Original Date: January 27, 2021
Updated: February 23, 2021

IANIX is happy to announce the adoption of MTA-STS. Here is the current policy. (Note that RFC 8461 requires Windows-style CRLF newlines. If you look at the file, you'll see them. Don't worry, I don't use Windows!)

Inbound MTA-STS support

MTA-STS was very easy to deploy for inbound support, requiring only the following:

This was very easy to manage, especially compared to DANE, which requires DNSSEC. DNSSEC is a dumpster fire, so don't even joke about deploying it.

Outbound MTA-STS support

Supporting MTA-STS for outbound mail requires considerably more work. Your mail server will periodically need to make an HTTPS connection to mta-sts.example.com and make at least one DNS TXT query, parsing the results. To send reports, you'll need to make a second query, parse the results, and keep a database of daily SMTP session successes and failures, sending that information to remote hosts as compressed JSON.
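The parsing half of that work, as an added example that is not part of the original post or any IANIX code: it validates a TXT record and a policy body that have already been fetched, then checks a candidate MX host against the policy. The function names and the sample record and policy are constructed for illustration, and no network I/O is performed.

```python
# Added example: sample record and policy below are constructed, not IANIX's.
MAX_AGE_LIMIT = 31557600  # largest max_age RFC 8461 allows, in seconds

SAMPLE_TXT = "v=STSv1; id=20210127T000000;"
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\n"
                 "mx: *.mx.example.net\r\nmax_age: 604800\r\n")

def parse_txt_record(txt):
    """Return the policy id from a _mta-sts TXT record, or None if invalid."""
    if not txt.lstrip().startswith("v=STSv1"):  # version must be the first field
        return None
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    pid = fields.get("id", "")
    if fields.get("v") != "STSv1" or not (pid.isascii() and pid.isalnum()):
        return None
    return pid if len(pid) <= 32 else None

def parse_policy(body):
    """Parse the policy file body; raise ValueError on a policy we cannot use."""
    policy = {"mx": []}
    for line in body.splitlines():  # splits on CRLF; this parser also tolerates bare LF
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)  # first occurrence of a field wins
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("unknown mode")
    if not policy.get("max_age", "").isdecimal():
        raise ValueError("max_age missing or not a number")
    policy["max_age"] = min(int(policy["max_age"]), MAX_AGE_LIMIT)  # clamping is a choice made here
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("no mx patterns")
    return policy

def mx_allowed(mx_host, patterns):
    """True if the MX host returned by DNS matches one of the policy's mx patterns."""
    host = mx_host.lower().rstrip(".")
    parent = host.partition(".")[2]  # host minus its left-most label
    for pat in patterns:
        if pat.startswith("*.") and parent and parent == pat[2:]:
            return True  # a wildcard covers exactly one left-most label
        if host == pat:
            return True
    return False
```

A sender would cache the parsed policy under the TXT record's id and refetch the policy file only when that id changes.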

IANIX intends to deploy outbound MTA-STS support in the future.