MTA-STS glossary

What does max_age mean in an MTA-STS policy?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

max_age sets how long, in seconds, a sending server may cache your MTA-STS policy — up to a maximum of 31557600, about one year. The cached copy is what protects you between fetches: even if an attacker suppresses your DNS record, senders keep enforcing the policy they already hold until it expires.

max_age at a glance
Tagmax_age
Valid valuesNon-negative integer seconds, maximum 31557600 (about one year)
DefaultRequired — every MTA-STS policy file must set max_age.
Where it goesOne key/value line in the mta-sts.txt policy file, e.g. max_age: 1209600

How max_age works

When a sender fetches your policy file, it may cache the result for up to max_age seconds. On later deliveries it checks the cheap DNS record at _mta-sts.<domain>: if the id matches what it cached, it uses the cached policy without refetching the file over HTTPS.

That cache is the security, not just an optimisation. MTA-STS's weak point is discovery — an attacker who can suppress or block your DNS record could make your domain look like it has no policy at all. But a sender holding a cached policy keeps enforcing it until the cache expires, DNS attack or not. That's why RFC 8461 recommends lifetimes of weeks or longer once your setup is stable: a long cache is a long window in which you can't be downgraded.

The standard pattern: short max_age (a day or so) during rollout so mistakes age out fast, then weeks or more at steady state. And remember the companion rule — a long max_age doesn't slow your updates, because changing the policy just requires bumping the DNS id. Forget the id bump, though, and senders won't refetch until the cache expires, however long that is.

Correct record vs common mistake

Correct

version: STSv1
mode: enforce
mx: mail.yourdomain.com
max_age: 2419200

Four weeks of cache at steady state — senders keep enforcing your policy even if your DNS record is suppressed in the meantime.

Common mistake

version: STSv1
mode: enforce
mx: mail.yourdomain.com
max_age: 300

Five minutes of cache in production leaves almost no downgrade protection — an attacker who can interfere with your DNS only ever has to wait minutes for sender caches to empty.

Troubleshooting max_age

IssueLikely causeFix
Policy update not taking effectSenders are inside their cache window and the DNS id wasn't bumpedChange the id in the _mta-sts TXT record — cached senders refetch on their next check
max_age still at the short rollout value months laterNobody moved the domain to steady state after go-liveRaise it to weeks (1209600 or more) once your TLS-RPT reports are clean
Policy rejected by validatorsmax_age missing, non-numeric, or above 31557600Set a plain integer number of seconds, at or below 31557600

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Cache lifetimes are where a hand-managed fleet drifts: some client domains left on the 24-hour rollout value with barely any downgrade protection, others set long with nobody bumping ids on changes. Across 50–200 tenants you end up unable to say when any policy change actually takes effect — or which domains are quietly running stale rules.

Trusted by MSPs

We increased our meetings booked by 21% and slept better at night knowing our emails are now secured
Marc-André CampagnaMarc-André Campagna CEO, gaiia (YC 2021)Read the case study →
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Palisade hosts the policy file for every client domain and manages the cache lifecycle for you — a short `max_age` during rollout, weeks at steady state, and an automatic `id` bump on every change so updates land immediately instead of waiting out the cache.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

A day or so during rollout, so mistakes age out quickly; weeks or longer once the setup is stable. RFC 8461 favours long lifetimes because the cached policy is your protection against DNS-level downgrade attacks.

31557600 seconds — about one year. Anything above that is invalid per RFC 8461.

No. Senders recheck the DNS record and refetch the policy as soon as the id changes. A long max_age only pins the old policy if you forget to bump the id when you change the file.

Because the cache is the security. With a tiny max_age, senders hold your policy only briefly — an attacker who can interfere with your DNS gets a fresh downgrade window every few minutes.

Related terms

What is MTA-STS? SMTP security policy explained