MTA-STS MX Records do not match ones reported in STS Policy


I’m trying to add MTA-STS security to my domain and I’m using a Cloudflare worker. When I check the MTA-STS configuration Diagnostics via Google Admin I’m shown the following configuration error.

When I use to look up MTA-STS for my domain I show that under the MTA-STS MX Host Validation test there is “No MTA-STS Policy MX Pattern Match”. However, all other MTA-STS tests seem to be successfully configured.

Is it possible to use the Cloudflare worker and modify the policy to meet the suggested policy configuration from my Google Admin account, or will I need to manually create an MTA-STS subdomain with the suggested configuration?

Any help is appreciated.

Your policy is clearly incorrect, as it doesn’t match your MX records:

It seems you deployed one of the default Workers templates as-is to serve your policy file. But that template’s code is specifically for the case where Cloudflare handles your incoming mails (Cloudflare Email Routing).

You need to adapt this Workers template code for your email service provider, Google Workspace. Just Google “hosting mta-sts policy file on Cloudflare Workers” and you’ll get a lot of working examples.

Here’s one: Hosting MTA-STS .txt file on CloudFlare Workers | Mike Hosker

Of course, you could host the policy file yourself by pointing the subdomain to your own server and placing the mta-sts.txt file there (must be HTTPS and minimum TLS 1.2).
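
The check behind a "No MTA-STS Policy MX Pattern Match" result, as an added example that is not part of the original reply or of any Cloudflare template: it parses a policy body and reports which MX hosts no `mx:` pattern covers, using the RFC 8461 rule that `*.` matches exactly one left-most label. The two policy strings and the MX host list are constructed sample values, and the function names are hypothetical; substitute your own policy text and MX lookup results.

```javascript
// Constructed sample: a policy whose mx pattern belongs to another mail provider.
const STALE_POLICY =
  "version: STSv1\r\nmode: enforce\r\nmx: *.mx.cloudflare.net\r\nmax_age: 86400\r\n";

// Constructed sample: a policy listing Google Workspace style MX hosts.
const FIXED_POLICY =
  "version: STSv1\r\nmode: enforce\r\nmx: aspmx.l.google.com\r\n" +
  "mx: *.aspmx.l.google.com\r\nmax_age: 86400\r\n";

// Constructed MX answer; replace with the output of your own MX lookup.
const MX_HOSTS = ["aspmx.l.google.com.", "alt1.aspmx.l.google.com."];

// Parse "key: value" lines; "mx" may repeat, so collect it as a list.
function parsePolicy(text) {
  const policy = { mx: [] };
  for (const line of text.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i < 0) continue; // skip blank or malformed lines
    const key = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    if (key === "mx") policy.mx.push(value.toLowerCase());
    else policy[key] = value;
  }
  return policy;
}

// RFC 8461: "*." matches exactly one left-most label, nothing deeper.
function mxMatches(pattern, host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop the DNS root dot
  if (!pattern.startsWith("*.")) return pattern === h;
  const dot = h.indexOf(".");
  return dot > 0 && h.slice(dot) === pattern.slice(1);
}

// Return the MX hosts that no policy pattern covers (empty list = policy matches).
function unmatchedMx(policyText, mxHosts) {
  const { mx } = parsePolicy(policyText);
  return mxHosts.filter((host) => !mx.some((p) => mxMatches(p, host)));
}

console.log("stale policy, unmatched MX:", unmatchedMx(STALE_POLICY, MX_HOSTS));
console.log("fixed policy, unmatched MX:", unmatchedMx(FIXED_POLICY, MX_HOSTS));
```

An empty result means every MX host is covered; in `enforce` mode, senders that honor MTA-STS will not deliver to any host left in the list.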


As you suggested, I was able to search and find a helpful YouTube video explaining how to edit the Cloudflare worker code to meet Google’s suggested configuration.

Here is the link to the video for anyone experiencing a similar problem.

Thanks for your response George!


It worked!
