MTA-STS glossary
What is the mta-sts.txt policy file and where does it live?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
mta-sts.txt is the file that holds your actual MTA-STS policy. It's plain text, served at https://mta-sts.<domain>/.well-known/mta-sts.txt with a certificate valid for the mta-sts hostname, and contains four fields: version, mode, one or more mx lines, and max_age. The DNS record only points here — this file is the policy.
mta-sts.txt at a glance | |
|---|---|
| Tag | mta-sts.txt (policy file) |
| Valid values | Key/value lines: version: STSv1 · mode · mx (one line per allowed MX pattern) · max_age |
| Default | Required — MTA-STS does nothing without it; the DNS record only announces that this file exists. |
| Where it goes | Served over HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt — directly, not via redirect |
How mta-sts.txt works
MTA-STS announces itself in DNS but delivers its rules over HTTPS, and this file is where they live. The format is deliberately simple plain text: version: STSv1, a mode, one mx line per allowed MX pattern, and a max_age. Wildcards covering one leftmost label are allowed in mx patterns — *.mail.protection.outlook.com is the standard way Microsoft 365 domains match their per-tenant MX host.
The certificate requirement is the whole trick. Serving the policy over HTTPS with a valid certificate for mta-sts.<domain> is what makes it trustworthy where plain DNS is not — so an expired certificate, or one that doesn't cover the mta-sts hostname, makes the file worthless to senders no matter how correct its contents are.
In practice, MTA-STS failures are almost always the hosting, not the syntax: the mta-sts subdomain was never created, the certificate lapsed at renewal, or the web server answers with a redirect or an HTML error page instead of the plain-text file. MTA-STS is the rare email standard whose maintenance burden is a web-hosting problem — and it quietly rots the day a certificate renewal is missed.
Correct record vs common mistake
Correct
version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 1209600A complete Microsoft 365 policy — the wildcard matches the tenant's MX host, and the file is served with a valid certificate for mta-sts.yourdomain.com.
Common mistake
https://yourdomain.com/.well-known/mta-sts.txtWrong host. The file must be served from the mta-sts subdomain — https://mta-sts.yourdomain.com/.well-known/mta-sts.txt — with a certificate for that exact hostname, and redirects don't count.
Troubleshooting mta-sts.txt
| Issue | Likely cause | Fix |
|---|---|---|
| Policy fetch fails outright | The mta-sts.<domain> subdomain was never created or doesn't resolve | Add DNS for mta-sts.<domain> pointing at a host that can serve the file over HTTPS |
| Certificate errors on fetch | Certificate expired, or doesn't cover the mta-sts.<domain> hostname | Issue or renew a certificate for that exact hostname (a *.yourdomain.com wildcard also covers it) — and automate the renewal |
| File loads in a browser but senders reject it | Served via a redirect, or as an HTML page instead of plain text | Serve it directly at the well-known path — status 200, plain text, no redirects |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
Every client domain needs its own mta-sts subdomain, its own valid certificate, and its own correctly served file — forever. Across 50–200 tenants that's a fleet of tiny websites that must never break, and one lapsed certificate renewal silently kills MTA-STS for that client: no bounce, no alert, nothing.
Trusted by MSPs
“Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.”
Alvin Kalli — CSIO, MSP Corp

































Enforce it — don't just monitor it
This is where Palisade differs from every checker on the market: it **hosts the policy file for you** — the `mta-sts` subdomain, the certificate, the renewals, the correct headers — for every client domain. Most vendors tell you the file is broken; Palisade makes sure it never is, so MTA-STS doesn't die of certificate rot.
Free 15-day trial · No credit card · Your own domain free forever (NFR)