MTA-STS and TLS-RPT implementation with Netlify

I just want to tell you how easy it is to implement MTA-STS and TLS-RPT with Netlify.

Just follow the eminent tutorial written by Jamie Scaife, and adjust it to your specific needs.

I created a new site ( on Netlify that redirects to the MTA-STS specific subdomain (

I created a repository (on GitLab) with the following file structure:

404.html (just in case)
index.html (that informs about the path to the configuration file)
netlify.toml (see below)

I use ProtonMail as mail server and ended up with an MTA-STS configuration file (mta-sts.txt) that looks like this:

version: STSv1
mode: enforce
max_age: 604800

I created a netlify.toml file to handle security headers and redirects. It looks like this:

# Security headers applied to every path on the site
[[headers]]
  for = "/*"
  [headers.values]
    Content-Security-Policy = "base-uri 'none'; default-src 'none'; form-action 'none'; frame-ancestors 'none'"
    Expect-CT = "max-age=86400, enforce"
    Feature-Policy = "geolocation 'none'"
    Referrer-Policy = "no-referrer"
    Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "deny"
    X-XSS-Protection = "1; mode=block"

# Forced permanent redirect to the MTA-STS subdomain
[[redirects]]
  from = "*
  to = "
  status = 301
  force = true

Remember to add the CNAME record (mta-sts) and the two TXT records ( and ( in the DNS settings, and note that max_age must be greater than 86400 in order to take effect.

You can test your implementation here.

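A policy file like the one in the post above can be checked before it is published. The following is an added example, not part of the original post or of Netlify's tooling: a small Python validator following RFC 8461's rules for version, mode, the max_age limit and mx lines, run against the three lines as they appear in the post and against a constructed variant whose mx hosts are placeholders.

```python
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds
MX_RE = re.compile(r"(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+")

AS_POSTED = "version: STSv1\nmode: enforce\nmax_age: 604800\n"
# Constructed sample: mail.example.com and *.example.net are placeholders.
WITH_MX = AS_POSTED + "mx: mail.example.com\nmx: *.example.net\n"

def parse_policy(text):
    """Split a policy body into (single-valued fields, list of mx patterns)."""
    fields, mx = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'key: value' line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())        # mx is the only repeatable key
        else:
            fields.setdefault(key, value)   # duplicates after the first are ignored
    return fields, mx

def check_policy(text):
    """Return a list of problems; an empty list means the policy is usable."""
    try:
        fields, mx = parse_policy(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if fields.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    age = fields.get("max_age", "")
    if not re.fullmatch(r"[0-9]+", age) or int(age) > MAX_AGE_LIMIT:
        problems.append("max_age must be an integer from 0 to 31557600")
    if mode in ("enforce", "testing") and not mx:
        problems.append(f"mode {mode} needs at least one mx line")
    problems += [f"bad mx pattern: {p}" for p in mx if not MX_RE.fullmatch(p)]
    return problems

def mx_allowed(host, patterns):
    """True if host matches a pattern; '*.' stands for exactly one left-most label."""
    host = host.lower().rstrip(".")
    parent = host.partition(".")[2]         # host without its left-most label
    return any(p == host or (parent and p.startswith("*.") and p[2:] == parent)
               for p in patterns)
```

Running `check_policy` on the fetched body of the published mta-sts.txt before switching to `mode: enforce` catches a policy that sending servers would be unable to apply.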

thanks for writing this up and sharing it, @tmoberg! super appreciate it!

Thanks! Just two things:

Something happened with the formatting of the code block. It should be: for = "/*"
Another useful tool:

@tmoberg, I edited the for = line above to match your most recent post. Does that section look correct now?

@luke, it does. Thanks!