I'm setting up MTA-STS for various domains and I'm curious about how to properly host the mta-sts.txt file. It needs to be available at https://mta-sts.domainname.com/.well-known/mta-sts.txt, but I'm worried about potential issues if the website hosting goes down. Would that affect our email delivery? I'm concerned that if something goes wrong—like an SSL renewal issue or a developer messing with the site—emails might not get through. Am I overthinking this? What are the best practices for ensuring this doesn't happen?
3 Answers
MTA-STS is designed not to block email if the HTTPS endpoint isn't reachable. According to RFC 8461, if the policy can't be fetched, it acts as if it's not implemented, allowing mail delivery to continue. Once the policy is pulled, it's cached for the duration you've set. It’s fine to host it with your main site, but having it hosted separately gives you more resilience. Here’s a good resource on it: https://www.uriports.com/blog/hosted-mta-sts/
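The fallback and caching behaviour this answer describes, modelled as an added example (not code from the thread or from any of the products mentioned); the sample policy, hostnames and the `fetch_ok`/`fetch_down` stand-ins for the HTTPS fetch are constructed:

```python
# Added example (not from the thread): a minimal model of how a sending MTA
# applies RFC 8461 rules when the mta-sts.txt fetch fails, using max_age caching.

SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""  # constructed sample policy; hostnames are placeholders

def parse_policy(text):
    """Parse mta-sts.txt into a dict ('mx' collects into a list); None if malformed."""
    policy = {"mx": []}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not sep:
            return None
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        return None
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        return None
    return policy

def fetch_ok(domain):    # stand-in for a successful HTTPS GET of the policy
    return SAMPLE_POLICY

def fetch_down(domain):  # stand-in for an unreachable site or expired certificate
    raise ConnectionError("TLS handshake failed")

def effective_policy(cache, domain, fetch, now):
    """Return the policy to apply, or None meaning 'proceed as if MTA-STS were not deployed'."""
    cached = cache.get(domain)
    if cached and cached[1] > now:
        return cached[0]          # a still-valid cached policy survives a web outage
    try:
        policy = parse_policy(fetch(domain))
    except Exception:
        policy = None
    if policy is None:
        # RFC 8461: no fetchable policy and no valid cached one -> deliver as if no policy
        return None
    cache[domain] = (policy, now + policy["max_age"])
    return policy
```

The point for the question above: an outage of the policy site never blocks mail, but once a cached policy expires, senders silently stop enforcing TLS until the site is back, so monitoring the endpoint still matters.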
We've been using URIports for hosted MTA-STS. It's a solid option, and their pricing is transparent and affordable. Just a heads up, as an MSP, getting approval for all clients might be tricky, but you might be able to pitch it to larger customers!
I recommend hosting the mta-sts.domain.com file separately from your main website. This way, if the website goes down, your email service stays stable. Consider using a minimal server or a cloud service that can handle automatic SSL renewals—it's a good way to add an extra layer of reliability!
That looks really nice! But convincing clients could be a challenge for smaller accounts.