Publish a DNS TXT record at _mta-sts.yourdomain.com with the content v=STSv1; id=YYYYMMDDTHHMMSS (use a timestamp string as the id); a TTL of 3600 is recommended.
Create an MTA-STS policy file in plaintext and serve it over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt; the policy file must be accessible without redirects.
Set the policy file content: version: STSv1 on the first line, mode: on the second (testing for observation, enforce to require TLS), max_age: set in seconds (for example 86400 for one day during testing or 604800 for production), and one or more mx: lines listing your accepted MX hostnames.
Start with mode: testing so sending servers log TLS failures without rejecting mail, then switch to mode: enforce once you confirm all inbound paths successfully negotiate TLS.
Update the id= value in the DNS TXT record every time you change the policy file; sending servers cache the policy for max_age seconds and re-fetch only when they see a new id value.
Pair MTA-STS with a TLS-RPT record (see separate route) to receive reports about TLS negotiation failures from sending servers.
Known gotchas
The HTTPS certificate for mta-sts.yourdomain.com must be valid and trusted by sending servers; a self-signed or expired certificate will cause them to reject the policy fetch and fall back to opportunistic TLS.
MX hostnames listed in mx: must match the certificates presented by your mail servers exactly (including wildcard matching rules); a mismatch at enforce mode causes sending servers to reject delivery.
Changing max_age to a very high value locks cached policies in sending servers for that duration; if you later need to change MX hosts, the old max_age value determines how long some senders keep using the old policy.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp