I have a new domain ausset.au.
I've set up all recommended email security features, like SPF, DKIM, DMARC, and MTA-STS.
When I check the setup with MxToolbox everything seems to be fine, including MTA-STS.
But when I use the Check MX email setup checker from the Google Admin Toolbox I always get the following error message:
> If your domain wants to use MTA-STS (optional), the MTA-STS TXT record must comply with RFC8461.
> MTA STS is malformed.
Here are all relevant DNS records:
**A Records**

| Type | Name | IPv4 address | TTL |
|---|---|---|---|
| A | mta-sts.ausset.au. | 104.21.85.225 | 300 |
| A | mta-sts.ausset.au. | 172.67.211.221 | 300 |
**MX Records**

| Type | Name | Prio | Mail Server | TTL |
|---|---|---|---|---|
| MX | ausset.au. | 1 | aspmx.l.google.com. | 3600 |
| MX | ausset.au. | 5 | alt1.aspmx.l.google.com. | 3600 |
| MX | ausset.au. | 5 | alt2.aspmx.l.google.com. | 3600 |
| MX | ausset.au. | 10 | alt3.aspmx.l.google.com. | 3600 |
| MX | ausset.au. | 10 | alt4.aspmx.l.google.com. | 3600 |
**TXT Records**

| Type | Name | Content | TTL |
|---|---|---|---|
| TXT | ausset.au. | "v=spf1 include:_spf.google.com -all" | 3600 |
| TXT | ausset.au. | "google-site-verification=xqVfNs...a4oIFds" [shortened for readability] | 3600 |
| TXT | _dmarc.ausset.au. | "v=DMARC1; p=reject; rua=mailto:[email protected]" | 1 |
| TXT | google._domainkey.ausset.au. | "v=DKIM1; k=rsa; p=MIIBIj...IDAQAB" [shortened for readability] | 1 |
| TXT | _mta-sts.ausset.au. | "v=STSv1; id=20230805184000" | 1 |
| TXT | _smtp._tls.ausset.au. | "v=TLSRPTv1; rua=mailto:[email protected],https://mta-sts.ausset.au/.well-known/mta-sts.txt" | 1 |
And that's the content of my MTA-STS policy file hosted under https://mta-sts.ausset.au/.well-known/mta-sts.txt:

```
version: STSv1
mode: testing
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
max_age: 604800
```
What am I doing wrong?
**Edit:**

Now, after adding another A record for the website, the Google Admin Toolbox Check MX fails completely, with "Check was not possible".
But I have to say, I'm using Cloudflare and have a Cloudflare worker to host the MTA-STS policy and the website.
To be able to route traffic to a Cloudflare worker, you need to have a bogus A record with the target in the 192.0.2.0/24 range, e.g. 192.0.2.1.
So, my two real A records in the Cloudflare backend are:
| Type | Name | IPv4 address | TTL |
|---|---|---|---|
| A | ausset.au. | 192.0.2.1 | 1 |
| A | mta-sts.ausset.au. | 192.0.2.1 | 1 |
However, I tested it without a Cloudflare worker and hosted the MTA-STS policy on a web server with a real IP address, but got the exact same error message as mentioned above (MTA STS is malformed). So I'm confident that it's not the Cloudflare worker setup.
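As an added example (not part of the original question or answer), the following Python checks the policy file and the `_mta-sts` TXT record from the question against the RFC 8461 syntax rules, and confirms that every host in the domain's MX records is matched by one of the policy's `mx` patterns (a `*.` wildcard matches exactly one leftmost label). The record contents are constructed copies of what the question shows, not live DNS lookups.

```python
import re
# Constructed copies of the records shown in the question (sample data, not live DNS).
STS_TXT = "v=STSv1; id=20230805184000"
POLICY = "version: STSv1\nmode: testing\nmx: aspmx.l.google.com\nmx: *.aspmx.l.google.com\nmax_age: 604800\n"
MX_HOSTS = ["aspmx.l.google.com", "alt1.aspmx.l.google.com", "alt2.aspmx.l.google.com",
            "alt3.aspmx.l.google.com", "alt4.aspmx.l.google.com"]

def check_sts_txt(txt):
    # Problems with the _mta-sts TXT record (RFC 8461 section 3.1); [] means clean.
    problems = []
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    pairs = dict(f.split("=", 1) for f in fields if "=" in f)
    if not fields or fields[0] != "v=STSv1":
        problems.append("first field must be v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", pairs.get("id", "")):
        problems.append("id must be 1-32 alphanumeric characters")
    return problems

def mx_match(pattern, host):
    # RFC 8461 section 4.1: a leading "*." matches exactly one leftmost label.
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return host == pattern

def check_policy(text, mx_hosts):
    # Problems with the policy file (RFC 8461 section 3.2) plus MX coverage; [] means clean.
    problems, mx_patterns, kv = [], [], {}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            problems.append(f"malformed line: {line!r}")
        elif key == "mx":
            mx_patterns.append(value.lower())
        else:
            kv[key] = value
    if kv.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if kv.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    age = kv.get("max_age", "")
    if not age.isdigit() or int(age) > 31557600:
        problems.append("max_age must be an integer of at most 31557600 seconds")
    if kv.get("mode") != "none" and not mx_patterns:
        problems.append("at least one mx line is required")
    for host in mx_hosts:  # every host the domain publishes in MX must be matched
        if not any(mx_match(p, host.lower()) for p in mx_patterns):
            problems.append(f"MX host {host} is not covered by any mx pattern")
    return problems
```

Running `check_sts_txt(STS_TXT)` and `check_policy(POLICY, MX_HOSTS)` on the question's records returns an empty list for both, which is consistent with the question's records being syntactically valid as far as RFC 8461 is concerned.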
I was able to get this figured out in my case. Google wanted a TLS reporting record. Once I got that added, the error went away.

Example:

```
_smtp._tls.yourdomain.com. 14400 TXT "v=TLSRPTv1;rua=mailto:[email protected];"
```