IANIX adopts MTA-STS
Original Date: January 27, 2021
Updated: February 23, 2021
IANIX is happy to announce the adoption of MTA-STS. Here is the current policy. (Note that RFC 8461 requires Windows-style CRLF newlines. If you look at the file, you'll see them. Don't worry, I don't use Windows!)
Inbound MTA-STS support
MTA-STS was very easy to deploy for inbound support, requiring only the following:
- the policy file linked above
- two simple DNS TXT records
This was very easy to manage, especially compared to DANE, which requires DNSSEC. DNSSEC is a dumpster fire, so don't even joke about deploying it.
Outbound MTA-STS support
Supporting MTA-STS for outbound mail requires considerably more work. Your mail server will periodically need to make an HTTPS connection to mta-sts.example.com and make at least one DNS TXT query, parsing the results. To send reports, you'll need to make a second query, parse the results, and keep a database of daily SMTP session successes and failures, sending that information to remote hosts as compressed JSON.
IANIX intends to deploy outbound MTA-STS support in the future.
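As an added example (not IANIX's code), the policy-handling part of outbound support described above could look like this in Python: it parses the `_mta-sts` TXT record and the policy file, then checks an MX host against the policy's mx patterns as RFC 8461 defines them. The sample record, policy and host names are constructed placeholders; the HTTPS fetch, the DNS lookup and the reporting side are left out.

```python
import re

# Constructed sample data; example.com / example.net are placeholders.
SAMPLE_TXT = "v=STSv1; id=20210127T000000;"
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\n"
                 "mx: *.example.net\r\nmax_age: 604800\r\n")

def parse_sts_txt(record):
    """Return the policy id from a _mta-sts TXT record, or None if invalid."""
    fields = [f.strip() for f in record.split(";") if f.strip()]
    if not fields or fields[0] != "v=STSv1":  # the version field must come first
        return None
    kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    policy_id = kv.get("id", "")
    return policy_id if re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id) else None

def parse_policy(body):
    """Parse a policy file body; raise ValueError if it is not a usable policy."""
    policy = {"mx": []}
    for line in re.split(r"\r?\n", body):  # tolerate CRLF or bare LF
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())  # mx is the only repeatable field
        else:
            policy.setdefault(key, value)  # duplicates after the first are ignored
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    if not re.fullmatch(r"[0-9]{1,10}", policy.get("max_age", "")):
        raise ValueError("invalid or missing max_age")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx patterns")
    return policy

def mx_allowed(mx_host, policy):
    """True if the MX host name matches one of the policy's mx patterns."""
    host = mx_host.rstrip(".").lower()
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            # A wildcard stands for exactly one left-most label.
            if "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False
```

A sender would cache the parsed policy for `max_age` seconds and refetch it when the `id` in the TXT record changes.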