MTA-STS glossary

What does v=STSv1 mean in an MTA-STS record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

v=STSv1 is the version tag of an MTA-STS DNS record — a TXT record published at _mta-sts.<domain> in the form v=STSv1; id=<token>. It announces that your domain has an MTA-STS policy; the actual rules live in an HTTPS policy file. The id is an opaque token senders cache — it must change whenever the policy file does.

v=STSv1 at a glance
Tagv (version)
Valid valuesSTSv1 — the only version defined by RFC 8461
DefaultRequired — a TXT record that doesn't start with v=STSv1 is not a valid MTA-STS record.
Where it goesFirst tag of the TXT record at _mta-sts.<domain>, e.g. v=STSv1; id=20260715120000

How v=STSv1 works

MTA-STS splits its configuration across DNS and HTTPS, and the TXT record at _mta-sts.<domain> is the DNS half. It's deliberately tiny — just v=STSv1 and an id — because its only job is to tell sending servers that a policy exists and to go fetch it over HTTPS. The rules themselves (mode, mx, max_age) live in the mta-sts.txt policy file.

The id is an opaque token — up to 32 letters and digits with no meaning of its own. Senders don't parse it; they compare it. A sender holding a cached copy of your policy checks this cheap DNS record on later deliveries: if the id matches the one it cached, it keeps using the cached policy without refetching the file.

That's why the one iron rule of this record is: change the id every time the policy file changes. Edit mta-sts.txt and leave the id alone, and senders will keep enforcing the old cached policy until their cache expires — which, with a well-chosen max_age, can be weeks away.

Correct record vs common mistake

Correct

v=STSv1; id=20260715T120000

A version tag and a fresh id — timestamps make good ids because every policy change gets an unambiguous new value.

Common mistake

v=STSv1; id=20250101T000000

The policy file changed but the id didn't. Senders compare the id against their cache, see no change, and keep enforcing the **old** policy until it expires.

Troubleshooting v=STSv1

IssueLikely causeFix
Senders still applying an old policymta-sts.txt was updated but the id in the DNS record wasn't changedBump the id to any new value (a timestamp works) every time the policy file changes
Policy not discovered at allTXT record published at the apex or under a mistyped namePublish it at exactly _mta-sts.<domain>, e.g. _mta-sts.yourdomain.com, and re-test
Record present but treated as invalidMultiple STSv1 TXT records left behind after a changeKeep exactly one — senders that find more than one treat the domain as having no valid record

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

The DNS-plus-HTTPS split doubles the surface for drift, and the stale-id mistake is invisible: the DNS record looks right, the policy file looks right, but half the internet is still enforcing last quarter's policy. Across 50–200 client domains, you lose the ability to say with confidence which policy any given tenant is actually running.

Trusted by MSPs

We increased our meetings booked by 21% and slept better at night knowing our emails are now secured
Marc-André CampagnaMarc-André Campagna CEO, gaiia (YC 2021)Read the case study →
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Palisade doesn't just check this record — it **hosts and automates** the whole MTA-STS setup: it publishes the DNS record, serves the policy file, and bumps the `id` automatically on every change, for every client domain. Most vendors only tell you when it's broken.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

An opaque string (up to 32 letters and digits) that senders cache to detect policy changes. Its format doesn't matter — timestamps are common — but it must change every time mta-sts.txt changes, or senders won't refetch.

As a TXT record at _mta-sts.<domain> — e.g. _mta-sts.yourdomain.com. Not at the apex, and not at mta-sts.<domain> (that hostname is where the policy file is served, which is a different thing).

No. It only announces that a policy exists. The actual rules — mode, allowed MX hosts, cache lifetime — live in the file at https://mta-sts.<domain>/.well-known/mta-sts.txt.

Yes. Senders with a cached policy only refetch when the id changes or their cache expires. Skip the id bump and your update silently waits out the full cache lifetime.

Related terms

What is MTA-STS? SMTP security policy explained