Email Security feature request: MTA-STS

Hi,

It would be good for Cloudflare to offer easy MTA-STS configuration; this feature doesn’t really seem to be offered widely.

It would be very simple for Cloudflare to implement, as MTA-STS just requires DNS and hosting of a single file over SSL, both of which are offered by Cloudflare.

Cloudflare R2 should be able to just host and serve that single file.

Looking forward to it.

Thanks,

I use a Worker for my mta-sts file:

// MTA-STS policy text (RFC 8461). It must be served as text/plain over HTTPS at
// https://mta-sts.<domain>/.well-known/mta-sts.txt, so the Worker route (or custom
// domain) has to cover the mta-sts.<domain> hostname. LF line endings are accepted.
const policy = `version: STSv1
mode: enforce
mx: smtp.MAILHOST.com
max_age: 86400
`

async function handleRequest(request) {
  // This Worker returns the policy for every path on the route, which is fine
  // as long as the route is scoped to the mta-sts hostname.
  const init = {
    headers: {
      'content-type': 'text/plain;charset=UTF-8',
    },
  }
  return new Response(policy, init)
}

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

5 Likes

oh nice!

Would be good for Cloudflare to offer it as an easy to configure option within Email Security though still! :smile:

I use a Cloudflare Pages site to host my mta-sts. Just be aware that it is two DNS records and a single file.

I agree that having a one-click deployment of MTA-STS for sites using Cloudflare Email Forwarding would be nice.

No-click deployment of MTA DANE would be substantially better.

4 Likes

  1. Cloudflare knows the current MX records for a domain
  2. Cloudflare has the ability to create the mta-sts subdomain and TXT records automatically – just like it currently does with CAA.
  3. Cloudflare has the ability to host the MTA-STS policy file – either via Workers or R2

I think all the ingredients are there.

1 Like
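As an added example (not code from this thread or from Cloudflare), here is what the "two DNS records and a single file" from the Pages post, and the three ingredients listed above, look like in JavaScript: a builder that derives the _mta-sts TXT record, the mta-sts host record and the policy file from a domain's MX list, plus the checks a sending MTA applies before trusting a policy (RFC 8461 field validation and the single-label wildcard MX match). The domain, MX hosts and the Pages-style target hostname are constructed sample data, and the CNAME target and the id format are assumptions for illustration.

```javascript
// Added example, not code from the original thread. Builds the two DNS records
// and the single policy file that MTA-STS (RFC 8461) needs, and validates a
// policy the way a sending MTA would. All hostnames are constructed samples.

const MODES = ['none', 'testing', 'enforce'];
const MAX_AGE_LIMIT = 31557600; // RFC 8461 upper bound for max_age (one year)
const ID_RE = /^[A-Za-z0-9]{1,32}$/; // RFC 8461: id = 1*32(ALPHA / DIGIT)

// Build the records and policy for `domain`. `policyTarget` is whatever serves
// https://mta-sts.<domain>/.well-known/mta-sts.txt (assumption: a CNAME target).
function buildMtaSts(domain, mxHosts, { mode = 'testing', maxAge = 86400, id, policyTarget }) {
  if (!MODES.includes(mode)) throw new Error(`invalid mode: ${mode}`);
  if (mxHosts.length === 0) throw new Error('at least one mx pattern is required');
  if (!Number.isInteger(maxAge) || maxAge < 0 || maxAge > MAX_AGE_LIMIT)
    throw new Error(`max_age must be 0..${MAX_AGE_LIMIT} seconds`);
  // The id only has to change whenever the policy changes; a timestamp works.
  const policyId = id ?? new Date().toISOString().replace(/[-:.]/g, '').slice(0, 15);
  if (!ID_RE.test(policyId)) throw new Error(`invalid id: ${policyId}`);
  const policyText = [
    'version: STSv1',
    `mode: ${mode}`,
    ...mxHosts.map(mx => `mx: ${mx}`),
    `max_age: ${maxAge}`,
    '', // trailing line terminator; LF or CRLF are both accepted
  ].join('\n');
  return {
    // Record 1: senders discover the policy and detect updates through this TXT record
    txtRecord: { name: `_mta-sts.${domain}`, type: 'TXT', value: `v=STSv1; id=${policyId}` },
    // Record 2: the hostname that serves the policy file over HTTPS
    policyRecord: { name: `mta-sts.${domain}`, type: 'CNAME', value: policyTarget },
    policyUrl: `https://mta-sts.${domain}/.well-known/mta-sts.txt`,
    policyText,
  };
}

// Parse "v=STSv1; id=..." as a sender would; v=STSv1 must be the first field.
function parseTxtRecord(txt) {
  const fields = txt.split(';').map(s => s.trim()).filter(Boolean);
  if (fields[0] !== 'v=STSv1') throw new Error('TXT record must start with v=STSv1');
  const kv = {};
  for (const f of fields) {
    const i = f.indexOf('=');
    if (i < 1) throw new Error(`malformed TXT field: ${f}`);
    kv[f.slice(0, i)] = f.slice(i + 1);
  }
  if (!ID_RE.test(kv.id ?? '')) throw new Error('TXT record needs id=1*32(ALPHA/DIGIT)');
  return { v: kv.v, id: kv.id };
}

// Parse and validate a policy file body. Unknown fields are ignored as RFC 8461
// requires; duplicated singleton fields are rejected here (an assumption).
function parsePolicy(text) {
  const policy = { mx: [] };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    const m = /^([^:\s]+)\s*:\s*(.*)$/.exec(line); // name *WSP ":" *WSP value
    if (!m) throw new Error(`malformed policy line: ${raw}`);
    const [, name, value] = m;
    if (name === 'mx') policy.mx.push(value.trim());
    else if (['version', 'mode', 'max_age'].includes(name)) {
      if (name in policy) throw new Error(`duplicate field: ${name}`);
      policy[name] = value.trim();
    }
  }
  if (policy.version !== 'STSv1') throw new Error('version must be STSv1');
  if (!MODES.includes(policy.mode)) throw new Error(`invalid or missing mode: ${policy.mode}`);
  if (!/^\d+$/.test(policy.max_age ?? '') || Number(policy.max_age) > MAX_AGE_LIMIT)
    throw new Error(`max_age must be an integer of seconds, at most ${MAX_AGE_LIMIT}`);
  policy.max_age = Number(policy.max_age);
  if (policy.mx.length === 0) throw new Error('policy needs at least one mx pattern');
  for (const p of policy.mx)
    if (!/^(\*\.)?[A-Za-z0-9.-]+$/.test(p)) throw new Error(`bad mx pattern: ${p}`);
  return policy;
}

// RFC 8461 section 4.1: an MX host matches a pattern exactly (case-insensitive)
// or, for a "*." pattern, when only its leftmost label differs from the suffix.
function mxMatches(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, '');
  const p = pattern.toLowerCase();
  if (!p.startsWith('*.')) return h === p;
  const dot = h.indexOf('.');
  return dot > 0 && h.slice(dot + 1) === p.slice(2);
}

function mxAllowed(policy, host) {
  return policy.mx.some(p => mxMatches(host, p));
}

// Demo on constructed data: build, then validate the round trip.
const sample = buildMtaSts('example.com', ['mx1.example.com', '*.mx.example.net'],
  { mode: 'enforce', id: '20240101T000000', policyTarget: 'example.pages.dev' });
console.log(sample.txtRecord, sample.policyRecord, sample.policyUrl);
console.log(sample.policyText);
console.log('mx1.example.com allowed:', mxAllowed(parsePolicy(sample.policyText), 'mx1.example.com'));
```

Note that the wildcard is deliberately single-label: `*.mx.example.net` covers `a.mx.example.net` but neither `mx.example.net` nor `x.a.mx.example.net`, which is the behaviour a sender applies and therefore what a generated policy has to account for when MX names are nested.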

Would agree. It reminds me a bit of a few topics about a possible idea of having managed TLSA records with Cloudflare too …

:+1:

:+1:

1 Like

That might have been my rant from a few days ago.

It would seem to an outsider like me that TLSA on isaac, linda and amir.mx.cloudflare.net would be trivial, and have more benefit than MTA-STS. And if Cloudflare don’t do it, nobody else can either.

On the TLSA records for Universal and ACM certs, again only Cloudflare can do this, and if they did, I’m sure that user-agents would suddenly have a reason to start supporting it. I’m not sure if there is a reason the browsers do not currently support TLSA validation.

1 Like

This is very helpful. Thank you for posting.

2 Likes