
I set up an MTA-STS policy and a TLS-RPT entry, and the configuration is processed successfully by Google:

{
  "organization-name": "Google Inc.",
  "date-range": {
    "start-datetime": "2024-11-08T00:00:00Z",
    "end-datetime": "2024-11-08T23:59:59Z"
  },
  "contact-info": "smtp-tls-reporting@google.com",
  "report-id": "2024-11-08T00:00:00Z_eden.one",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-string": [
          "version: STSv1",
          "mode: testing",
          "mx: mail.eden.one",
          "max_age: 86400"
        ],
        "policy-domain": "eden.one",
        "mx-host": [
          "mail.eden.one"
        ]
      },
      "summary": {
        "total-successful-session-count": 1,
        "total-failure-session-count": 0
      }
    }
  ]
}

Microsoft, however, reports a sts-policy-fetch-error:

{
  "organization-name": "Microsoft Corporation",
  "date-range": {
    "start-datetime": "2024-11-07T00:00:00Z",
    "end-datetime": "2024-11-07T23:59:59Z"
  },
  "contact-info": "tlsrpt-noreply@microsoft.com",
  "report-id": "133755676493963779+eden.one",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-domain": "eden.one"
      },
      "summary": {
        "total-successful-session-count": 0,
        "total-failure-session-count": 2
      },
      "failure-details": [
        {
          "result-type": "sts-policy-fetch-error",
          "failed-session-count": 2
        }
      ]
    }
  ]
}

The mta_sts.txt is served correctly at https://mta-sts.eden.one/.well-known/mta-sts.txt (as confirmed by Google's report) – what could cause the issue with Microsoft?

janeden
1 Answer


These error messages are defined in RFC 8460, 4.3.2.2:

MTA-STS-specific Policy Failures

  • sts-policy-fetch-error: This indicates a failure to retrieve an MTA-STS policy, for example, because the policy host is unreachable.
  • sts-policy-invalid: This indicates a validation error for the overall MTA-STS Policy.
  • sts-webpki-invalid: This indicates that the MTA-STS Policy could not be authenticated using PKIX validation.

If you had just set up this policy, it might have been a DNS problem, e.g., Microsoft could have a negative cache for the NXDOMAIN response. The negative cache typically lasts for the MINIMUM (RFC 1035, 3.3.13) or TTL (time-to-live) field in the SOA record for the parent domain. Here, the TTL is set for 300 seconds and the temporary problem should already have been solved.

If the issue persists, you could check your web server logs for https://mta-sts.eden.one/ to see whether Microsoft's requests have been blocked by some configuration.

As a side note, the TTLs for both _mta-sts.eden.one & mta-sts.eden.one are set rather low, to 60 seconds. As the caches are cleared after a minute, any availability problem with DNS will cause failures for your MTA-STS policy:

  • Short TTL for _mta-sts.eden.one. TXT may drop the entire MTA-STS policy altogether.
  • Short TTL for mta-sts.eden.one. A may cause fetching failures (the sts-policy-fetch-error).
Esa Jokinen
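As an added example (not code from the question or the answer), a small Python helper that pulls the MTA-STS failure types out of a TLS-RPT report and checks the policy lines Google echoed back against the RFC 8461 field rules. The report excerpt is the Microsoft one from the question, trimmed to the fields the script reads; treating "mx" as optional only in mode "none" is this script's assumption.

```python
import json

# Constructed sample: the Microsoft report from the question, trimmed to the
# fields this script reads (values unchanged).
MS_REPORT = json.loads("""{
  "organization-name": "Microsoft Corporation",
  "policies": [{
    "policy": {"policy-type": "sts", "policy-domain": "eden.one"},
    "summary": {"total-successful-session-count": 0,
                "total-failure-session-count": 2},
    "failure-details": [{"result-type": "sts-policy-fetch-error",
                         "failed-session-count": 2}]
  }]
}""")


def summarize_sts_failures(report):
    """Map (policy-domain, result-type) -> failed sessions, for sts policies only."""
    totals = {}
    for entry in report.get("policies", []):
        policy = entry.get("policy", {})
        if policy.get("policy-type") != "sts":
            continue  # tlsa / no-policy-found entries are not MTA-STS failures
        for failure in entry.get("failure-details", []):
            key = (policy.get("policy-domain"), failure["result-type"])
            totals[key] = totals.get(key, 0) + failure.get("failed-session-count", 0)
    return totals


def check_policy(lines):
    """Return a list of problems with RFC 8461 policy lines ([] means it parses)."""
    fields, mx, problems = {}, [], []
    for line in lines:
        key, sep, value = line.partition(":")
        if not sep:
            problems.append(f"malformed line: {line!r}")
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value)  # mx may repeat; every other field appears once
        elif key in fields:
            problems.append(f"duplicate field: {key}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    if not mx and fields.get("mode") != "none":
        problems.append("at least one mx line is required")  # assumption: optional only in mode none
    if not fields.get("max_age", "").isdigit():
        problems.append("max_age must be a non-negative integer (seconds)")
    return problems
```

Feed it the reports your TLS-RPT mailbox receives and alert when sts-policy-fetch-error or sts-webpki-invalid appears for your domain; a persistent count points at the HTTPS policy host rather than at SMTP.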