MTA-STS for Beginners – Protecting inbound email with secure delivery rules

December 19, 2025

Anne Allen

NuStart Email Trust Series — Post 6 of 10

MTA-STS for Beginners is a little bit of a stretch – it is a little on the technical side but I have tried to keep it as non-jargon as possible – Email deliverability is full of acronym soup—SPF, DKIM, DMARC, TLS—and most nonprofits and small businesses don’t have time to become part-time email engineers. In this series, I translate the geeky jargon into plain-English concepts and simple actions. You run the organization; I’ll do the nerding.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a way to publish a policy that tells other mail servers:

  1. “When emailing my domain, use TLS encryption,” and
  2. “Only deliver to these approved MX servers,” and
  3. “If you can’t deliver securely, don’t silently downgrade to insecure delivery” (when in enforce mode).

In simple terms: it strengthens inbound email delivery to your domain so messages are harder to intercept or downgrade in transit.

This matters for nonprofits and small businesses because email often includes donor info, invoices, grant paperwork, internal ops, and sensitive coordination.

MTA-STS for Beginners Protecting inbound email with secure delivery rules

The two things MTA-STS needs

MTA-STS requires both:

1) A DNS TXT record (the “policy exists” flag)

You publish a TXT record at:

_mta-sts.yourdomain.com

Example:

v=STSv1; id=20251219

That id= value is how you tell senders “I updated my policy—recheck it.”

2) An HTTPS policy file (the actual rules)

You host a plain text file at:

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

This file lists:

  • mode: (testing / enforce / none)
  • allowed mx: hosts
  • max_age: (how long senders cache the policy)

The modes (start safe)

mode: testing

This is the recommended starting point. It lets you roll out safely and catch mistakes without accidentally blocking mail.

mode: enforce

Strict mode. If a sender supports MTA-STS and can’t deliver using TLS to your approved MX hosts, delivery should fail (instead of falling back insecurely).

mode: none

Effectively off.


Example MTA-STS policy file

If you use Google Workspace, your policy commonly looks like:

version: STSv1
mode: testing
mx: aspmx.l.google.com
mx: alt1.aspmx.l.google.com
mx: alt2.aspmx.l.google.com
mx: alt3.aspmx.l.google.com
mx: alt4.aspmx.l.google.com
max_age: 604800

Important: your mx: lines must match your real MX setup. If you migrate email providers later, you must update this policy (and update the DNS id=).


Why nonprofits and small businesses like MTA-STS (in practice)

MTA-STS is not flashy. It’s one of those “quiet reliability” upgrades:

  • reduces risk of TLS downgrade during delivery (for senders that support it)
  • locks mail delivery to your legitimate MX servers
  • adds professionalism and trust signals to your domain’s posture
  • pairs well with TLS-RPT (next post) so you can see failures

Hosting the MTA-STS policy with a Cloudflare Worker (simple and reliable)

A common challenge is: “Where do I host this tiny text file so it’s always up, always HTTPS, and not tied to my website platform?”

A Cloudflare Worker is a great fit because it’s:

  • fast and globally available
  • easy to maintain
  • independent from your WordPress stack
  • perfect for serving one small static file

How it works

You set up the subdomain mta-sts.yourdomain.com on Cloudflare, then route:

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

to a Worker that returns your policy text with a text/plain content type.

Worker example (ready to paste)

export default {
  async fetch(request, env, ctx) {
    const url = new URL(request.url);

    // Only serve the official policy path
    if (url.pathname === "/.well-known/mta-sts.txt") {
      const policy = `version: STSv1
mode: testing
mx: aspmx.l.google.com
mx: alt1.aspmx.l.google.com
mx: alt2.aspmx.l.google.com
mx: alt3.aspmx.l.google.com
mx: alt4.aspmx.l.google.com
max_age: 604800`;

      return new Response(policy, {
        headers: {
          "content-type": "text/plain; charset=utf-8",
          // Optional: encourage caching at the edge; senders still obey max_age for policy caching logic
          "cache-control": "public, max-age=3600",
        },
      });
    }

    // Optional: give a friendly response on the root
    if (url.pathname === "/") {
      return new Response("MTA-STS policy host", {
        headers: { "content-type": "text/plain; charset=utf-8" },
      });
    }

    return new Response("Not found", { status: 404 });
  },
};

Cloudflare setup notes (non-geek version)

  • Create/ensure the DNS record for mta-sts.yourdomain.com is in Cloudflare.
  • Attach the Worker to that hostname using Routes or a Custom Domain.
  • Confirm the URL loads in a browser and shows the exact policy text.

