We want MTA-STS in enforce mode but worry about outages
MTA-STS (RFC 8461) forces senders to use TLS to your MX and validate the cert. Testing mode reports only, enforce refuses mail on TLS errors. The right path is run testing until TLS-RPT reports stay clean for weeks, then move to enforce.
Try this first
- 1Publish a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with mode: testing, mx records and max_age.
- 2Publish DNS records: _mta-sts.yourdomain.com TXT v=STSv1; id=... and _smtp._tls.yourdomain.com TXT v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com
- 3Ensure every MX host has a valid certificate matching the hostname in MX, not just the apex.
- 4Read TLS-RPT reports for a few weeks. From Microsoft 365 and Google Workspace they arrive via large senders.
- 5When reports stay clean, switch the policy file to mode: enforce and bump id=. Receiver caches will refresh.
When to bring us in
If you have a hybrid mail flow with an on-prem relay or third-party scrubber, check those have valid certs too. A forgotten hop breaks enforce.
See also
- Our emails land in spam for some recipientsAlmost always an SPF, DKIM, or DMARC setting that is wrong or missing, or a sender name that mimics a well-known brand.
- Someone reports receiving phishing emails "from us"Read: spoofing. Someone is abusing your sender name, not necessarily your actual mailbox.
- An email bounces (NDR): delivery failedThe NDR text usually states the exact reason. Reading it is step one.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.