Quick Answer

MTA-STS requires a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt over HTTPS with a valid certificate. You can host it on your existing web server, a static hosting service (GitHub Pages, Netlify, Vercel), Cloudflare Workers, or use a managed MTA-STS service. The file is tiny — hosting cost is effectively zero regardless of method.

MTA-STS Hosting: Where to Host the Policy File

By Braedon · Mailflow Authority · Email Authentication

The Hosting Requirement

MTA-STS needs two things:

  1. A DNS TXT record at _mta-sts.yourdomain.com
  2. A policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

The second part is the hosting challenge. You need a web server responding to HTTPS requests on the mta-sts subdomain. The file is about 100 bytes — this isn't a performance problem, it's a logistics problem.
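Before choosing a host it helps to see exactly what the two artefacts have to contain, because most "hosting" failures are really syntax failures in one of them. The validator below is an example added to this article, not the page's own code or any vendor's tool: it checks a _mta-sts TXT record and a policy body offline against the RFC 8461 syntax (version STSv1, the three modes, a 1-32 character alphanumeric id, max_age capped at one year of seconds, at least one mx pattern), and can also render a ready-to-host policy. The hostname regex is a pragmatic approximation of the RFC's Domain grammar rather than a full implementation, and the sample values are the placeholders used on this page.

```python
"""Offline validator for the two MTA-STS artefacts: the _mta-sts TXT record and
the policy body served at /.well-known/mta-sts.txt. Example added to the article,
not the page's own code or any vendor's tool. Syntax rules are from RFC 8461
section 3; MX_RE approximates the RFC's Domain grammar rather than implementing it."""
import re

MAX_AGE_LIMIT = 31557600          # RFC 8461: max_age may not exceed one year of seconds
VALID_MODES = {"enforce", "testing", "none"}
ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")          # sts-id: 1-32 alphanumerics
MAX_AGE_RE = re.compile(r"^[0-9]{1,10}$")
MX_RE = re.compile(r"^(\*\.)?([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


def txt_record_errors(record: str) -> list[str]:
    """Problems in a '_mta-sts' TXT record such as 'v=STSv1; id=20260401'."""
    errors, keys, fields = [], [], {}
    for pair in (p.strip() for p in record.split(";")):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            errors.append(f"field without '=': {pair!r}")
            continue
        keys.append(key.strip())
        fields[key.strip()] = value.strip()
    if not keys or keys[0] != "v" or fields["v"] != "STSv1":   # version must come first
        errors.append("record must begin with v=STSv1")
    if not ID_RE.match(fields.get("id", "")):
        errors.append("id must be 1-32 letters or digits")
    return errors


def _policy_fields(text: str):
    """Yield (key, value) per non-blank line; value is None when ':' is missing.
    splitlines() accepts both LF and CRLF line endings, as the RFC does."""
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            key, sep, value = line.partition(":")
            yield key.strip(), (value.strip() if sep else None)


def policy_errors(text: str) -> list[str]:
    """Problems in a policy body; an empty list means it is syntactically valid."""
    errors, seen, mx = [], {}, []
    for key, value in _policy_fields(text):
        if value is None:
            errors.append(f"line without ':' separator: {key!r}")
        elif key == "mx":
            mx.append(value)
        elif key in seen:
            errors.append(f"duplicate field: {key}")
        else:
            seen[key] = value          # unknown keys are extension fields: kept, not rejected
    if seen.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if seen.get("mode") not in VALID_MODES:
        errors.append("mode must be enforce, testing or none")
    age = seen.get("max_age", "")
    if not MAX_AGE_RE.match(age) or int(age) > MAX_AGE_LIMIT:
        errors.append(f"max_age must be an integer number of seconds, at most {MAX_AGE_LIMIT}")
    if not mx:
        errors.append("no mx line: no MX host could ever match this policy")
    errors.extend(f"mx is not a hostname or *.hostname: {h!r}" for h in mx if not MX_RE.match(h))
    return errors


def parse_policy(text: str) -> dict:
    """Fields of a valid policy (mx as a list, max_age as int); raises ValueError otherwise."""
    errors = policy_errors(text)
    if errors:
        raise ValueError("; ".join(errors))
    fields = {"mx": []}
    for key, value in _policy_fields(text):
        if key == "mx":
            fields["mx"].append(value)
        else:
            fields[key] = value
    fields["max_age"] = int(fields["max_age"])
    return fields


def render_policy(mode: str, mx_hosts: list[str], max_age: int) -> str:
    """Build a policy body with CRLF line endings, validated before it is returned."""
    lines = ["version: STSv1", f"mode: {mode}", *(f"mx: {h}" for h in mx_hosts), f"max_age: {max_age}"]
    body = "\r\n".join(lines) + "\r\n"
    errors = policy_errors(body)
    if errors:
        raise ValueError("; ".join(errors))
    return body


# Constructed sample inputs using the article's placeholder names
SAMPLE_TXT = "v=STSv1; id=20260401"
SAMPLE_POLICY = render_policy("enforce", ["mail.yourdomain.com", "*.mx.yourdomain.com"], 604800)
BROKEN_POLICY = "version: STSv1\nmode: enforced\nmx: mail.yourdomain.com\nmax_age: 99999999999\n"

if __name__ == "__main__":
    print(txt_record_errors(SAMPLE_TXT) or "TXT record OK")
    print(parse_policy(SAMPLE_POLICY))
    print(policy_errors(BROKEN_POLICY))
```

Run it before publishing a new policy, and again after any edit: the error list for BROKEN_POLICY shows the two mistakes that most often slip through (a misspelled mode and a max_age that is not a plain count of seconds), neither of which any hosting option will catch for you.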

Option 1: Your Existing Web Server

If you run a web server, add a virtual host or server block for mta-sts.yourdomain.com:

Nginx example:

server {
    listen 443 ssl;
    server_name mta-sts.yourdomain.com;

    # The certificate must cover mta-sts.yourdomain.com itself; Let's Encrypt paths shown
    ssl_certificate     /etc/letsencrypt/live/mta-sts.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mta-sts.yourdomain.com/privkey.pem;

    location = /.well-known/mta-sts.txt {
        # default_type sets the Content-Type of a return body; add_header would
        # append a second Content-Type header next to nginx's default instead
        default_type text/plain;
        return 200 "version: STSv1\nmode: enforce\nmx: mail.yourdomain.com\nmax_age: 604800\n";
    }
}

Pros: No additional services. Cons: Another subdomain to maintain TLS certificates for.

Option 2: GitHub Pages (Free)

  1. Create a repository named mta-sts
  2. Add .well-known/mta-sts.txt with your policy, plus an empty .nojekyll file at the repository root; without it the Jekyll build GitHub runs by default drops directories whose names start with a dot, and the file never gets published
  3. Enable GitHub Pages for the repository
  4. In the Pages settings set the custom domain to mta-sts.yourdomain.com, and add a DNS CNAME record for mta-sts.yourdomain.com pointing to yourusername.github.io
  5. Once the domain check passes, tick Enforce HTTPS; GitHub issues and renews the certificate

This is the most common free solution.

Option 3: Cloudflare Workers

Create a Worker that returns your policy:

// Module-syntax Worker (the form current Wrangler projects use); the older
// addEventListener('fetch', ...) style does the same job
export default {
  async fetch(request) {
    const url = new URL(request.url)
    // Senders fetch exactly this path; anything else gets a 404
    if (url.pathname === '/.well-known/mta-sts.txt') {
      return new Response(
        'version: STSv1\nmode: enforce\nmx: mail.yourdomain.com\nmax_age: 604800\n',
        { headers: { 'Content-Type': 'text/plain' } }
      )
    }
    return new Response('Not found', { status: 404 })
  }
}

Attach mta-sts.yourdomain.com to the Worker as a Custom Domain, or add a route for mta-sts.yourdomain.com/*. A route only fires for a hostname that is proxied through Cloudflare, so with the route approach the subdomain also needs a proxied DNS record; a Custom Domain creates that record for you. The free tier handles this easily.

Practitioner note: Cloudflare Workers is my go-to for MTA-STS hosting. Zero maintenance, global CDN, automatic HTTPS, and the free tier is more than enough. Set it up once and forget about it.

Option 4: Static Hosting (Netlify, Vercel)

Deploy a static site with just the policy file. Both Netlify and Vercel offer free tiers, custom domains, and automatic HTTPS.

Option 5: Managed Services

Services like EasyDMARC, dmarcian, and Hardenize offer managed MTA-STS hosting. They handle the subdomain, HTTPS, and policy file for you. Useful if you're already using their DMARC monitoring.

Important: HTTPS Certificate Requirements

The TLS certificate for mta-sts.yourdomain.com must be valid for that exact hostname and chain to a CA that sending MTAs trust, which in practice means a public CA; an internal CA or a self-signed certificate will not do. A sender that sees an expired, self-signed, or mis-named certificate discards the policy. Two further rules from RFC 8461 shape the hosting choice: the policy is fetched only over HTTPS, and senders must not follow HTTP redirects, so the exact URL has to answer 200 with the policy body (served as text/plain) rather than bounce to www., a trailing-slash variant, or another host. Use Let's Encrypt or your hosting provider's automatic certificates.

Practitioner note: The most common MTA-STS failure I see is an expired certificate on the mta-sts subdomain. People set it up, forget about it, and the cert expires. Use a hosting solution with automatic renewal.
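Browsers and curl -L hide the two failures described above, because they follow redirects and happily show a page served by the wrong certificate. The checker below is an example added to this article, not the page's or any vendor's code: it fetches the policy the way a sending MTA has to (HTTPS with full chain and hostname validation, no redirects), checks the status and Content-Type against RFC 8461 section 3.3, and reports how long the certificate has left. The 30-day expiry warning is a threshold chosen here, and the function names are this example's own; hosting_findings is kept pure so it can be exercised on constructed responses without a network.

```python
"""Live hosting check for an MTA-STS policy URL. Example added to the article,
not the page's or any vendor's code. Response rules (200 over HTTPS, text/plain,
redirects not followed) are from RFC 8461 section 3.3; EXPIRY_WARN_DAYS is an
assumption made here."""
import http.client
import ssl
import sys
import time
from typing import Optional

POLICY_PATH = "/.well-known/mta-sts.txt"
EXPIRY_WARN_DAYS = 30          # assumption: warn with under a month of validity left


def hosting_findings(status: int, content_type: Optional[str], body: str,
                     not_after: float, now: float) -> list[str]:
    """Pure check over an observed response and the cert's notAfter (epoch seconds).
    An empty list means the hosting looks correct."""
    findings = []
    if 300 <= status < 400:
        findings.append(f"HTTP {status} redirect: senders must not follow redirects, "
                        "so this policy is unreachable to them")
    elif status != 200:
        findings.append(f"HTTP {status}: the policy URL must answer 200")
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "text/plain":
        findings.append(f"Content-Type is {content_type!r}, expected text/plain")
    if "STSv1" not in body:      # cheap sanity check; full syntax validation is a separate job
        findings.append("body does not look like an STSv1 policy")
    days_left = (not_after - now) / 86400
    if days_left < 0:
        findings.append(f"certificate expired {-days_left:.0f} days ago")
    elif days_left < EXPIRY_WARN_DAYS:
        findings.append(f"certificate expires in {days_left:.0f} days")
    return findings


def check_live(domain: str, timeout: float = 10.0) -> list[str]:
    """Fetch https://mta-sts.<domain>/.well-known/mta-sts.txt and evaluate it.
    http.client never follows redirects, so a 3xx surfaces as a finding instead
    of being chased the way a browser or curl -L would."""
    host = f"mta-sts.{domain}"
    ctx = ssl.create_default_context()          # system CA bundle, hostname check on
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.connect()                           # TLS handshake and certificate validation happen here
        not_after = ssl.cert_time_to_seconds(conn.sock.getpeercert()["notAfter"])
        conn.request("GET", POLICY_PATH)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
    except OSError as exc:                       # DNS, timeout, expired or mis-named cert, untrusted chain
        return [f"connection or TLS failure, which a sender treats as no fetchable policy: {exc}"]
    finally:
        conn.close()
    return hosting_findings(resp.status, resp.getheader("Content-Type"), body, not_after, time.time())


if __name__ == "__main__":
    # usage: python3 mtasts_check.py yourdomain.com  (the mta-sts. label is added for you)
    for line in check_live(sys.argv[1]) or ["hosting looks healthy"]:
        print(line)
```

Schedule it daily next to your certificate renewal job; a non-empty result is exactly the class of problem that otherwise only shows up weeks later as fetch errors in someone else's TLS-RPT report.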

DNS Setup

Alongside your hosting, add the DNS TXT record:

Type: TXT
Host: _mta-sts
Value: v=STSv1; id=20260401

And the CNAME or A record for the mta-sts subdomain pointing to your chosen hosting. Change the id value every time the policy file changes: senders cache the policy for max_age and only refetch early when they see a new id in the TXT record, so an edited file behind an unchanged id is not picked up until the cache expires.

For a complete MTA-STS deployment including hosting, TLS-RPT monitoring, and enforcement decisions, reach out for a consultation.


v1.0 · April 2026

Frequently Asked Questions

Where do I host the MTA-STS policy file?

Any HTTPS-capable web server at the mta-sts subdomain of your domain. Options include your existing web server, GitHub Pages, Cloudflare Workers, Netlify, Vercel, or a managed service like EasyDMARC.

Does MTA-STS hosting need to be highly available?

It should be, but an outage is mainly a downgrade risk rather than a bounce risk. RFC 8461 tells a sender that finds your TXT record but cannot fetch or validate the policy, and has no cached copy, to deliver as though the domain had no MTA-STS at all; a sender that already holds a cached copy keeps applying it until its max_age runs out. So a dead mta-sts host rarely bounces mail, in testing or enforce mode, but it silently removes the protection for every sender that has not cached you yet, and it shows up as sts-policy-fetch-error entries in your TLS-RPT reports. Use reliable hosting, and keep max_age long (the examples above use a week) so that senders' caches ride out short outages.

Can I use Cloudflare for MTA-STS hosting?

Yes. Create a Worker that returns your policy text at /.well-known/mta-sts.txt and attach mta-sts.yourdomain.com to it as a Custom Domain (or a route plus a proxied DNS record), or publish the file with Cloudflare Pages and CNAME the mta-sts subdomain to the Pages project's hostname. Either way Cloudflare issues and renews the certificate.

Want this handled for you?

Free 30-minute strategy call. Walk away with a plan either way.