/

Managed Hosting Reality Check

If you’re on managed WordPress hosting, you’re not doing anything wrong if this feels awkward.

Many managed hosts assume WordPress owns the root domain and make “tiny infrastructure files on a subdomain” harder than it should be.

The good news: MTA-STS doesn’t need to live inside WordPress at all.

The simplest, most reliable approach is to host mta-sts.yourdomain.com outside the website stack (for example, with a Cloudflare Worker or a small static host) so site updates, plugin issues, or maintenance mode never accidentally impact your email security policy.


Implementation checklist (safe rollout)

  • Confirm your MX records first (what actually receives mail for your domain)
  • Create the policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  • Publish _mta-sts TXT record: v=STSv1; id=YYYYMMDD
  • Start with mode: testing
  • After validation, switch to mode: enforce and update the id=

Common mistakes (so you don’t step on a rake)

  1. Policy file path wrong (must be /.well-known/mta-sts.txt)
  2. No valid HTTPS on mta-sts. subdomain
  3. MX mismatch between DNS and policy file
  4. Switching providers and forgetting to update MTA-STS
  5. Going to enforce before you’re sure everything is correct

MTA-STS FAQs

Does MTA-STS improve deliverability?

Indirectly. It’s mainly transport security for inbound delivery, not spam placement. The biggest deliverability drivers are still SPF/DKIM/DMARC + reputation.

Does MTA-STS stop spoofing?

Not by itself. Spoofing protection is primarily DMARC. MTA-STS protects delivery security (TLS + correct MX) for inbound mail.

Should I start with testing or enforce?

Start with testing, then move to enforce after you confirm the policy is correct and stable. I would keep it as testing for at least 2 weeks and review reports

What is MTA-STS max_age?

How long (in seconds) sending servers cache your policy. A common value is 604800 (7 days).

Do I need to update the id= in DNS?

Yes—whenever you change the policy file. Think of it as “policy version.”

Can I host the MTA-STS policy on my website?

Yes, but I usually prefer hosting it separately (Worker/static host) so a website outage, redirect, maintenance mode, or plugin issue doesn’t accidentally break your email security policy.

What if I’m on managed WordPress hosting and I can’t easily add mta-sts.yourdomain.com?

This is common. Many managed WordPress setups assume your domain “root” belongs to WordPress, and adding extra subdomains or custom files can be awkward.
You still have a few practical options:
Best option: host mta-sts.yourdomain.com outside the WordPress stack (Cloudflare Worker, static host, or CDN). This avoids needing a new site install on your managed host and is usually the most reliable approach.
If your DNS is on Cloudflare: you can route mta-sts.yourdomain.com directly to a Worker (no WordPress install required).
– If you can create subdomains in DNS but not in hosting: that’s fine—the subdomain doesn’t have to exist as a WordPress site if you’re using a Worker/static host to serve the file.
If you truly cannot create subdomains at all: you may be blocked from implementing MTA-STS properly, because the standard expects mta-sts.<domain> over HTTPS. In that case, focus on TLS best practices plus DMARC, and revisit MTA-STS when DNS control allows subdomains.

Want NuStart to handle this for you?
If you’d rather not wrestle with DNS records, alignment, and testing, NuStart can audit your current setup and implement a clean, reliable Email Trust configuration end-to-end. Request an Email Trust Audit today to get started.

Up next
Next: Post 7 — TLS-RPT: Getting alerts when encrypted delivery fails

Anne Allen

About the author

Hi, I’m Anne Allen. I’ve spent the last 15 years living and breathing WordPress. I’m passionate about helping business owners demystify their websites—whether that means keeping your site secure with proper maintenance, setting up complex Gravity Forms, or ensuring your content is accessible through ADA compliance. Let’s make your site work for you.