MTA-STS glossary

What is the mta-sts.txt policy file and where does it live?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

mta-sts.txt is the file that holds your actual MTA-STS policy. It's plain text, served at https://mta-sts.<domain>/.well-known/mta-sts.txt with a certificate valid for the mta-sts hostname, and contains four fields: version, mode, one or more mx lines, and max_age. The DNS record only points here — this file is the policy.

mta-sts.txt at a glance
Tagmta-sts.txt (policy file)
Valid valuesKey/value lines: version: STSv1 · mode · mx (one line per allowed MX pattern) · max_age
DefaultRequired — MTA-STS does nothing without it; the DNS record only announces that this file exists.
Where it goesServed over HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt — directly, not via redirect

How mta-sts.txt works

MTA-STS announces itself in DNS but delivers its rules over HTTPS, and this file is where they live. The format is deliberately simple plain text: version: STSv1, a mode, one mx line per allowed MX pattern, and a max_age. Wildcards covering one leftmost label are allowed in mx patterns — *.mail.protection.outlook.com is the standard way Microsoft 365 domains match their per-tenant MX host.

The certificate requirement is the whole trick. Serving the policy over HTTPS with a valid certificate for mta-sts.<domain> is what makes it trustworthy where plain DNS is not — so an expired certificate, or one that doesn't cover the mta-sts hostname, makes the file worthless to senders no matter how correct its contents are.

In practice, MTA-STS failures are almost always the hosting, not the syntax: the mta-sts subdomain was never created, the certificate lapsed at renewal, or the web server answers with a redirect or an HTML error page instead of the plain-text file. MTA-STS is the rare email standard whose maintenance burden is a web-hosting problem — and it quietly rots the day a certificate renewal is missed.

Correct record vs common mistake

Correct

version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 1209600

A complete Microsoft 365 policy — the wildcard matches the tenant's MX host, and the file is served with a valid certificate for mta-sts.yourdomain.com.

Common mistake

https://yourdomain.com/.well-known/mta-sts.txt

Wrong host. The file must be served from the mta-sts subdomain — https://mta-sts.yourdomain.com/.well-known/mta-sts.txt — with a certificate for that exact hostname, and redirects don't count.

Troubleshooting mta-sts.txt

IssueLikely causeFix
Policy fetch fails outrightThe mta-sts.<domain> subdomain was never created or doesn't resolveAdd DNS for mta-sts.<domain> pointing at a host that can serve the file over HTTPS
Certificate errors on fetchCertificate expired, or doesn't cover the mta-sts.<domain> hostnameIssue or renew a certificate for that exact hostname (a *.yourdomain.com wildcard also covers it) — and automate the renewal
File loads in a browser but senders reject itServed via a redirect, or as an HTML page instead of plain textServe it directly at the well-known path — status 200, plain text, no redirects

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Every client domain needs its own mta-sts subdomain, its own valid certificate, and its own correctly served file — forever. Across 50–200 tenants that's a fleet of tiny websites that must never break, and one lapsed certificate renewal silently kills MTA-STS for that client: no bounce, no alert, nothing.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

This is where Palisade differs from every checker on the market: it **hosts the policy file for you** — the `mta-sts` subdomain, the certificate, the renewals, the correct headers — for every client domain. Most vendors tell you the file is broken; Palisade makes sure it never is, so MTA-STS doesn't die of certificate rot.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

At https://mta-sts.<domain>/.well-known/mta-sts.txt — the mta-sts subdomain (not the apex) and that exact well-known path, served directly with no redirects.

Yes — a valid, unexpired certificate covering mta-sts.<domain>. A *.yourdomain.com wildcard certificate covers it too. An invalid certificate makes the whole policy unusable to senders.

Yes — a leading *. matches one leftmost label, so *.mail.protection.outlook.com matches tenant.mail.protection.outlook.com. That's the standard pattern for Microsoft 365 domains.

Almost always hosting: the mta-sts subdomain doesn't resolve, the certificate is invalid or expired, the server answers with a redirect, or it returns an HTML page instead of plain text.

Senders holding a cached policy keep using it until their cache expires; new senders can't discover your policy at all. Either way you're on borrowed time — fix the hosting.

Related terms

What is MTA-STS? SMTP security policy explained