MTA-STS failure

Question

MTA-STS failure

MP-9510 20

When emails are sent to my email address on my self-hosted email server, from Microsoft (Office 365 or Exchange), the MTA-STS policy of my self-hosted mailserver is not applied due to the error listed below.

I have tested my MTA-STS policy using several DMARC-providers, eg 'Mailhardener' etc., and they all find the MTA-STS policy url is reachable and the policy is valid.

This problem does not occur with incoming email from other email providers, eg Gmail.

There are no other email problems, eg. SPF, DKIM, DMARC etc.

Please help me solve this issue. I obtained the error from my DMARC-provider.

Error:

{"organization-name":"Microsoft Corporation","date-range":{"start-datetime":"2024-11-18T00:00:00Z","end-datetime":"2024-11-18T23:59:59Z"},"contact-info":"[email protected]","report-id":"133765181884122747+REDACTED","policies":[{"policy":{"policy-type":"sts","policy-domain":"REDACTED"},"summary":{"total-successful-session-count":0,"total-failure-session-count":2},"failure-details":[{"result-type":"sts-policy-fetch-error","failed-session-count":2}]}]}

Joan Hua-MSFT 5,300 Reputation points Microsoft External Staff

2024-11-25T05:58:50.4033333+00:00

Hi @ MP-9510

Welcome to our forum!

Please kindly understand that the Outlook tag here we mainly focus on general issues about Outlook desktop client. Looks like your issue is more related to Microsoft Purview. To better solve your problem, I will add Microsoft Purview tag for you.

Thanks for your support and understanding!
phemanth 15,765 Reputation points Microsoft External Staff Moderator

2024-11-27T09:58:59.2533333+00:00
@MP-9510 Thanks for using Microsoft Q&A forum and posting your query.

It sounds like you’re encountering an issue where Microsoft’s servers are unable to fetch your MTA-STS policy. Here are a few steps you can take to troubleshoot and resolve this problem:

Check Policy URL and DNS Configuration:

Ensure that your MTA-STS policy is hosted at the correct URL: https://mta-sts.<your-domain>/.well-known/mta-sts.txt.

Verify that your DNS TXT record for _mta-sts.<your-domain> is correctly configured with the appropriate policy ID.

Policy Validity and Accessibility:

Double-check that your MTA-STS policy file is accessible over HTTPS and that there are no SSL/TLS certificate issues.

Use tools like curl or online validators to confirm that the policy file can be fetched without errors.

Policy Content:

Ensure that the policy file is correctly formatted and adheres to the MTA-STS specification. The policy should look something like this:
version: STSv1 mode: enforce mx: <your-mail-server> max_age: 86400

Microsoft-Specific Considerations:

According to Microsoft, their outbound MTA-STS implementation respects the recipient domain’s policy 1. If there’s an issue with the policy fetch, it could be due to a temporary network issue or a misconfiguration on the recipient’s side.

Make sure that your policy is not in “testing” mode if you want it to be enforced.

Logs and Reports:

Review your server logs for any errors related to MTA-STS policy fetch attempts.

Check the detailed reports from your DMARC provider for any additional clues.

If you’ve verified all the above and the issue persists, please do let us know
MP-9510 20 Reputation points

2024-11-27T10:14:29.04+00:00

Dear @phemanth

Thank you for your reply. I checked everything you mentioned, but did not find anything which might cause this problem.

My policy is: valid, enforcing, can be accessed, and is used by other mailservers, including Gmail and Yahoo.

Can you think of a reason why this problem only occurs with incoming mail sent from Microsoft?
phemanth 15,765 Reputation points Microsoft External Staff Moderator

2024-11-28T13:04:41.5533333+00:00
@MP-9510

It’s great to hear that you’ve thoroughly checked your MTA-STS policy and confirmed its validity and accessibility. Given that other mail servers like Gmail and Yahoo are successfully using your policy, the issue with Microsoft servers might be due to a few specific factors:

Temporary Network Issues

Intermittent Connectivity: There could be temporary network issues or intermittent connectivity problems between Microsoft’s servers and your MTA-STS policy URL. These issues might not affect other providers.

Microsoft-Specific Implementation

Strict Validation: Microsoft’s implementation of MTA-STS might have stricter validation checks compared to other providers. This could include more rigorous checks on SSL/TLS certificates or DNS configurations.

Caching Issues

Policy Caching: Microsoft servers might be caching an outdated version of your MTA-STS policy. Ensure that the id in your DNS TXT record is updated whenever you make changes to the policy to force a re-fetch.

Certificate Chain Issues

Certificate Validation: Ensure that the SSL/TLS certificate used for your MTA-STS policy URL is correctly chained to a trusted root Certificate Authority. Any issues in the certificate chain might cause Microsoft’s servers to reject the policy.

Firewall or Security Settings

Blocking Traffic: Check if there are any firewall or security settings that might be blocking traffic from Microsoft’s servers to your MTA-STS policy URL.

Detailed Logs and Reports

Review Logs: Examine detailed logs and reports from your DMARC provider and your own server logs for any specific error messages or patterns that might provide more insight into the issue.

If these steps don’t resolve the issue, please do let us know
MP-9510 20 Reputation points

2024-11-28T13:27:17.3033333+00:00

Dear @phemanth I would like to contact Microsoft and send them my domain name and MTA-STS link, so they can check the factors you mentioned.

