PowerShell-Mail Transfer Agent-Strict Transport Security | Enhancing mail flow by deploying and testing MTA-STS for Exchange Online using this PowerShell module.
This module is for you, if you ...
- ... want to improve the security of your mail flow
- ... use Exchange Online for mail flow
- ... have lots of domains and want to deploy MTA-STS for all of them
- ... have an Azure subscription and want to deploy MTA-STS using Azure Static Web Apps or Azure Functions
- ... want to test your MTA-STS configuration using PowerShell
MTA-STS is a new internet standard that improves email security and delivery for your organization. MTA-STS leverages the well-known security standard HTTPS, which is used to secure connections to websites, to enable organizations to assert policies and requirements for their email services. MTA-STS also enables organizations to request that remote email servers deliver email messages over a secure connection and to report back on any failures encountered. This helps to ensure that email messages are delivered in a secure and reliable manner.
MTA-STS is defined in RFC 8461.
MTA-STS consists of two parts:
- MTA-STS TXT DNS Record
- MTA-STS Policy
This DNS record indicates that the domain supports MTA-STS. The id can be any string; it is usually just a timestamp of the last policy change, and it should change whenever the policy changes so that sending MTAs fetch the new version.
_mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;"
The MTA-STS policy is a text file served over HTTPS from the ".well-known/" directory of the mta-sts subdomain: https://mta-sts.example.com/.well-known/mta-sts.txt
For Exchange Online the mta-sts.txt looks like this:
version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800
TLSRPT (SMTP TLS Reporting) is defined in RFC 8460.
This DNS record allows the sending MTA to send reports (similar to DMARC) to a defined email address or an HTTPS endpoint. While Microsoft does not offer a service to aggregate these reports, there are plenty of TLSRPT data providers that can do this job.
_smtp._tls.example.com. IN TXT "v=TLSRPTv1;rua=mailto:[email protected]"
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=https://reporting.example.com/v1/tlsrpt"
This module supports you at deploying and testing MTA-STS for Exchange Online. It will help you to create the required DNS records and to configure the MTA-STS policy for your domain. It will also help you to test the MTA-STS policy and to troubleshoot any issues you might encounter.
You can install this module from the PowerShell Gallery.
#Install Module using PowerShellGet
Install-Module -Name PS.MTA-STS
#Install Module using Microsoft.PowerShell.PSResourceGet
Install-PSResource -Name PS.MTA-STS
You have two options to deploy MTA-STS for your domain(s) using Azure:
- Deploy MTA-STS using Azure Static Web Apps
- Deploy MTA-STS using Azure Functions
One major difference is that Azure Static Web Apps allow you to add 5 custom domains per app, while Azure Functions allow you to add 500 custom domains per app. So if you want to deploy MTA-STS for more than 5 domains, you must deploy an Azure Function App or, alternatively, multiple Azure Static Web Apps.
If you want to deploy an Azure Static Web App to host your MTA-STS policy, check out the original deployment guide.
If you want to deploy an Azure Function App to host your MTA-STS policy using this repository, check out the PS.MTA-STS deployment guide.
No matter which option you choose, you will end up with an Azure resource that hosts your MTA-STS policy. In both cases, you will be able to use
- the 'Export-PSMTASTSDomainsFromExo' function to get a CSV file containing your accepted domains with MX record validation
- the 'Test-MTASTSConfiguration' function to test your MTA-STS configuration for all provided domains
For more information about the functions, import the module and use 'Get-Help' on each of them:
Import-Module -Name PS.MTA-STS
Get-Help -Name Export-PSMTASTSDomainsFromExo -Full
Get-Help -Name Test-MTASTSConfiguration -Full
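As an added example (not code from the PS.MTA-STS module and not its Test-MTASTSConfiguration function), the following function performs the checks a sending MTA applies to the TXT record and policy described above: it resolves the _mta-sts TXT record, fetches the policy over HTTPS, validates its fields, and matches the domain's MX hosts against the policy's mx patterns. The function name is this example's own, and it assumes Resolve-DnsName (DnsClient module) is available.

```powershell
# Added example, not part of the PS.MTA-STS module: the function name and the
# checks below are this example's own. Resolve-DnsName needs the DnsClient
# module (Windows PowerShell or PowerShell 7 on Windows).
function Test-MtaStsPolicyForDomain {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Domain)
    $r = [ordered]@{ Domain = $Domain; TxtRecord = $null; Policy = $null; MxOk = $false; Errors = @() }
    # 1. A _mta-sts TXT record starting with "v=STSv1" must exist
    try {
        $txt = Resolve-DnsName -Name "_mta-sts.$Domain" -Type TXT -ErrorAction Stop |
            Where-Object { ($_.Strings -join '') -match '^v=STSv1;' } | Select-Object -First 1
        if (-not $txt) { throw 'no v=STSv1 TXT record found' }
        $r.TxtRecord = $txt.Strings -join ''
    } catch { $r.Errors += "TXT: $($_.Exception.Message)" }
    # 2. The policy is fetched over HTTPS only; a TLS or HTTP error is a failure, never a fallback
    try {
        $uri  = "https://mta-sts.$Domain/.well-known/mta-sts.txt"
        $body = (Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop).Content
        $policy = @{ mx = @() }                      # "mx:" may appear several times
        foreach ($line in $body -split "`r?`n") {
            if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
                if ($Matches[1] -eq 'mx') { $policy.mx += $Matches[2] } else { $policy[$Matches[1]] = $Matches[2] }
            }
        }
        foreach ($k in 'version', 'mode', 'max_age') { if (-not $policy[$k]) { $r.Errors += "policy: missing '$k'" } }
        if ($policy.mode -and $policy.mode -notin 'enforce', 'testing', 'none') { $r.Errors += "policy: unknown mode '$($policy.mode)'" }
        $r.Policy = $policy
    } catch { $r.Errors += "policy: $($_.Exception.Message)" }
    # 3. Every MX host must match an "mx:" pattern; a leading "*." matches exactly one label (RFC 8461),
    #    so contoso-com.mail.protection.outlook.com matches *.mail.protection.outlook.com
    if ($r.Policy) {
        $mxHosts = @((Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue).NameExchange | Where-Object { $_ })
        $unmatched = foreach ($h in $mxHosts) {
            $h = $h.TrimEnd('.').ToLowerInvariant()
            $hit = $r.Policy.mx | Where-Object {
                $p = $_.ToLowerInvariant()
                if ($p.StartsWith('*.')) { $h.EndsWith($p.Substring(1)) -and ($h.Substring(0, $h.Length - $p.Length + 1) -notmatch '\.') }
                else { $h -eq $p }
            }
            if (-not $hit) { $h }
        }
        if ($unmatched) { $r.Errors += "MX not covered by policy: $($unmatched -join ', ')" }
        else { $r.MxOk = ($mxHosts.Count -gt 0) }
    }
    [pscustomobject]$r
}
```

Run it as `Test-MtaStsPolicyForDomain -Domain 'example.com' | Format-List`; an empty Errors list together with MxOk = True means a sending MTA in enforce mode would accept the domain's current MX setup.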