MTA-STS and TLS-RPT implementation with Netlify

I just want to tell you how easy it is to implement MTA-STS and TLS-RPT with Netlify.

Just follow the eminent tutorial written by Jamie Scaife, and adjust it to your specific needs.

I created a new site (mta-sts-mydomain.netlify.com) on Netlify that redirects to the MTA-STS specific subdomain (mta-sts.mydomain.com).

I created a repository (on GitLab) with the following file structure:

/.well-known/mta-sts.txt
404.html (just in case)
index.html (that informs about the path to the configuration file)
netlify.toml (see below)

I use ProtonMail as my mail server and ended up with an MTA-STS configuration file (mta-sts.txt) that looks like this:

version: STSv1
mode: enforce
mx: mail.protonmail.ch
mx: mailsec.protonmail.ch
max_age: 604800

I created a netlify.toml file to handle security headers and redirects. It looks like this:

[[headers]]
  for = "/*"
  [headers.values]
    Content-Security-Policy = "base-uri 'none'; default-src 'none'; form-action 'none'; frame-ancestors 'none'"
    Expect-CT = "max-age=86400, enforce"
    Feature-Policy = "geolocation 'none'"
    Referrer-Policy = "no-referrer"
    Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "deny"
    X-XSS-Protection = "1; mode=block"

[[redirects]]
  from = "https://mta-sts-mydomain.netlify.com/*"
  to = "https://mta-sts.mydomain.com/:splat"
  status = 301
  force = true

Remember to add the CNAME record (mta-sts) and the two TXT records (_mta-sts.yourdomain.com and _smtp._tls.yourdomain.com) in the DNS settings, and note that max_age must be greater than 86400 in order to take effect.

You can test your implementation here.
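As an added example (not part of the post above), here is a small offline Python checker that parses a policy file shaped like the one in the post and sanity-checks the two TXT records the post says you need. The TXT record values, the reporting address and the exact regexes are my own constructed assumptions, not tmoberg's real records.

```python
"""Offline checker for an MTA-STS policy file and its companion DNS TXT records."""
import re

# Constructed copy of the policy from the post (not fetched from anywhere).
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.protonmail.ch
mx: mailsec.protonmail.ch
max_age: 604800
"""

def parse_policy(text):
    """Parse 'key: value' lines into a dict; 'mx' may repeat, so it becomes a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def policy_problems(policy):
    """Return a list of problems; an empty list means the policy is acceptable."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    if not policy["mx"]:
        problems.append("at least one mx entry is required")
    try:
        max_age = int(policy.get("max_age", ""))
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    else:
        if max_age <= 86400:  # the post: max_age must exceed one day to take effect
            problems.append("max_age must be greater than 86400")
    return problems

# Constructed TXT values for the two DNS names the post mentions (assumed formats).
STS_TXT = "v=STSv1; id=20240101T000000"
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@mydomain.com"

def txt_record_ok(name, txt):
    """Check the shape of the _mta-sts (policy id) or _smtp._tls (report address) record."""
    if name.startswith("_mta-sts."):
        return re.fullmatch(r"v=STSv1;\s*id=[A-Za-z0-9]{1,32};?", txt) is not None
    if name.startswith("_smtp._tls."):
        return re.fullmatch(r"v=TLSRPTv1;\s*rua=(mailto|https):\S+", txt) is not None
    return False
```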


Thanks for writing this up and sharing it, @tmoberg! Super appreciate it!

Thanks! Just two things:

Something happened with the formatting of the code block. It should be: for = "/*"
Another useful tool: https://starttls-everywhere.org/

@tmoberg, I edited the for = line above to match your most recent post. Does that section look correct now?

@luke, it does. Thanks!