, and STLS must be enabled.
  • A valid certificate from a trusted root authority must be in place for participating domains.
  • TLS 1.2 or 1.3 support on the Windows server.

To set up MTA-STS for your own domain, you will need an MTA-STS policy file that can be downloaded via HTTPS from the URL https://mta-sts.company.test/.well-known/mta-sts.txt, where "company.test" is your domain name. 

In your domain's DNS manager, create an A record named mta-sts whose content is the static IP address of the MDaemon server.

Create a new TXT record in your DNS manager.  Use _mta-sts as the record name.  Enter v=STSv1; id=20220408T010101; for the record's content.  The value for id must be changed every time the policy file is changed. It is common to use a timestamp for the id.

Using a text editor, create your policy file. The policy text file should contain lines in the following format:

version: STSv1
mode: testing
mx: mail.company.test
max_age: 86400

  • Mode can be none, testing, or enforce.
    • none - The sending server should treat the policy domain as though it does not have an active policy.
    • testing - Messages may still be delivered as though there were no MTA-STS validation failure.
    • enforce - Sending servers must not deliver the message to hosts that fail MX matching or certificate validation, or that do not support STARTTLS.
  • There should be an "mx:" line for each of your MX hostnames.
  • A wildcard can be used for subdomains, such as *.company.test.
  • Max age is in seconds. Common values are 86400 (1 day) and 604800 (1 week).
  • Place the policy text file in the \MDaemon\WorldClient\HTML\.well-known\ directory on the server where MDaemon is installed. 

Verify that the mta-sts.txt policy file is available by opening a browser and navigating to https://mta-sts.company.test/.well-known/mta-sts.txt.  If the policy is displayed, the configuration is complete.
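The TXT record and policy file described above can be checked locally before they are published. The following is an added example and is not MDaemon's code or part of this article: it parses the _mta-sts TXT record and the mta-sts.txt body, validates the fields, and applies the MX matching rule (a wildcard such as *.company.test matches exactly one label) to the domain's actual MX hostnames, which is the check that matters before changing mode from testing to enforce. The sample record, policy text, and MX hostnames are constructed values.

```python
"""Sanity-check an MTA-STS TXT record and policy file before publishing them.

Added example, not MDaemon's code. All inputs are constructed inline; nothing
is fetched from DNS or HTTPS, so it runs offline.
"""
import re

# Constructed sample inputs (assumed values, not taken from any live domain).
SAMPLE_TXT_RECORD = "v=STSv1; id=20220408T010101;"
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mail.company.test
mx: *.backup.company.test
max_age: 86400
"""

VALID_MODES = {"none", "testing", "enforce"}
MAX_AGE_LIMIT = 31557600  # one year, the upper bound allowed by RFC 8461
HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)


def parse_txt_record(record: str) -> dict:
    """Parse 'v=STSv1; id=...;' into a dict; raise ValueError if malformed."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed TXT field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must start with v=STSv1")
    # The id is 1 to 32 alphanumeric characters; it must change with every policy edit.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text: str) -> dict:
    """Parse the mta-sts.txt body into {'version', 'mode', 'mx': [...], 'max_age'}."""
    policy = {"mx": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())  # one mx line per MX hostname
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"line {lineno}: duplicate {key}")
            policy[key] = value
        else:
            # Unknown keys must be ignored by receivers; keep them so an operator can see them.
            policy.setdefault("extensions", {})[key] = value
    return policy


def validate_policy(policy: dict) -> list:
    """Return a list of problems; an empty list means the policy is publishable."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        problems.append("mode must be none, testing, or enforce")
    if not policy["mx"]:
        problems.append("at least one mx line is required")
    for host in policy["mx"]:
        if not HOSTNAME_RE.match(host):
            problems.append(f"invalid mx hostname: {host}")
    try:
        max_age = int(policy.get("max_age", ""))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            problems.append("max_age out of range")
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    return problems


def mx_matches(mx_host: str, pattern: str) -> bool:
    """MX matching rule: '*.company.test' matches exactly one label under company.test."""
    mx_host, pattern = mx_host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.company.test"
        return mx_host.endswith(suffix) and "." not in mx_host[: -len(suffix)]
    return mx_host == pattern


def check_deployment(txt_record: str, policy_text: str, mx_hosts) -> list:
    """Run every check an operator wants green before switching mode to enforce."""
    problems = []
    try:
        parse_txt_record(txt_record)
    except ValueError as exc:
        problems.append(f"TXT record: {exc}")
    policy = parse_policy(policy_text)
    problems.extend(validate_policy(policy))
    # Under enforce, any real MX host not covered by an mx line will stop receiving mail.
    for host in mx_hosts:
        if not any(mx_matches(host, pattern) for pattern in policy["mx"]):
            problems.append(f"MX host {host} is not covered by any mx line")
    return problems


if __name__ == "__main__":
    # Constructed list standing in for the domain's real MX records.
    issues = check_deployment(SAMPLE_TXT_RECORD, SAMPLE_POLICY,
                              ["mail.company.test", "mx2.backup.company.test"])
    print("OK" if not issues else "\n".join(issues))
```

Pass the domain's real MX hostnames (looked up separately) as mx_hosts; the policy file only needs to be edited and the id in the TXT record bumped when the list changes, and a host reported as not covered is exactly the one that would be refused by sending servers once mode is enforce.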