MTA-STS Provisioning
Provision a per-domain MTA-STS policy host with an automatic Let's Encrypt certificate so senders enforcing MTA-STS (Gmail, Outlook) accept your mail without deferring or bouncing.
MTA-STS (RFC 8461) tells sending mail servers that your domain requires TLS for incoming SMTP and pins which hostnames are valid. Senders that enforce it - notably Gmail and Outlook - check your published policy before delivery. If the policy is missing or invalid, those senders can defer or bounce your mail.
CeyMail provisions everything MTA-STS needs in one click: a per-domain virtual host serving /.well-known/mta-sts.txt, an automatically issued and renewed Let's Encrypt certificate, and live health checks that confirm the policy is being served correctly.
Pro feature
MTA-STS provisioning is available on the Pro plan and above.
How it works
MTA-STS has two halves: DNS records that announce the policy and an HTTPS endpoint that serves it. CeyMail handles the HTTPS half for you and tells you exactly which DNS records to add.
- CeyMail generates the three DNS records your domain needs (policy ID, policy host, and TLS reporting).
- You publish them at your DNS provider.
- You click Enable, and CeyMail provisions a per-domain virtual host at mta-sts.{domain}, requests a Let's Encrypt certificate over HTTP-01, and starts serving the policy file at /.well-known/mta-sts.txt.
- Senders enforcing MTA-STS fetch the policy, validate it against DNS, and require TLS for delivery to your domain.
DNS records
Before enabling provisioning, publish these three records at your DNS provider. The DNS Records page shows the exact values for each domain.
| Record | Name | Purpose |
|---|---|---|
| TXT | _mta-sts.{domain} | Policy ID - changes whenever the policy changes, signalling senders to refetch |
| A | mta-sts.{domain} | Points the policy host to your server's IP so the HTTPS endpoint resolves |
| TXT | _smtp._tls.{domain} | TLS reporting (TLSRPT) - receives reports about TLS negotiation failures |
Enabling provisioning
Once the DNS records are published:
- Navigate to the MTA-STS card on the domain's settings page.
- Click Enable.
- CeyMail creates a virtual host for mta-sts.{domain}, requests a Let's Encrypt certificate over HTTP-01, and begins serving /.well-known/mta-sts.txt.
- The card switches to Active and runs the four readiness checks below.
DNS first
The Let's Encrypt HTTP-01 challenge requires mta-sts.{domain} to resolve to your server's public IP before the certificate can be issued. Wait for DNS to propagate before clicking Enable.
Readiness checks
While provisioning is Active, the card runs four live checks against the policy host. All four must pass for senders to accept your policy:
| Check | What it verifies |
|---|---|
| DNS resolves to this server | mta-sts.{domain} points to your server's public IP |
| HTTPS policy endpoint reachable | https://mta-sts.{domain}/.well-known/mta-sts.txt responds on port 443 |
| Certificate valid | The Let's Encrypt cert is current; expiry date shown alongside |
| Policy ID in DNS matches server | The id= value in the _mta-sts.{domain} TXT record matches the policy file on disk |
If any check fails, the card shows which one and why so you can fix it without digging through logs.
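The two text formats the DNS and policy checks inspect are small and easy to validate offline. The following is an added example, not CeyMail's own code: it parses a `_mta-sts` TXT record and an mta-sts.txt policy body according to RFC 8461 and rejects malformed values; the domain and policy id are constructed sample values.

```python
"""Offline validator for the MTA-STS TXT record and policy file formats (RFC 8461)."""
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age must not exceed this many seconds
ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")  # policy id: 1-32 alphanumerics
MX_RE = re.compile(r"^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")  # optional leading wildcard

# Constructed sample inputs (hypothetical domain, not taken from any real deployment).
SAMPLE_TXT = "v=STSv1; id=20240101120000Z;"
SAMPLE_POLICY = "version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\nmx: *.example.com\r\nmax_age: 604800\r\n"


def parse_sts_txt(record: str) -> str:
    """Return the policy id from a 'v=STSv1; id=...' TXT record, or raise ValueError."""
    fields = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if part.strip() and not sep:
            raise ValueError(f"malformed TXT field: {part.strip()!r}")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must carry v=STSv1")
    if not ID_RE.match(fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields["id"]


def parse_policy(text: str) -> dict:
    """Parse the mta-sts.txt body into {'version', 'mode', 'mx': [...], 'max_age'}."""
    policy = {"mx": []}
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        key, sep, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            raise ValueError(f"missing ':' in policy line {raw!r}")
        if key == "mx":
            if not MX_RE.match(value):
                raise ValueError(f"invalid mx pattern {value!r}")
            policy["mx"].append(value)
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
        # Any other key is an extension field and is ignored, as RFC 8461 requires.
    if policy.get("version") != "STSv1":
        raise ValueError("policy version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be an integer no larger than {MAX_AGE_LIMIT}")
    policy["max_age"] = int(policy["max_age"])
    return policy
```

Pointing `parse_sts_txt` at the live TXT record and `parse_policy` at the fetched policy body gives you the same format checks the card performs, with a specific error message when one fails.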
Certificate renewal
Let's Encrypt certificates are valid for 90 days. CeyMail renews them automatically before expiry through the same ACME client used elsewhere on the server - no manual action required. The expiry date on the card always reflects the currently installed certificate.
Disabling provisioning
Click Disable to stop serving the policy host for the domain. The virtual host is removed, the certificate is left in place for the remainder of its validity, and senders will fall back to opportunistic TLS once the cached policy expires.
Remove DNS records too
After disabling, also remove the _mta-sts.{domain} and mta-sts.{domain} records at your DNS provider. Leaving the policy ID record published while no policy is being served can cause strict senders to bounce mail.
Why it matters
Gmail and Outlook both enforce MTA-STS for domains that publish a policy. A misconfigured or unreachable policy host is treated as a security failure, not a soft warning - mail can be deferred or bounced outright. CeyMail's provisioning eliminates the manual vhost, certificate, and renewal work that usually trips this up, and the readiness checks make breakage obvious before it affects deliverability.