In case you have come across the “MTA-STS policy is missing: STSFetchResult.NONE” error message while using online checking tools, you have come to the right place. Today we are going to discuss what this message means and how to get rid of it by deploying an MTA-STS policy for your domain. 

Simple Mail Transfer Protocol, aka SMTP, is the standard email transfer protocol used by the vast majority of email service providers. It is no secret that SMTP has faced security challenges since its early days, and some of them are still only partly solved. To stay backward compatible, SMTP added opportunistic encryption in the form of the STARTTLS extension (RFC 3207). This means that if an encrypted connection cannot be negotiated between two communicating SMTP servers, the connection falls back to an unencrypted one and messages are sent in cleartext. Because that fallback is silent, an attacker on the network path can also strip the STARTTLS offer from the server's greeting and force the downgrade. 

This makes emails transferred via SMTP vulnerable to pervasive monitoring and eavesdropping attacks such as man-in-the-middle (MITM) attacks. This is risky for both the sender and the receiver and can lead to the breach of sensitive data. This is where MTA-STS (SMTP MTA Strict Transport Security, RFC 8461) comes in: it lets a receiving domain declare that its mail must be delivered over TLS to specific MX hosts, so that supporting senders refuse to fall back to an unencrypted connection. 

What is an MTA-STS Policy?

To improve your SMTP email security and get the most out of transport security protocols like MTA-STS, the sending server must support the protocol and the receiving domain must publish an MTA-STS policy. An enforced policy mode is also encouraged, once you are confident the policy is correct, to further raise the bar. The MTA-STS policy lists the MX hosts that are allowed to receive mail for the receiver's domain and that must present a valid TLS certificate. 

To enable MTA-STS for your domain as the email receiver, you need to publish two things: a DNS TXT record on the subdomain _mta-sts.yourdomain.com that announces the policy, and the policy file itself, served over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. Together they tell external senders that mail to your domain must be delivered to the listed MX hosts over TLS (version 1.2 or higher) with a valid certificate. 

Not having a published (or correctly published) policy for your domain is the primary reason for error messages like “MTA-STS policy is missing: STSFetchResult.NONE”. The checker did what a sending server does: it queried the _mta-sts TXT record for the receiver's domain, found no valid MTA-STS record, and therefore had no policy to fetch.

Prerequisites for MTA-STS:

Email servers for which MTA-STS will be enabled should support TLS 1.2 or higher, and should present TLS certificates that adhere to current RFC standards, are not expired, match the MX host name listed in the policy, and chain to a root certificate authority trusted by sending servers. A self-signed or mismatched certificate on an MX host will cause senders honoring an enforced policy to refuse delivery.

Steps to Fix “MTA-STS Policy is Missing”

1. Creating and publishing an MTA-STS DNS TXT record 

The first step is to create an MTA-STS DNS record for your domain. It is a TXT record on the subdomain _mta-sts.yourdomain.com containing only a version tag (v=STSv1) and a policy id that you change whenever the policy file changes. You can create the record instantly using an MTA-STS record generator, which provides a custom-tailored DNS record for your domain. 

2. Defining an MTA-STS policy mode

MTA-STS offers two policy modes for users to work with (a third mode, none, exists only to retire a policy you previously published).

  • Testing mode: This mode is ideal for beginners who have not configured the protocol before. In testing mode, senders still deliver mail even when policy validation fails, but if you have also published a TLS-RPT record they send you SMTP TLS reports describing problems fetching or validating your MTA-STS policy, failures in establishing encrypted SMTP connections, and the resulting delivery outcomes. This helps you find and fix existing issues with your domains and servers without yet enforcing TLS encryption.
  • Enforce mode: While you still receive your TLS reports, in the course of time you should enforce your MTA-STS policy so that senders honoring it refuse to deliver to your domain over unencrypted connections, to MX hosts not listed in the policy, or to hosts presenting invalid certificates. This prevents messages from being downgraded to cleartext, intercepted, or redirected while in transit.

3. Creating the MTA-STS policy file

The next step is to host MTA-STS policy files for your domains. Note that while the contents of every file can be the same, each domain needs its own policy served from its own mta-sts subdomain, and a single domain can have only one MTA-STS policy file. Multiple MTA-STS policy files hosted for a single domain can lead to protocol misconfigurations. 

The standard format for an MTA-STS policy file is given below: 

File name: mta-sts.txt (served at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt)

Maximum file size: 64 KB

version: STSv1
mode: testing
mx: mail.yourdomain.com
mx: *.yourdomain.com
max_age: 806400 

Note: The policy file displayed above is simply an example. Each line is a key: value pair. mx may be repeated once per MX host, and a wildcard such as *.yourdomain.com matches exactly one host-name label (mail.yourdomain.com, but not a.b.yourdomain.com or yourdomain.com itself). max_age is the number of seconds senders may cache the policy (here roughly 9.3 days; the maximum allowed is 31557600, one year). Keep it short while testing and raise it once you switch to enforce mode.

4. Publishing Your MTA-STS policy file

Next, you have to publish your MTA-STS policy file on a public web server that external servers can reach. The file must be served over HTTPS with a valid, trusted certificate for the mta-sts subdomain; senders do not follow plain HTTP and do not tolerate certificate errors. The procedure for this is simple. Assuming that your domain is preconfigured with a public web server:

  • Add a subdomain to your existing domain named mta-sts (e.g. mta-sts.domain.com) and point it at the web server 
  • Store the policy file at the path .well-known/mta-sts.txt on that host, so that it is reachable at https://mta-sts.domain.com/.well-known/mta-sts.txt
  • Senders derive this URL from your domain name, so it is not written into the DNS record; the _mta-sts TXT record only tells them that a policy exists and, through its id, whether the policy has changed since they last fetched it

5. Activate MTA-STS and TLS-RPT

Finally, you need to publish your MTA-STS and TLS-RPT DNS records in your domain’s DNS, using TXT as the resource type, on two separate subdomains (_mta-sts for MTA-STS and _smtp._tls for TLS-RPT). Once your policy is in enforce mode, senders that honor MTA-STS will deliver to your domain only over verified TLS connections to the MX hosts you listed. Senders that support TLS-RPT will also send you aggregate reports, typically daily, about delivery and encryption issues, to the email address or HTTPS endpoint you configured in the TLS-RPT record.  

You can verify the validity of your DNS records by performing an MTA-STS record lookup after your record is published and live.  

Note: Every time you alter the contents of your MTA-STS policy file, you must both update the file on the public web server and change the id in your _mta-sts DNS record; senders cache the policy for up to max_age seconds and only refetch it when they see a new id. The same holds true whenever you add or change MX hosts or domains. 
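To make the sender-side logic behind steps 1 to 5 concrete, here is an added example (not code from the original article or from any MTA-STS implementation) that models offline what an MTA-STS-aware sender does: read the _mta-sts TXT record, derive the fixed policy URL, parse the policy file, match the MX host against the mx patterns, and decide whether to deliver, deliver and report, or refuse. The domain example.com, its DNS answers and the policy body are constructed sample data; the result names NONE, PASS, REPORT_ONLY and REFUSE are this example's own, with NONE being the “policy is missing” case behind the error message.

```python
import re

# Constructed sample data for the hypothetical domain example.com (not live DNS).
SAMPLE_TXT = {"_mta-sts.example.com": ["v=STSv1; id=20240115T000000"]}
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.example.com\n"
    "max_age: 604800\n"
)


def policy_url(domain):
    """The policy URL is fixed by RFC 8461: senders derive it from the domain;
    it is never carried in the DNS record."""
    return f"https://mta-sts.{domain.lower()}/.well-known/mta-sts.txt"


def sts_record_id(txt_records):
    """Return the policy id from the _mta-sts TXT record set, or None.

    RFC 8461 3.1: exactly one record starting with v=STSv1 must exist.
    Zero records (or several) means no usable policy, which a checker
    reports as STSFetchResult.NONE."""
    ids = []
    for rec in txt_records:
        fields = [f.strip() for f in rec.split(";") if f.strip()]
        if not fields or fields[0].lower() != "v=stsv1":
            continue
        tags = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        if re.fullmatch(r"[A-Za-z0-9]{1,32}", tags.get("id", "")):
            ids.append(tags["id"])
    return ids[0] if len(ids) == 1 else None


def parse_policy(body):
    """Parse mta-sts.txt into a dict (mx collected into a list); raise
    ValueError on anything a sender would treat as an invalid policy."""
    policy = {"mx": []}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value              # unknown keys are kept and ignored
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds")
    if not 0 <= policy["max_age"] <= 31557600:        # RFC 8461 3.2 upper bound
        raise ValueError("max_age out of range")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required")
    return policy


def mx_matches(pattern, host):
    """RFC 8461 4.1: '*.example.com' matches exactly one extra leftmost label
    (mail.example.com, but not a.b.example.com or example.com itself);
    any other pattern must equal the whole host name."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                                    # ".example.com"
        head = host[: -len(suffix)] if host.endswith(suffix) else ""
        return head != "" and "." not in head
    return host == pattern


def evaluate_delivery(domain, mx_host, tls_ok, txt_records, policy_body):
    """Decide what an MTA-STS-aware sender does for one connection.
    tls_ok: STARTTLS succeeded and mx_host presented a trusted certificate
    for its own name. Returns NONE, PASS, REPORT_ONLY or REFUSE."""
    if sts_record_id(txt_records) is None:
        return "NONE"                 # no policy: fall back to opportunistic TLS
    policy = parse_policy(policy_body)    # in reality fetched from policy_url(domain)
    if policy["mode"] == "none":
        return "NONE"
    if tls_ok and any(mx_matches(p, mx_host) for p in policy["mx"]):
        return "PASS"
    return "REFUSE" if policy["mode"] == "enforce" else "REPORT_ONLY"
```

Running evaluate_delivery with an empty TXT record list reproduces the “policy is missing” outcome; the same call with the sample record and a certificate failure returns REFUSE under enforce and REPORT_ONLY under testing, which is exactly the difference between the two modes described above.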

How can Hosted MTA-STS Services Help in Resolving “MTA-STS Policy is Missing”?

Manual implementation of MTA-STS can be arduous and leave room for errors. PowerDMARC’s hosted MTA-STS services speed up the process for domain owners, making protocol deployment effortless. You can: 

  • Publish your CNAME records for MTA-STS with a few clicks
  • Outsource the hard work involved in maintaining and hosting MTA-STS policy files and web servers
  • Change your policy mode whenever you wish to, directly from your custom-tailored dashboard, without having to access your DNS
  • We display SMTP TLS report JSON files in an organized and human-readable format that is convenient and comprehensible for technical and non-technical people alike

The best thing? We are RFC-compliant and support the latest TLS standards. This helps you get started with error-free MTA-STS configuration for your domain, and enjoy its benefits while leaving the hassles and complexities for us to handle on your behalf! 

Hope this article helped you get rid of the “MTA-STS policy is missing: STSFetchResult.NONE” prompt, and in configuring the protocols properly for your domain to mitigate the loopholes and challenges in SMTP security. 

Enable MTA-STS for your emails today by taking a free email authentication DMARC trial, to improve your defenses against MITM and other cyber eavesdropping attacks!

Enterprises and startups alike often prefer outsourcing their business and marketing emails. This involves third-party services which handle everything from list management to tracking events through to deliverability monitoring. But these third-party services also increase risk by opening up opportunities for malicious actors to impersonate brands via domain spoofing and deploying phishing attacks on unsuspecting receivers.

It has been reported that around one-third of all spam messages circulating on the internet contain business-related content. Businesses and organizations can fall victim to these messages if they fail to implement the appropriate safeguards, and the use of third-party vendors for sending email messages may be a significant contributing factor.

Integrating DMARC policies with all your third parties can help you prevent spoofing, phishing, and malware attacks that infiltrate your domain.

Why is it important to align your email sending sources?

Email is critical to the success of any business because it enables businesses to stay in contact with their customers and prospects. It is widely used as a primary means of communication and market research, and its importance will only increase as time progresses. Whatever email vendor you use to send your emails, be sure to check whether they support sending DMARC compliant emails on your behalf. 

DMARC is an email security protocol to help prevent phishing attacks, domain spoofing, and BEC. But to be truly effective, a company needs to work closely with all its third parties, so that all emails are DMARC compliant.

Making Your Third-party Vendors DMARC-Compliant

To establish an effective DMARC policy, you should contact your third-party providers to work together with you on the best way to handle email that fails validation. It can prove to be beneficial to explain the advantages of DMARC, answer questions about how it works, and recommend solutions that will help them to fully implement DMARC.

Each third party is different, with its own SPF and DKIM setup process that you’ll need to plan for. To determine the best strategy, you need to be aware of how each partner sends email marketing campaigns, in addition to their technical tracking abilities, reporting features, and integration capabilities. While the process might seem cumbersome and tedious, there are a few easy ways you can speed things up from your side:

  • You can set up a custom subdomain for each of your email vendors and let them handle SPF and DKIM authentication for that subdomain. In this case, the email vendor uses its own mail servers to send your emails, and you publish in the DNS of that subdomain the SPF and DKIM records the vendor provides (or delegate the subdomain to the vendor). If you don’t configure a separate DMARC record for this delegated subdomain, the DMARC record of your main (organizational) domain applies to it automatically: its sp= tag, if present, sets the policy for subdomains, otherwise the p= policy is inherited.
  • Alternatively, the third-party vendor can relay through your mail servers when sending emails to your clients from your domain. Make sure you update your SPF and DKIM records to include the said third parties so that they are enlisted as authorized sending sources; with that in place and a DMARC policy for your domain, the outgoing emails are DMARC-compliant because the authenticated domain aligns with your From domain. 

Setting Up SPF, DKIM, and DMARC records for your third-party vendors

  • Make sure you update your existing SPF record to include these email sending sources. For example, if you use MailChimp as an email vendor to send marketing emails on behalf of your organization, you need to update your existing SPF record, or create a new one if you don’t have one in place, so that it authorizes MailChimp as a sender. This is done by adding an include: mechanism referencing the vendor’s SPF record or the specific IP addresses the vendor uses when sending your emails. Keep the record within the SPF limit of 10 DNS-querying mechanisms (include, a, mx, ptr, exists and redirect) counted across all nested includes; exceeding it makes the whole record evaluate to permerror.
  • Next, request your vendor to generate a DKIM key pair for your custom domain. They use the private key to sign your emails when sending them, and you publish the public key in your public-facing DNS as a TXT record at <selector>._domainkey.<yourdomain>. Receivers look up that public key using the selector and domain named in the message’s DKIM-Signature header and use it to verify the signature; the private key itself never leaves the vendor.
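The two options above (a delegated subdomain inheriting your policy, or a vendor authenticating directly for your domain) and the SPF/DKIM setup both come down to DMARC identifier alignment. The following added example, not code from the article or from any DMARC product, evaluates DMARC the way a receiver does: it finds the applicable record (falling back to the organizational domain's sp= for a subdomain), checks relaxed or strict alignment of the SPF and DKIM identifiers against the From domain, and returns the disposition. All domains and DNS answers are constructed, and the organizational-domain helper uses the "last two labels" simplification where real implementations consult the Public Suffix List.

```python
# Constructed DNS TXT answers for hypothetical domains (not live records).
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
}


def org_domain(domain):
    """Organizational domain. Simplification: the last two labels. A real
    implementation uses the Public Suffix List (RFC 7489 section 3.2)."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(record):
    """Parse a DMARC TXT record into tags, filling in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")      # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    return tags


def find_policy(from_domain, dns):
    """RFC 7489 6.6.3: look for _dmarc.<From domain>; if absent, fall back to
    the organizational domain's record and apply its sp= to the subdomain."""
    from_domain = from_domain.lower()
    record = dns.get(f"_dmarc.{from_domain}")
    if record:
        tags = parse_dmarc(record)
        return tags, tags["p"]
    org = org_domain(from_domain)
    record = dns.get(f"_dmarc.{org}") if org != from_domain else None
    if record:
        tags = parse_dmarc(record)
        return tags, tags["sp"]
    return None, "none"


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    accepts any domain sharing the organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass, dns):
    """Combine SPF and DKIM outcomes into a DMARC result and disposition.
    spf_domain is the MAIL FROM domain SPF authenticated; dkim_domain is the
    d= tag of a DKIM signature that verified."""
    tags, policy = find_policy(from_domain, dns)
    if tags is None:
        return {"result": "none", "disposition": "none"}
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none"}
    return {"result": "fail", "disposition": policy}
```

The first scenario worth trying is a vendor sending From news.example.com with its own bounce domain in MAIL FROM: SPF passes but is unaligned, so only an aligned DKIM signature (d=news.example.com) makes the message pass; drop that signature and the subdomain falls under the organizational record's sp=quarantine.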

You can read our email authentication knowledgebase articles to get easy-to-follow, step-by-step instructions on how to set up DMARC, SPF, and DKIM for various third-party vendors that you might be using. 

At PowerDMARC, we provide solutions for DMARC deployment and monitoring to help you ensure maximum DMARC compliance. We provide scalable DMARC monitoring solutions with the most in-depth capabilities on the market to help you manage your sending practices in coordination with your vendors’ sending practices. 

With our resources and expertise, we can take the guesswork out of DMARC compliance while delivering analytical reports that identify those that are and those that are not compliant. Sign up for your free DMARC trial today! 

Email is one of the most effective tools for getting your message out, whether it’s for marketing or business use. However, it also presents security threats if you’re not protecting against them. DMARC helps solve this problem by giving you control over all email that uses your domain name. DMARC is a massive step towards ensuring that honest emails stay honest and that malicious emails are prevented from reaching inboxes. PowerDMARC has always believed in this mission and has worked hard to make sure the DMARC spec is followed across our entire ecosystem.

Why is Your Email Unsafe?

Email spoofing occurs when an attacker forges the sender address to make a mail look like it is coming from an authorized, legitimate source. The forgery can target what the mail client displays (the From and Reply-To headers of the message) or what the receiving server sees (the envelope sender given in the SMTP MAIL FROM command). Plain SMTP verifies neither, which is why authentication has to be layered on top of it. 

Email spoofing is a serious issue, especially if you are running a legitimate website that has an email signup form. Because email addresses are a prime target of spammers using spoofing techniques, your email list can quickly be polluted with spoofed or abused addresses. This causes major headaches down the road when you need to disable the registration forms or manually unsubscribe members from each of your newsletters or other lists.

How can DMARC help?

A DMARC policy allows you to take control over email spoofing, phishing, and other forms of email and domain abuse. Used in combination with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), this powerful mechanism makes it much harder for cybercriminals to send email using your domain name without your permission.

If you don’t have a DMARC record in place, we recommend you use our free DMARC record generator tool to create a custom-tailored TXT record for your domain and implement the protocol. Remember to shift to a DMARC reject policy to gain protection against impersonation threats.

Track Your Email Flow for Consistent Deliverability

If you want to stay ahead of your attackers, you need to avail yourself of the benefits of DMARC reporting today. It provides you with a wealth of information regarding your email sending sources and failed authentication attempts. You can leverage that information to respond to threats faster, as well as monitor your emails’ performance to ensure consistency in deliverability. 

To maintain the email security health of your domain, it is imperative that your authentication protocols are free from any syntactical or configuration errors. Conduct a DMARC check from time to time to ensure that your DMARC record is functioning properly.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a standard that ties the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication methods to the domain in a message’s From header, so that a receiver can verify the sender’s domain and apply the domain owner’s policy. It provides a consistent framework for authors, operators, and consumers of these email authentication mechanisms to work together in reducing spoofed and fraudulent email. A DMARC analyzer helps you detect when an unauthorized third party is misusing your domain, either by spoofing legitimate email or by conducting phishing campaigns.

In terms of advantages, DMARC has a little something to offer for the sender as well as the receiver of the emails. Let’s find out what they are:

Advantages for Email Senders

Enhanced Email Deliverability

One of the primary advantages that email authentication protocols like DMARC present to domain owners (email senders) is an improved email deliverability rate. Because receivers can verify that mail using your domain is authorized, your legitimate emails are less likely to be marked as spam or blocked from the receiver’s inbox. This provides a better chance of your marketing emails being read, enabling your potential customers to notice you more.

Reduced Impersonation Threats

Impersonation attacks are very common for online businesses, whether you are an established enterprise or a startup venture. It can leave a lasting impression upon your customers, impact your brand’s credibility and lead to the loss of clients. DMARC protects your brand name from being used for malicious purposes, by the process of identity verification. This sustains your goodwill and reputation in the long run.

DMARC Reporting and Monitoring

Apart from identity protection, DMARC also provides a reporting mechanism that helps domain owners stay abreast of any impersonation attempts made on their domain. They can keep track of emails that fail authentication checks and are therefore quarantined or rejected, allowing them to cut down on their threat-response time. All they need to do is configure a DMARC report analyzer to view their reports easily across a single pane of glass.

Advantages for Email Receivers

Protection against Phishing Attacks

DMARC isn’t just a safety net for the sender of the email, but also for the receiver. We already know that a spoofing attack usually ends with phishing. The receiver of a fake email is at high risk of falling prey to phishing attacks that aim to steal their banking credentials and/or other sensitive information. DMARC helps reduce the risk of email phishing drastically.

Protection Against Ransomware

Sometimes fake emails contain links that download ransomware onto the receiver’s system, leaving the victim at the mercy of threat actors who demand hefty ransoms. When the receiver is an employee of the impersonated organization, the stakes for the company are even higher. By blocking messages that spoof the protected domain, DMARC removes one of the most convincing delivery routes for ransomware; it does not stop mail sent from lookalike domains, so it is a first line of defense rather than the only one.

Promotes a Safe Email Experience

DMARC helps promote a safe email experience for the sender and receiver alike. It helps both parties engage in a lucid and unhindered exchange of information without the fear of being tricked or impersonated by cyberattackers.

To avail of DMARC services, get your free DMARC trial today!

 

We are here to once and for all clarify one of the most common concerns raised by domain owners. Will a DMARC reject policy hurt your email deliverability? Long story short: No. A DMARC reject policy can only harm your email deliverability when you have configured DMARC incorrectly for your domain, or have moved to an enforced policy without first enabling DMARC reporting and checking that all your legitimate sources pass. Used as designed, DMARC improves your email deliverability over time.

What is a DMARC Reject Policy?

A DMARC reject policy is the state of maximum DMARC enforcement. This means that if an email is sent from a source that fails DMARC authentication, that email is rejected by the receiver’s server and is not delivered to the recipient. A DMARC reject policy is beneficial for organizations as it helps domain owners put an end to phishing attacks, direct-domain spoofing, and business email compromise.

When should you configure this policy?

As DMARC experts, PowerDMARC recommends that while you are an email authentication novice, DMARC in monitoring-only mode (p=none) is the best option for you. This helps you get comfortable with the protocol while keeping track of your email’s performance and deliverability. Learn how you can monitor your domains easily in the next section.

When you are confident enough to adopt a stricter policy, you can then set up your domain with p=reject/quarantine. As a DMARC user, your main agenda should be to stop attackers from successfully impersonating you and tricking your clients, which cannot be achieved with a “none policy”. Enforcing your policy is imperative to gain protection against attackers.

Where can you go wrong?

DMARC builds on SPF and DKIM, which must be configured before DMARC can function correctly. An SPF record lists the IP addresses and mechanisms (such as include: entries for third parties) that are allowed to send email on your domain’s behalf. Domain owners can easily forget to add a sending source, which is a relatively common phenomenon among organizations using several third-party email vendors, and mail from that source then fails SPF. Remember that DMARC also needs alignment: the SPF-authenticated domain (or the DKIM d= domain) must match your From domain, so a vendor that passes SPF only on its own bounce domain still fails DMARC unless it signs with DKIM for your domain. Other mistakes include syntax errors in your DNS records, exceeding the SPF limit of 10 DNS lookups, and other protocol misconfigurations. All of this can be avoided by availing of hosted email authentication services.
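The “forgotten vendor” SPF failure described above, as an added example that is not part of the original article or of any SPF library: a small RFC 7208 evaluator for the ip4, ip6, include and all mechanisms, with the 10-lookup limit counted across nested includes, run over constructed DNS answers for hypothetical domains. It shows the vendor’s IP failing under the original record, passing once the include is added, and the permerror outcomes (an include of a domain with no record, and an include chain that exceeds the lookup limit) that silently break DMARC for every message.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10   # RFC 7208 4.6.4: include/a/mx/ptr/exists/redirect, counted across nesting

# Constructed DNS TXT answers for hypothetical domains (not live records).
SPF_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "vendor-relay.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}


def check_spf(domain, sender_ip, dns, _lookups=None):
    """Simplified RFC 7208 check_host(): ip4, ip6, include and all only.
    a, mx, ptr, exists and redirect= are not modelled and yield permerror.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if _lookups is None:
        _lookups = [0]                       # one counter shared by all includes
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(arg, sender_ip, dns, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"           # RFC 7208 5.2: included domain must have a record
        else:
            return "permerror"
    return "neutral"                         # nothing matched and no "all" term


def add_include(record, include_domain):
    """Authorize a vendor by inserting include:<domain> before the trailing
    all mechanism, so the final policy (-all, ~all) is unchanged."""
    terms = record.split()
    if terms and terms[-1].lstrip("+-~?").lower() == "all":
        return " ".join(terms[:-1] + [f"include:{include_domain}", terms[-1]])
    return " ".join(terms + [f"include:{include_domain}"])
```

Note that add_include keeps the vendor’s include ahead of -all but does not check the lookup budget; run check_spf over the result (or count the includes) before publishing, because the tenth include is the last one that works.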

How to Monitor Your Emails with a DMARC Report Analyzer

A DMARC report analyzer is an all-in-one tool that helps you monitor your domains across a single interface. This can benefit your organization in more ways than one:

  • Gain complete visibility and clarity on your email flow
  • Shift to a reject policy without the fear of deliverability issues
  • Read DMARC XML reports in a simplified and human-readable format
  • Make changes to your DNS records in real time using actionable buttons without accessing your DNS

Configure DMARC safely and correctly at your organization using a DMARC analyzer today, and permanently eliminate all fears pertaining to deliverability issues!