PowerDMARC

How to Fix “MTA-STS Policy is Missing”?

How to Fix MTA STS Policy is Missing 2

How to Fix MTA STS Policy is Missing 2

In case you have come across the “MTA-STS policy is missing: STSFetchResult.NONE ” command while using online tools, you have come to the right place. Today we are going to discuss how to fix this error message and get rid of it by incorporating an MTA-STS policy for your domain. 

Simple Mail Transfer Protocol, aka SMTP, is the standard email transfer protocol used by a majority of email service providers. It isn’t an alien concept that SMTP has been facing security challenges since the dawn of time, challenges that they haven’t been able to come up with as of yet. This is because, in order to make the emails backward compatible, SMTP introduced opportunistic encryption in the form of a STARTTLS command.  This essentially means, in case an encrypted connection cannot be negotiated between two communicating SMTP servers, the connection gets rolled back to an unencrypted one, and messages are sent in cleartext. 

This makes emails transferred via SMTP vulnerable to pervasive monitoring and cyber eavesdropping attacks like Man-in-the-middle. This is risky for both the sender and the receiver and can lead to the breach of sensitive data. This is where MTA-STS swoops in and makes TLS encryption mandatory in SMTP to stop emails from being delivered over unsecured connections. 

What is an MTA-STS Policy?

In order to improve your SMTP email security and make the most out of authentication protocols like MTA-STS, the sending server should have support for the protocol and the email receiving server should have an MTA-STS policy defined in their DNS. An enforced policy mode is also encouraged to further amplify security standards. The MTA-STS policy defines the email servers using MTA-STS in the receiver’s domain. 

In order to enable MTA-STS for your domain as the email receiver, you need to host an MTA-STS policy file in your DNS. This allows external email senders to send emails to your domain that are authenticated and TLS encrypted with an updated version of TLS (1.2 or higher). 

Not having a published or updated policy file for your domain can be the primary reason for coming across error messages like “MTA-STS policy is missing: STSFetchResult.NONE”, implying that the sender’s server couldn’t fetch the MTA-STS policy file when it queried the receiver’s DNS, finding it to be missing.

Prerequisites for MTA-STS:

Email servers for which MTA-STS will be enabled should be using a TLS version of 1.2 or more, and should have TLS certificates in place that adhere to current RFC standards and specifications, are not expired, and server certificates that are signed by a trusted root certificate authority.

Steps to Fix “MTA-STS Policy is Missing”

1. Creating and publishing an MTA-STS DNS TXT record 

The first step is to create an MTA-STS record for your domain. You can create a record instantly using an MTA-STS record generator, providing you with a custom-tailored DNS record for your domain. 

2. Defining an MTA-STS policy mode

MTA-STS offers two policy modes for users to work with.

3. Creating the MTA-STS policy file

The next step is to host MTA-STS policy files for your domains. Note that while the contents of every file can be the same, it is mandatory to host policies separately for separate domains, and a single domain can have only a single MTA-STS policy file. Multiple MTA-STS policy files hosted for a single domain can lead to protocol misconfigurations. 

The standard format for an MTA-STS policy file is given below: 

File name: mta-sts.txt

Maximum file size: 64 KB

version: STSv1

mode: testing

mx: mail.yourdomain.com

mx: *.yourdomain.com

max_age: 806400 

Note: The policy file displayed above is simply an example.

4. Publishing Your MTA-STS policy file

Next, you have to publish your MTA-STS policy file on a public web server that is accessible to external servers. Make sure the server you host your file on supports HTTPS or SSL. The procedure for this is simple. Assuming that your domain is preconfigured with a public web server:

5. Activate MTA-STS and TLS-RPT

Finally, you need to publish your MTA-STS and TLS-RPT DNS records in your domain’s DNS, using TXT as the resource type, placed on two separate subdomains (_smtp._tls and _mta-sts). This will allow only TLS encrypted messages to reach your inbox, that are verified and untampered. Furthermore, you will receive daily reports on delivery and encryption issues on an email address or web server configured by you, from external servers.  

You can verify the validity of your DNS records by performing an MTA-STS record lookup after your record is published and live.  

Note: On every occasion that you make alterations to the contents of your MTA-STS policy files, you must update it both on the public web server you are hosting your file on, as well as the DNS entry that contains your policy URL. The same holds true for every time you update or add to your domains or servers. 

How can Hosted MTA-STS Services Help in Resolving “MTA-STS Policy is Missing”?

Manual implementation of MTA-STS can be arduous and challenging and leave room for errors. PowerDMARC’s hosted MTA-STS services help catapult the process for domain owners, making protocol deployment effortless and speedy. You can: 

The best thing? We are RFC-compliant and support the latest TLS standards. This helps you get started with error-free MTA-STS configuration for your domain, and enjoy its benefits while leaving the hassles and complexities for us to handle on your behalf! 

Hope this article helped you get rid of the “MTA-STS policy is missing: STSFetchResult.NONE” prompt, and in configuring the protocols properly for your domain to mitigate the loopholes and challenges in SMTP security. 

Enable MTA-STS for your emails today by taking a free email authentication DMARC trial, to improve your defenses against MITM and other cyber eavesdropping attacks!

Exit mobile version