MTA-STS with website hosted via Workers

I have a very simple, static website that I host on cloudflare via Pages. Because of the way Pages works, the DNS record for wwwcom is a CNAME for cloudflare’s pages.dev site.

This redirect is not allowed per the MTA-STS RFC, and so I’m unable to use MTA-STS.

Am I overlooking some other way to make this work? I tried setting up a Worker to dynamically write the mta-sts.txt file every time it’s requested, but that’s still being flagged as a redirect.

Thanks.

What redirect?

1 Like

The MTA checkers I have used (multiple, different ones) all complain when retrieving the mta-sts.txt file. They say redirects are not allowed and reference the RFC for the standard.

This one sounds like you’re mixing things together?

wwwcom? That record would have absolutely nothing to do with MTA-STS.

CNAME records are perfectly fine with MTA-STS.

HTTP 3xx redirects however aren’t allowed for MTA-STS.

  1. Can you list these testers you tried?

  2. What domain?

  3. Where can we eventually see the worker code, that you initially mentioned you had set up?

2 Likes
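As an added illustration of the distinction drawn above (CNAMEs at the DNS layer are fine; HTTP 3xx at the policy URL is what trips the testers), here is a worked example that is not from the thread or from any of the participants: a Cloudflare Worker in the legacy service-worker style that answers `/.well-known/mta-sts.txt` directly with a 200 and `text/plain`, never a redirect, alongside a small checker that reproduces the "no redirects" rule and the field validation an MTA-STS tester applies. The domain `example.com` and the MX hostnames are constructed placeholders; the `mx`-required rule for non-`none` modes is this checker's own rule, not a quotation of the RFC.

```javascript
// Added example, not the original poster's worker or Cloudflare's code.
// Serves an MTA-STS policy from a Worker with no HTTP redirect, and checks a fetch
// result the way RFC 8461 section 3.3 requires (3xx MUST NOT be followed).

// Constructed policy for the placeholder domain example.com.
const POLICY_FIELDS = {
  version: 'STSv1',
  mode: 'enforce',          // use 'testing' while rolling out, 'enforce' once MXes are confirmed
  mx: ['mail.example.com', '*.backup-mx.example.com'],
  max_age: 604800,          // policy lifetime in seconds (one week)
};

// Render the policy body as "key: value" lines (RFC 8461 section 3.2 layout).
function renderPolicy(fields = POLICY_FIELDS) {
  const lines = [
    `version: ${fields.version}`,
    `mode: ${fields.mode}`,
    ...fields.mx.map((host) => `mx: ${host}`),
    `max_age: ${fields.max_age}`,
  ];
  return lines.join('\n') + '\n';
}

// Decide the Worker's answer for a URL. Only the well-known path over HTTPS is served;
// everything else is a plain 404. Nothing here ever returns a 3xx, because a sender
// fetching the policy treats a redirect as a failed fetch rather than following it.
function buildPolicyResponse(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== 'https:') {
    return { status: 404, headers: { 'content-type': 'text/plain' }, body: 'https only\n' };
  }
  if (url.pathname !== '/.well-known/mta-sts.txt') {
    return { status: 404, headers: { 'content-type': 'text/plain' }, body: 'not found\n' };
  }
  return {
    status: 200,
    headers: { 'content-type': 'text/plain', 'cache-control': 'max-age=3600' },
    body: renderPolicy(),
  };
}

// Tester-side check: a 3xx is an error in itself, and a 200 body must parse into the
// required fields. Returns a list of problems; an empty list means the policy is usable.
function checkPolicyFetch(status, body) {
  const errors = [];
  if (status >= 300 && status < 400) {
    errors.push('redirect returned; RFC 8461 forbids following redirects when fetching the policy');
    return errors;
  }
  if (status !== 200) {
    errors.push(`unexpected status ${status}`);
    return errors;
  }
  const fields = {};
  for (const raw of body.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const idx = line.indexOf(':');
    if (idx < 0) { errors.push(`malformed line: ${line}`); continue; }
    const key = line.slice(0, idx).trim();
    const value = line.slice(idx + 1).trim();
    if (!fields[key]) fields[key] = [];
    fields[key].push(value);
  }
  if (!fields.version || fields.version[0] !== 'STSv1') errors.push('version must be STSv1');
  if (!fields.mode || !['enforce', 'testing', 'none'].includes(fields.mode[0])) {
    errors.push('mode must be enforce, testing or none');
  }
  const maxAge = fields.max_age ? Number(fields.max_age[0]) : NaN;
  if (!Number.isInteger(maxAge) || maxAge < 0 || maxAge > 31557600) {
    errors.push('max_age must be an integer between 0 and 31557600');
  }
  // Checker's own rule: a policy that enforces or tests must name at least one MX pattern.
  if (fields.mode && fields.mode[0] !== 'none' && !fields.mx) errors.push('at least one mx line is required');
  return errors;
}

// Worker entry point; guarded so the file also loads outside the Workers runtime.
if (typeof addEventListener === 'function' && typeof Response === 'function') {
  addEventListener('fetch', (event) => {
    const r = buildPolicyResponse(event.request.url);
    event.respondWith(new Response(r.body, { status: r.status, headers: r.headers }));
  });
}

if (typeof module !== 'undefined') module.exports = { renderPolicy, buildPolicyResponse, checkPolicyFetch };
```

The point to notice is that the Worker builds the body itself rather than proxying or redirecting to a Pages-hosted copy, so the hostname `mta-sts.example.com` can be a CNAME at the DNS layer while the HTTP response at the policy URL stays a 200. Running `checkPolicyFetch` against a 301 reproduces the tester complaint from the thread; running it against the Worker's own output yields no errors.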

OK, I was following a tutorial that said Exchange Online didn’t play nice with CNAMES and instead required A records.

Turns out that information is either outdated or entirely incorrect. CNAMES work just fine with both MTA-STS and Exchange Online.

I have it working now. Appreciate the help.

1 Like

That is true for MX records, and is not just limited to Exchange Online. CNAMEs have never been permitted in MX records.

1 Like

Understood, but that’s not what the tutorial was talking about.

https://techobsessed.blog/blog/mtasts-in-exchange-online

" The policy file always needs to be hosted at https://mta-sts.<domain.tld>/.well-known/mta-sts.txt. Note that this is mta-sts.domain needs to be an A/AAAA record in DNS. If you use a CNAME record this will fail MTA-STS validation checks in Exchange Online."

Thanks for sharing the source article.

It is always good to trust, but verify. The appropriate RFC (8461 in this case) will always be the authoritative source.

From section 3.1. MTA-STS TXT Records:

The “_mta-sts” record MAY return a CNAME that points (directly or via other CNAMEs) to a TXT record, in which case senders MUST follow the CNAME pointers. This can be used for policy delegation, as described in Section 8.2.

I recommend against chaining CNAMEs. While technically allowable, it adds unnecessary complexity. RFC 1912 2.4 and RFC 1034 3.6.2 offer more detail on why it is a practice best avoided.

I am pleased to see that you have it working. 🙂

1 Like
