Free IT Review
Your email’s working fine, right? Well, yes, it probably is on the surface, but there may be unknown issues lurking underneath – for example, unbeknownst to you, your mail may be getting marked as spam, put in junk folders or, worse still, just being dropped.
Back in the day we all ran our own email servers on premise, or if you were loaded with cash, in a co-lo or hosted environment, and it was yours. Probably an early version of Microsoft Exchange or Unix mail. There were issues like open relays and DoS attacks. Those issues are mostly solved now with cloud services – but, as they say, one door closes and another opens. Today’s attackers use phishing to con users, and good email security can help you stop some of these threats (not all – your users always need to be wary).
We believe every email admin has a responsibility to secure their system as well as possible, and there are some basic DNS records (SPF, DKIM and DMARC) that you should have in place before setting up MTA-STS. Once you have these in place you can move on (there are plenty of guides on the internet, and if you use Google Workspace / Gmail or Office 365 as your email provider, there are guided walkthroughs on their platforms).
Pro Tip: You can validate your records with tools like MailHardener.
Note: If you are running a hybrid email environment it gets a bit more complicated, and you may want to reach out to us for a free email review, where we can help you set these up as an outcome.
Google and Yahoo have announced that from February 2024 they will start rejecting mail from bulk senders whose domains don’t have correct DMARC and DKIM records, among other requirements – read the Google blog post HERE. In a nutshell, if you want to ensure your email is getting through, follow the rules – and make yourself more secure in the process.
Right then, you've got your basic DNS records in place – what the hell is MTA-STS and why do you want it?
In layman’s terms, MTA-STS (RFC 8461) is a bit more DNS plus a small text file served over HTTPS that tells sending mail servers your domain’s mail must be delivered over TLS, with a valid certificate, and only to the MX hosts you list. Without it, server-to-server TLS is opportunistic: an attacker on the path can strip the STARTTLS offer or spoof your MX records and the sender will happily fall back to plaintext or deliver elsewhere. There are many ways to set it up, in fact you can even buy a service that sets up and hosts it for you HERE (along with a full explanation of the protocol), but in reality it boils down to a few simple things:
1. Three DNS records: two TXT records and a CNAME.
2. A static HTTPS website that hosts the policy file at https://mta-sts.<your domain>/.well-known/mta-sts.txt (a valid TLS certificate is a hard requirement). In this guide that is a free Cloudflare Worker, with a route that points the mta-sts hostname at it.
3. I would love to say there is more, but that’s really it.
There are a lot of articles out there on how to achieve it – for our production domains we use Azure serverless, because, well, Microsoft gives us free resources as a partner. But for most people and smaller organisations there is a super simple and FREE way to achieve this.
For the purposes of this article we are going to show you how to set up MTA-STS for your domain for free using Cloudflare. If you are not aware of Cloudflare, they are huge in internet security – if you don’t already, I recommend using their public DNS resolver, 1.1.1.1, as your external DNS.
But I digress, today we are talking about MTA-STS only. So here is what you need to do:
1. Set up a free Cloudflare account, validate your email, and log in
a. There are a load of free features you get – but that’s for another day!
2. (Optional) Move your entire public DNS (e.g. EXAMPLE.COM) to Cloudflare
Note – if you choose not to do this you can do some clever conditional DNS forwarding from your existing provider, or just add the three records to your own DNS provider. I see no reason why this would not work, but we didn’t test it out. Let us know in the comments if you try it and whether it works!
a. Create a site – EXAMPLE.COM is what we will be using for the demo
b. Open the DNS editor and add the records you need for normal operation
3. Set up MTA-STS
a. Create two TXT records:
i. Record: _mta-sts | Value: v=STSv1; id=<number>;
Purpose: this tells sending servers that the domain publishes an MTA-STS policy. The id can be any string of up to 32 letters and digits, but I use the date/time so I know when it was last updated. Senders cache your policy and use the id to spot that it has changed, so change the id every time you edit the policy (including when you later switch from testing to enforce).
ii. Record: _smtp._tls | Value: v=TLSRPTv1; rua=mailto:<your reporting address>
Purpose: this turns on TLS reporting (TLS-RPT), so that sending servers email you a daily summary of any TLS or policy failures and you can check for errors after setup.
b. Create a Worker in Cloudflare:
i. Open Websites | EXAMPLE.COM | Workers Routes | Manage Workers
ii. Click Create Application | Create Worker | Deploy
iii. Select your new worker (it gets a random name like failing-moon-67fe)
iv. Select Quick Edit and replace the default code with the code below:
// Start in 'testing': senders report failures but still deliver. Switch to 'enforce'
// once your TLS-RPT reports are clean (and change the id in the _mta-sts TXT record).
const mode = 'testing';
// const mode = 'enforce';
const max_age = 604800; // seconds senders may cache the policy: 1 week
// The MX hosts senders are allowed to deliver to – these are Google's
const mx_list = [
  'aspmx.l.google.com',
  'alt1.aspmx.l.google.com',
  'alt2.aspmx.l.google.com',
  'alt3.aspmx.l.google.com',
  'alt4.aspmx.l.google.com'
];
const sts = `version: STSv1
mode: ${mode}
${mx_list.map(i => 'mx: ' + i).join('\n')}
max_age: ${max_age}
`;
// Serve the policy on every path (senders fetch /.well-known/mta-sts.txt) as text/plain
addEventListener('fetch', evt => {
  evt.respondWith(new Response(sts, { headers: { 'content-type': 'text/plain' } }));
});
Notes: this policy is configured for Gmail / Google Workspace – if you use another provider you will need to replace the mx_list values with your provider’s MX hosts. They must cover every MX record your domain publishes, otherwise senders will refuse to deliver to the missing host once you enforce.
Mode: this is set to testing – run in this mode for a few weeks and check that no errors arrive at your reporting email. In testing mode senders still deliver even if the policy check fails; they only report it. Once you are happy, change this to ‘enforce’ and bump the id in the _mta-sts TXT record so senders fetch the new policy.
v. Click Save and Deploy
vi. Select Routes | Add Route
vii. Route: https://mta-sts.example.com/* | Zone: EXAMPLE.COM | Select your worker from step iii
viii. Click Save
c. Create the CNAME DNS record
i. Open Websites | Select EXAMPLE.COM | DNS
ii. Add Record | Type: CNAME | Name: mta-sts | Target: the worker’s hostname from step iii (the one ending in workers.dev)
Note: remove the https:// prefix and the / suffix or it won’t save. Leave the record proxied (orange cloud): worker routes only fire for requests that pass through Cloudflare’s proxy, and the proxy is also what gives mta-sts.example.com a valid certificate for its own name. If the route is missing or wrong, Cloudflare instead tries to proxy the request to the CNAME target, which is what a 522 (origin connection timed out) error means.
d. That’s it – your MTA-STS setup is complete!!
Now head over to MailHardener, select the MTA-STS Validator and check the results. Sending servers fetch your policy from https://mta-sts.example.com/.well-known/mta-sts.txt, so it is worth opening that URL in a browser as well.
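If you would rather check the setup yourself than rely on a third-party validator, the following is an added example (not code from the original article) that does what a sending server does: parse the policy text, parse the _mta-sts TXT record, and confirm every MX host the domain publishes is covered by an mx line. The sample policy, TXT record and MX list at the bottom are constructed for the example; checkDomain() does the live lookups and assumes Node 18 or later for the built-in dns module and global fetch.

```javascript
// Added example, not code from the original article: parse an MTA-STS policy and check it
// against the DNS records you just created, the way a sending server would, before you flip
// the worker from 'testing' to 'enforce'. The sample at the bottom is constructed;
// checkDomain() does live lookups with Node's built-in dns module and global fetch (Node 18+).
const MAX_AGE_LIMIT = 31557600; // RFC 8461: max_age must not exceed roughly one year

// Parse the policy body (key: value lines) into { version, mode, max_age, mx: [...] }
function parsePolicy(text) {
  const policy = { mx: [] };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    const idx = line.indexOf(':');
    if (idx === -1) throw new Error(`malformed policy line: ${line}`);
    const key = line.slice(0, idx).trim();
    const value = line.slice(idx + 1).trim();
    if (key === 'mx') policy.mx.push(value.toLowerCase());
    else policy[key] = value;
  }
  return policy;
}

// Parse the _mta-sts TXT record ("v=STSv1; id=...;") into its fields
function parseStsRecord(txt) {
  const fields = {};
  for (const part of txt.split(';')) {
    const [k, v] = part.split('=').map(s => s.trim());
    if (k) fields[k] = v;
  }
  return fields;
}

// An mx entry is an exact host or a wildcard like *.example.com, which matches one label only
function mxMatches(pattern, host) {
  host = host.toLowerCase();
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && !host.slice(0, -suffix.length).includes('.');
  }
  return pattern === host;
}

// Return a list of problems; an empty list means the records and policy are consistent
function checkPolicy({ policy, stsRecord, mxHosts, contentType }) {
  const problems = [];
  if (stsRecord.v !== 'STSv1') problems.push('_mta-sts TXT record is not v=STSv1');
  if (!/^[A-Za-z0-9]{1,32}$/.test(stsRecord.id || '')) problems.push('_mta-sts id must be 1-32 letters or digits');
  if (contentType && !contentType.toLowerCase().startsWith('text/plain')) {
    problems.push(`policy served as ${contentType}, senders expect text/plain`);
  }
  if (policy.version !== 'STSv1') problems.push('policy version is not STSv1');
  if (!['enforce', 'testing', 'none'].includes(policy.mode)) problems.push(`unknown mode: ${policy.mode}`);
  const maxAge = Number(policy.max_age);
  if (!Number.isInteger(maxAge) || maxAge < 0 || maxAge > MAX_AGE_LIMIT) {
    problems.push(`max_age must be an integer between 0 and ${MAX_AGE_LIMIT}`);
  }
  if (policy.mode !== 'none') {
    if (policy.mx.length === 0) problems.push('policy lists no mx hosts');
    // Every MX the zone publishes must be covered, or senders will refuse that host under enforce
    for (const host of mxHosts) {
      if (!policy.mx.some(p => mxMatches(p, host))) problems.push(`MX ${host} is not covered by the policy`);
    }
  }
  return problems;
}

// Live check of a real domain (assumes Node 18+); returns the same problem list
async function checkDomain(domain) {
  const dns = await import('node:dns');
  const txt = (await dns.promises.resolveTxt(`_mta-sts.${domain}`))
    .map(chunks => chunks.join('')).find(r => r.startsWith('v=STSv1')) || '';
  const mxHosts = (await dns.promises.resolveMx(domain)).map(r => r.exchange);
  const res = await fetch(`https://mta-sts.${domain}/.well-known/mta-sts.txt`);
  const policy = parsePolicy(await res.text());
  return checkPolicy({ policy, stsRecord: parseStsRecord(txt), mxHosts, contentType: res.headers.get('content-type') });
}

// Constructed sample: the Gmail policy from the worker, checked against a zone that also
// publishes a backup MX the policy does not list (a common way to break mail under enforce)
const SAMPLE_POLICY = `version: STSv1
mode: testing
mx: aspmx.l.google.com
mx: alt1.aspmx.l.google.com
mx: alt2.aspmx.l.google.com
mx: alt3.aspmx.l.google.com
mx: alt4.aspmx.l.google.com
max_age: 604800
`;
const SAMPLE_TXT = 'v=STSv1; id=20240115093000;';
const SAMPLE_MX = ['aspmx.l.google.com', 'alt1.aspmx.l.google.com', 'backup-mx.example.net'];

function checkSample() {
  return checkPolicy({ policy: parsePolicy(SAMPLE_POLICY), stsRecord: parseStsRecord(SAMPLE_TXT),
    mxHosts: SAMPLE_MX, contentType: 'text/plain' });
}

console.log(checkSample()); // [ 'MX backup-mx.example.net is not covered by the policy' ]
```

The sample deliberately has an MX host the policy does not mention: in testing mode that only shows up in TLS-RPT reports, but under enforce senders would refuse to deliver to it. Run `checkDomain('yourdomain.example').then(console.log)` against a real domain once the records have propagated; an empty array is what you want to see.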
Note: We had an issue where we were getting a 522 error returned from the server for the favicon GET – if you see this error, or ‘policy cannot be retrieved’, check that your worker route is set correctly. You may be able to see the policy in a browser but the validation tool will still fail in this case.
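The testing period only helps if you actually read the TLS-RPT reports that land at the rua= address. They arrive as gzip-compressed JSON attachments (RFC 8460), one per sending organisation per day. The following is an added example, not code from the original article, that reduces a report to session counts and a tally of failure reasons per policy, and answers the one question you care about: is it safe to switch the worker to enforce yet? The report at the bottom is constructed for the example; readReportFile() assumes Node 18 or later.

```javascript
// Added example, not code from the original article: summarise the TLS-RPT (RFC 8460) reports
// that arrive at your rua= address, so you can see whether senders are hitting problems with
// your policy while it is still in testing mode. The report below is constructed.

// Reduce one report to per-policy session counts and a tally of failure reasons
function summariseReport(jsonText) {
  const report = JSON.parse(jsonText);
  return report.policies.map(entry => {
    const failures = {};
    for (const f of entry['failure-details'] || []) {
      const reason = f['result-type'];
      failures[reason] = (failures[reason] || 0) + f['failed-session-count'];
    }
    return {
      reporter: report['organization-name'],
      domain: entry.policy['policy-domain'],
      type: entry.policy['policy-type'], // 'sts' for MTA-STS, 'tlsa' for DANE, or 'no-policy-found'
      ok: entry.summary['total-successful-session-count'],
      failed: entry.summary['total-failure-session-count'],
      failures,
    };
  });
}

// Under 'testing' these failures are only reported; under 'enforce' the same sessions would be
// refused, so only switch when every reporter shows zero failures against your sts policy
function readyToEnforce(summaries) {
  const sts = summaries.filter(s => s.type === 'sts');
  return sts.length > 0 && sts.every(s => s.failed === 0);
}

// Decompress a .json.gz attachment saved from the report email (assumes Node 18+)
async function readReportFile(path) {
  const [fs, zlib] = await Promise.all([import('node:fs/promises'), import('node:zlib')]);
  return summariseReport(zlib.gunzipSync(await fs.readFile(path)).toString('utf8'));
}

// Constructed report: one sending organisation delivered 1,200 sessions to example.com and failed 7,
// because a backup MX does not offer STARTTLS and also presented a certificate for the wrong name
const SAMPLE_REPORT = JSON.stringify({
  'organization-name': 'Example Sender Inc',
  'date-range': { 'start-datetime': '2024-02-01T00:00:00Z', 'end-datetime': '2024-02-01T23:59:59Z' },
  'contact-info': 'tls-reports@sender.example',
  'report-id': '2024-02-01T00:00:00Z_example.com',
  policies: [{
    policy: {
      'policy-type': 'sts',
      'policy-string': ['version: STSv1', 'mode: testing', 'mx: aspmx.l.google.com', 'max_age: 604800'],
      'policy-domain': 'example.com',
    },
    summary: { 'total-successful-session-count': 1200, 'total-failure-session-count': 7 },
    'failure-details': [
      { 'result-type': 'starttls-not-supported', 'sending-mta-ip': '203.0.113.5',
        'receiving-mx-hostname': 'backup-mx.example.net', 'failed-session-count': 5 },
      { 'result-type': 'certificate-host-mismatch', 'sending-mta-ip': '203.0.113.5',
        'receiving-mx-hostname': 'backup-mx.example.net', 'failed-session-count': 2 },
    ],
  }],
});

function summariseSample() {
  return summariseReport(SAMPLE_REPORT);
}

console.log(summariseSample(), readyToEnforce(summariseSample())); // ... false
```

Keep the reports for the whole testing period, not just the last day: a sender that only talks to you weekly will not show up in a single report, and it is exactly those occasional senders that get bitten when you enforce.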