A Serverless Approach to MTA-STS Policy File Hosting
MTA-STS (Mail Transfer Agent Strict Transport Security) is an inbound email protocol designed to add a layer of encryption and security between sending and receiving mail servers.
A critical component of implementing MTA-STS is hosting a plain-text policy file over HTTPS. We have seen an uptick in questions relating to the best approach to achieve this.
While simple in theory, most organizations don’t want the burden of maintaining an entire website just to serve this one file. Nor do they wish to delegate DNS management or hosted solutions to a DMARC vendor, effectively making their encrypted mail flow dependent on that vendor’s infrastructure.
The answer to this problem is likely already in your tech stack. Many Cloud and DNS providers offer serverless functions that allow you to host the MTA-STS policy file over HTTPS, eliminating the need to patch or maintain a full web server.
This method is not only low-maintenance but, in many cases, incurs little to no additional cost.

What does “serverless” actually mean?
First, it is important to clarify that there is still a physical server in a data center. The difference between running your own server in the cloud and “serverless” is that the only thing you are responsible for is your code.
The cloud provider is responsible for the hardware, operating system, runtime environment, software updates, and for redundancy and availability.
You pay for this service based on the number of requests and compute time used. Fortunately, most providers have incredibly generous free tiers (often millions of requests per month) that easily cover an MTA-STS policy.
Your function sits idle, online and waiting. When a request comes in, it wakes up, processes the request, and instantly delivers your MTA-STS Policy file.
In a serverless environment, you are responsible for your code (i.e., your MTA-STS logic). Cloud providers are responsible for the following:
- Hardware
- Operating system
- Availability and redundancy
- Software updates
- Runtime environment (e.g., Python, Go, JavaScript)
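To make the "wakes up and delivers the policy file" step concrete, here is an added example (not dmarcian's code or any provider's SDK) of the logic such a function would run: a framework-agnostic handler that serves the policy only at the well-known path, with the text/plain media type and the fields RFC 8461 defines. The handle() signature, the example MX hosts and the Cache-Control value are assumptions; wire handle() to your provider's HTTP trigger.

```python
# Added example: framework-agnostic MTA-STS policy handler for a serverless
# HTTP function. The handle() signature and the sample MX hosts are assumptions;
# the path, media type and policy fields follow RFC 8461.
from typing import Dict, List, Tuple

POLICY_PATH = "/.well-known/mta-sts.txt"   # fixed location senders fetch
VALID_MODES = ("enforce", "testing", "none")
MAX_AGE_LIMIT = 31557600                    # largest max_age RFC 8461 allows

# Constructed sample values; replace with your own MX hosts when deploying.
MX_HOSTS: List[str] = ["mx1.example.com", "mx2.example.com"]


def build_policy(mode: str, mx_hosts: List[str], max_age: int) -> str:
    """Render the policy body, refusing values a sender would reject."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be between 0 and {MAX_AGE_LIMIT}")
    if not mx_hosts:  # this example always requires at least one mx pattern
        raise ValueError("at least one mx entry is required")
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {host}" for host in mx_hosts]
    lines.append(f"max_age: {max_age}")
    return "\r\n".join(lines) + "\r\n"  # CRLF terminators, one field per line


def handle(method: str, path: str) -> Tuple[int, Dict[str, str], str]:
    """Serverless-style entry point: (status, headers, body) for one request.

    Only the well-known path is served; anything else is a 404 so the
    function does not become a general-purpose file server. A short HTTP
    cache lifetime means an updated policy is visible promptly when senders
    re-fetch it.
    """
    if method not in ("GET", "HEAD"):
        return 405, {"Allow": "GET, HEAD"}, ""
    if path != POLICY_PATH:
        return 404, {"Content-Type": "text/plain"}, "not found\r\n"
    body = build_policy("enforce", MX_HOSTS, 86400)
    headers = {
        "Content-Type": "text/plain",      # media type required for the policy
        "Cache-Control": "max-age=3600",   # assumed value, tune to taste
    }
    return 200, headers, ("" if method == "HEAD" else body)
```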
Where to get started?
Our DMARC Management Platform comes with TLS Reporting across all plans, as well as tools to check if your MTA-STS policy file and relevant DNS records are set up correctly.
Below you will find a series of guides covering popular cloud and DNS providers.
dmarcian can help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage email security for the long haul. You can register for a free trial, where our onboarding and support team will help you along the way.
Want to continue the conversation? Head over to the dmarcian Forum.