DNS Record Explainer

Paste any DNS record and get a plain-English breakdown — every tag explained, risky settings flagged, related tools suggested. No domain needed.

paste_record
// detects SPF / DKIM / DMARC / BIMI / CAA / MX / MTA-STS / TLS-RPT / generic TXT. Paste the record value — no quotes needed.
[ OK ] Detected: MTA-STS
input
v=STSv1; id=20260417T000000;
[ explanation · ai ]
[ breakdown ]

v=STSv1 — protocol version. STSv1 is the current standard for MTA-STS (Mail Transfer Agent Strict Transport Security). Tells receiving mailservers which MTA-STS spec to use when parsing this policy.

id=20260417T000000 — policy identifier, typically a timestamp in YYYYMMDDTHHmmss format. Used to signal policy updates. When you change your MTA-STS rules, increment this ID so servers know to fetch the new policy instead of using cached versions. The value here (20260417T000000) is dated four years in the future, which is unusual but valid.
[ flags ]

Record is incomplete for production. MTA-STS policies require a `mode` field (enforce, testing, or none) and should include `mx` entries listing authorized MX hostnames. This snippet defines only version and ID.

The `id` timestamp is dated 2026, which is likely a typo. It should reflect when the policy was created or last updated. Old ID values don't break anything, but future dates can confuse policy refresh logic on some servers. Use the current date.

No `max_age` field. Best practice is to include it (e.g., `max_age: 604800` for one week) to control cache duration. Without it, defaults vary by implementation.

Missing `mx` directive. Without it, this policy doesn't actually restrict which MX servers are allowed. Example: `mx: mail.example.com` or `mx: *.example.com`.
[ context ]

MTA-STS is served from `.well-known/mta-sts.txt` on your mail domain, not as a DNS record itself. This text snippet is the policy file content. It's paired with an MTA-STS TXT DNS record (same domain) that points to this policy and includes its ID so other mailservers know when to re-fetch it.

Servers use this to enforce TLS encryption and verify certificate hostnames when delivering mail to your domain. Without `mode: enforce`, it's advisory only (testing mode).
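
An added example (not this tool's own code or output): a small checker for the two artifacts described above, the `_mta-sts` TXT record value and the policy file body, following the RFC 8461 syntax. The function names and the sample policy are constructed for illustration.

```python
import re

def check_txt(record):
    """Return problems in a _mta-sts TXT value such as 'v=STSv1; id=...;'."""
    tags = dict(p.strip().split("=", 1)
                for p in record.strip('" ').split(";") if "=" in p)
    problems = []
    if tags.get("v") != "STSv1":
        problems.append("v")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", tags.get("id", "")):
        problems.append("id")  # id must be 1-32 letters or digits
    return problems

def check_policy(text):
    """Return missing or invalid fields in the mta-sts.txt policy body."""
    fields, mx = {}, []
    for line in text.splitlines():
        if ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "mx":
                mx.append(value)  # mx may repeat, one hostname pattern per line
            else:
                fields.setdefault(key, value)
    problems = []
    if fields.get("version") != "STSv1":
        problems.append("version")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode")
    age = fields.get("max_age", "")
    # max_age is in seconds; RFC 8461 caps it at 31557600 (about one year)
    if not re.fullmatch(r"[0-9]{1,10}", age) or int(age) > 31557600:
        problems.append("max_age")
    if fields.get("mode") != "none" and not mx:
        problems.append("mx")
    return problems

def mx_allowed(host, patterns):
    """Match an MX hostname against policy mx patterns; '*.' covers one label."""
    host = host.lower().rstrip(".")
    for pat in (p.lower() for p in patterns):
        if pat.startswith("*."):
            if "." in host and host.split(".", 1)[1] == pat[2:]:
                return True
        elif host == pat:
            return True
    return False

# Constructed sample policy body (not taken from a real domain).
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
                 "mx: *.example.com\nmax_age: 604800\n")
```

Each checker returns a list of the fields that failed, so an empty list means the record or policy passed these checks.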
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers — no analytics/telemetry on paste content.