MTA-STS fails with proxied MTA-STS A record

So, as the title suggests, when the MTA-STS A record is proxied, it fails to fetch the policy.

As soon as I unproxy the A record for MTA-STS, policy is fetched without issue.

Is this normal? Do I have to leave the MTA-STS record unproxied?


From my experience, yes.

It may depend on where it is hosted.

I have some MTA-STS hosted in workers, which are proxied (wouldn’t work otherwise) and some hosted on other services that are non-proxied because the service needs to verify the record exists—which it cannot do when proxied.

1 Like

Ok thanks, ill just leave it unproxied for now.

I need to look into and understand this workers thing.

Also, does CF DMARC reporting support MTA-STS reports?

Not that I’m aware of.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.