MTA-STS and TLS-RPT implementation with Netlify

I just want to tell you how easy it is to implement MTA-STS and TLS-RPT with Netlify.

Just follow the eminent tutorial written by Jamie Scaife, and adjust it to your specific needs.

I created a new site (mta-sts-mydomain.netlify.com) on Netlify that redirects to the MTA-STS specific subdomain (mta-sts.mydomain.com).

I created a repository (on GitLab) with the following file structure:

/.well-known/mta-sts.txt
404.html (just in case)
index.html (that informs about the path to the configuration file)
netlify.toml (see below)

I use ProtonMail as mail server and ended up with a MTA-STS configuration file (mta-sts.txt) that looks like this:

version: STSv1
mode: enforce
mx: mail.protonmail.ch
mx: mailsec.protonmail.ch
max_age: 604800

I created a netlify.toml file to handle security headers and redirects. It looks like this:

[[headers]]
for = “/*”
[headers.values]
Content-Security-Policy = “base-uri ‘none’; default-src ‘none’; form-action ‘none’; frame-ancestors ‘none’”
Expect-CT = “max-age=86400, enforce”
Feature-Policy = “geolocation ‘none’”
Referrer-Policy = “no-referrer”
Strict-Transport-Security = “max-age=63072000; includeSubDomains; preload”
X-Content-Type-Options = “nosniff”
X-Frame-Options = “deny”
X-XSS-Protection = “1; mode=block”
[[redirects]]
from = “https://mta-sts-mydomain.netlify.com/*
to = “https://mta-sts.mydomain.com/:splat
status = 301
force = true

Remember to add the CNAME record (mta-sts) and the two TXT records (_mta-sts.yourdomain.com) and (_smtp._tls.yourdomain.com) in the DNS settings, also that max_age must be greater than 86400 in order to take effect.

You can test your implementation here.

1 Like

thanks for writing this up and sharing it, @tmoberg! super appreciate it!

Thanks! Just two things:

Something happened with the formatting of the code block. It should be: for = "/*"
Another useful tool: https://starttls-everywhere.org/

@tmoberg, I edited the for = line above to match your most recent post. Does that section look correct now?

@luke, it does. Thanks!