Hi,
It would be good for Cloudflare to offer ease of MTA-STS configuration, this feature doesn’t really seem to be offered widely.
It would be very simple for Cloudflare to implement, as MTA-STS just requires DNS and a single file hosting with SSL. Both of which are offered by Cloudflare.
Cloudflare R2 should be able to just host and serve that single file.
Looking forward to it.
Thanks,
I use a Worker for my mta-sts file:
async function handleRequest(request) {
const init = {
headers: {
'content-type': 'text/plain;charset=UTF-8',
},
}
return new Response(someHTML, init)
}
addEventListener('fetch', event => {
return event.respondWith(handleRequest(event.request))
})
const someHTML = `version: STSv1
mode: enforce
mx: smtp.MAILHOST.com
max_age: 86400
`
oh nice!
Would be good for Cloudflare to offer it as an easy to configure option within Email Security though still! 
I use a Cloudflare Pages site to host my mta-sts. Just be aware that it is two DNS records and a single file.
I agree that having a one-click deployment of MTA-STS for sites using Cloudflare Email Forwarding would be nice.
No-click deployment of MTA DANE would be substantially better.
I think all the ingredients are there.
Would agree. It reminds me a bit on a few topics about a possible idea of having managed TLSA records with Cloudflare too …
That might have been my rant from a few days ago.
It would seem to an outsider like me that TLSA on isaac,linda and amir.mx.cloudflare.net would be trivial, and have more benefit than MTA-STS. And if Cloudflare don’t do it, nobody else can either.
On the TLSA records for Universal and ACM certs, again only Cloudflare can do this, and if they did, I’m sure that user-agents would suddenly have a reason to start supporting it. I’m not sure if there is a reason the browsers do not currently support TLSA validation.
This is very helpful. Thank you for posting.
Here’s a simple and easy to read version for Gmail.