{"id":10609171,"url":"https://github.com/jpawlowski/mta-sts.template","last_synced_at":"2026-02-16T06:02:30.051Z","repository":{"id":147003612,"uuid":"435181729","full_name":"jpawlowski/mta-sts.template","owner":"jpawlowski","description":"📩 Template to host an MTA Strict Transport Security (MTA-STS) policy on GitHub Pages.","archived":false,"fork":false,"pushed_at":"2024-03-02T09:30:14.000Z","size":37,"stargazers_count":70,"open_issues_count":0,"forks_count":9,"subscribers_count":8,"default_branch":"gh-pages","last_synced_at":"2025-04-02T17:53:46.533Z","etag":null,"topics":["dmarc","github-pages-template","mta-sts","rfc-8460","rfc-8461","smtp-tls","starttls","tlsrpt"],"latest_commit_sha":null,"homepage":"https://jpawlowski.github.io/mta-sts.template/","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jpawlowski.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-12-05T13:57:52.000Z","updated_at":"2025-03-14T03:11:53.000Z","dependencies_parsed_at":"2024-01-14T15:02:14.168Z","dependency_job_id":"20cffba4-369b-47b1-b083-d574676df8d2","html_url":"https://github.com/jpawlowski/mta-sts.template","commit_stats":null,"previous_names":[],"tags_count":0,"template":true,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jpawlowski%2Fmta-sts.template","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jpawlowski%2Fmta-sts.template/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jpawlowski%2Fmta-sts.template/releases","manifests_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jpawlowski%2Fmta-sts.template/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jpawlowski","download_url":"https://codeload.github.com/jpawlowski/mta-sts.template/tar.gz/refs/heads/gh-pages","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247289399,"owners_count":20914464,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dmarc","github-pages-template","mta-sts","rfc-8460","rfc-8461","smtp-tls","starttls","tlsrpt"],"created_at":"2024-06-02T09:10:45.202Z","updated_at":"2025-10-06T22:20:44.965Z","avatar_url":"https://github.com/jpawlowski.png","language":"HTML","funding_links":[],"categories":["HTML"],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\n  \u003cbr\u003e\n  📩 A Template to host an MTA-STS Policy file on GitHub\n  \u003cbr\u003e\n\u003c/h1\u003e\n\n\u003ch4 align=\"center\"\u003eUse this template to host your \u003ci\u003eMTA Strict Transport Security (MTA-STS)\u003c/i\u003e \u003ca href=\"https://datatracker.ietf.org/doc/html/rfc8461\"\u003e[RFC 8461]\u003c/a\u003e policy file on GitHub Pages.\u003c/h4\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#how-to-use\"\u003eHow To Use\u003c/a\u003e •\n  \u003ca href=\"#license\"\u003eLicense\u003c/a\u003e •\n  \u003ca href=\"#author\"\u003eAuthor\u003c/a\u003e\n\u003c/p\u003e\n\nMTA-STS is a security standard to secure e-mail delivery. 
E-mail servers that send inbound e-mail to your domain will be able to detect that your e-mail server supports SMTP-over-TLS via `STARTTLS` (also known as [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS)) before opening the actual connection.\n\nIn case the sending e-mail server is not able to initiate a secure connection, it will end the connection to enforce transport layer encryption. This mitigates [Man-in-the-middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) DNS and SMTP [downgrade attacks](https://en.wikipedia.org/wiki/Downgrade_attack) that would allow an attacker to read or manipulate e-mail in transit.\n\n## How To Use\n\n1. Make sure you are [signed in to GitHub](https://github.com/login). Then click on [**Use this template**](https://github.com/jpawlowski/mta-sts.template/generate) to create a copy to your own GitHub profile (see [GitHub Docs](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-repository-from-a-template)). Don't _clone_ the repository.\n   You may name your repository whatever you like. For simplicity, you can name it `mta-sts.\u003cyour_domain.tld\u003e`.\n\n2. Change the file `.well-known/mta-sts.txt` according to your needs.\n\n3. Create a `CNAME` record for `mta-sts.\u003cyour_domain.tld\u003e` in your domain's DNS that points to `\u003cyour_username\u003e.github.io` or `\u003cyour_organization\u003e.github.io` and [enable GitHub Pages](https://docs.github.com/articles/using-a-custom-domain-with-github-pages/).\n\n4. Open a browser to `https://mta-sts.\u003cyour_domain.tld\u003e` and make sure it does not show any certificate warnings.\n\n5. 
Create a `TXT` record for `_mta-sts.\u003cyour_domain.tld\u003e` in your domain's DNS to enable the MTA-STS policy for your domain.\n\n   You may copy \u0026 paste this to your DNS provider:\n\n   ```dns\n   #HOST       #TTL    #TYPE    #VALUE\n   _mta-sts    3600    TXT      \"v=STSv1; id=20220317000000Z\"\n   ```\n\n   **Note that you will need to change the `id=` here whenever you make changes to your `mta-sts.txt` policy file.**\n\n6. Validate your setup, for example by using the [MTA-STS Lookup by MXToolBox](https://mxtoolbox.com/mta-sts.aspx), or looking into your [Hardenize Public Report](https://www.hardenize.com/).\n\n_Optional (but **highly recommended**):_\n\n7. Create another `TXT` record for `_smtp._tls.\u003cyour_domain.tld\u003e` in your domain's DNS to enable reporting (see [RFC 8460](https://datatracker.ietf.org/doc/html/rfc8460)).\n   You may copy \u0026 paste this to your DNS provider:\n\n   ```dns\n   #HOST         #TTL    #TYPE    #VALUE\n   _smtp._tls    3600    TXT      \"v=TLSRPTv1; rua=mailto:tls-rua@mailcheck.\u003cyour_domain.tld\u003e\"\n   ```\n\n   Note that the e-mail recipient mailbox shall be on a different domain _without_ MTA-STS being configured. This could be a subdomain like `mailcheck.\u003cyour_domain.tld\u003e`.\n   It is also quite painful to manually deal with the reports other e-mail providers will send to you. 
For that particular reason, you may want to consider sending these e-mails to a 3rd-party tool like [Report URI](https://report-uri.com/), [URIports](https://www.uriports.com/), or one from another commercial provider.\n\n   You probably want this to be the same tool you might use for DMARC reports, like [DMARC Analyzer](https://www.dmarcanalyzer.com/) or [Dmarcian](https://dmarcian.com/).\n\n## License\n\n[MIT License](https://github.com/jpawlowski/mta-sts.template/blob/gh-pages/LICENSE)\n\n## Author\n\n[julian.pawlowski.me](https://julian.pawlowski.me/) \u0026nbsp;\u0026middot;\u0026nbsp;\nGitHub [@jpawlowski](https://github.com/jpawlowski/mta-sts.template) \u0026nbsp;\u0026middot;\u0026nbsp;\nMastodon [@Loredo@chaos.social](https://chaos.social/@Loredo)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpawlowski%2Fmta-sts.template","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjpawlowski%2Fmta-sts.template","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpawlowski%2Fmta-sts.template/lists"}