What is the best way to contact Microsoft for this purpose?
phemanth 15,765 Reputation points Microsoft External Staff Moderator

2024-12-04T16:06:53.1866667+00:00

@MP-9510

If you have a support plan could you please file a support ticket ,Support team can guide you, In case if you don't have a support plan please let us know here.
phemanth 15,765 Reputation points Microsoft External Staff Moderator

2024-12-05T20:00:55.2133333+00:00

@MP-9510 We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Your answer

Joan Hua-MSFT 5,300 Reputation points Microsoft External Staff

2024-11-25T05:58:50.4033333+00:00

Hi @ MP-9510

Welcome to our forum!

Please kindly understand that the Outlook tag here we mainly focus on general issues about Outlook desktop client. Looks like your issue is more related to Microsoft Purview. To better solve your problem, I will add Microsoft Purview tag for you.

Thanks for your support and understanding!
phemanth 15,765 Reputation points Microsoft External Staff Moderator

2024-11-27T09:58:59.2533333+00:00

@MP-9510 Thanks for using Microsoft Q&A forum and posting your query.

It sounds like you’re encountering an issue where Microsoft’s servers are unable to fetch your MTA-STS policy. Here are a few steps you can take to troubleshoot and resolve this problem:

Check Policy URL and DNS Configuration:

Ensure that your MTA-STS policy is hosted at the correct URL: https://mta-sts.<your-domain>/.well-known/mta-sts.txt.

Verify that your DNS TXT record for _mta-sts.<your-domain> is correctly configured with the appropriate policy ID.

Policy Validity and Accessibility:

Double-check that your MTA-STS policy file is accessible over HTTPS and that there are no SSL/TLS certificate issues.

Use tools like curl or online validators to confirm that the policy file can be fetched without errors.

Policy Content:

Ensure that the policy file is correctly formatted and adheres to the MTA-STS specification. The policy should look something like this:
version: STSv1 mode: enforce mx: <your-mail-server> max_age: 86400

Microsoft-Specific Considerations:

According to Microsoft, their outbound MTA-STS implementation respects the recipient domain’s policy 1. If there’s an issue with the policy fetch, it could be due to a temporary network issue or a misconfiguration on the recipient’s side.

Make sure that your policy is not in “testing” mode if you want it to be enforced.

Logs and Reports:

Review your server logs for any errors related to MTA-STS policy fetch attempts.

Check the detailed reports from your DMARC provider for any additional clues.

If you’ve verified all the above and the issue persists, please do let us know
MP-9510 20 Reputation points

2024-11-27T10:14:29.04+00:00

Dear @phemanth

Thank you for your reply. I checked everything you mentioned, but did not find anything which might cause this problem.

My policy is: valid, enforcing, can be accessed, and is used by other mailservers, including Gmail and Yahoo.

Can you think of a reason why this problem only occurs with incoming mail sent from Microsoft?
phemanth 15,765 Reputation points Microsoft External Staff Moderator

2024-11-28T13:04:41.5533333+00:00

@MP-9510

It’s great to hear that you’ve thoroughly checked your MTA-STS policy and confirmed its validity and accessibility. Given that other mail servers like Gmail and Yahoo are successfully using your policy, the issue with Microsoft servers might be due to a few specific factors:

Temporary Network Issues

Intermittent Connectivity: There could be temporary network issues or intermittent connectivity problems between Microsoft’s servers and your MTA-STS policy URL. These issues might not affect other providers.

Microsoft-Specific Implementation

Strict Validation: Microsoft’s implementation of MTA-STS might have stricter validation checks compared to other providers. This could include more rigorous checks on SSL/TLS certificates or DNS configurations.

Caching Issues

Policy Caching: Microsoft servers might be caching an outdated version of your MTA-STS policy. Ensure that the id in your DNS TXT record is updated whenever you make changes to the policy to force a re-fetch.

Certificate Chain Issues

Certificate Validation: Ensure that the SSL/TLS certificate used for your MTA-STS policy URL is correctly chained to a trusted root Certificate Authority. Any issues in the certificate chain might cause Microsoft’s servers to reject the policy.

Firewall or Security Settings

Blocking Traffic: Check if there are any firewall or security settings that might be blocking traffic from Microsoft’s servers to your MTA-STS policy URL.

Detailed Logs and Reports

Review Logs: Examine detailed logs and reports from your DMARC provider and your own server logs for any specific error messages or patterns that might provide more insight into the issue.

If these steps don’t resolve the issue, please do let us know
MP-9510 20 Reputation points

2024-11-28T13:27:17.3033333+00:00

Dear @phemanth I would like to contact Microsoft and send them my domain name and MTA-STS link, so they can check the factors you mentioned.

What is the best way to contact Microsoft for this purpose?
phemanth 15,765 Reputation points Microsoft External Staff Moderator

2024-12-04T16:06:53.1866667+00:00

@MP-9510

If you have a support plan could you please file a support ticket ,Support team can guide you, In case if you don't have a support plan please let us know here.
phemanth 15,765 Reputation points Microsoft External Staff Moderator

2024-12-05T20:00:55.2133333+00:00

@MP-9510 We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

MP-9510 I had issues receiving emails from exchange servers specifically like you were. It was due to the MX record in DNS pointing to a CNAME record. It seems Microsoft may have implemented a stricter reading of an RFC and the MX record needs to point to A / AAAA records. That was the missing piece for me.

i.e. If your MX record returns mail.<your-domain>
and mail.<your-domain> is a CNAME record for <your-domain> or any other address
then mta-sts validation will fail.

Resolving mail.<your-domain> MUST return an A and/or AAAA record.

Sources:
Introducing MTA-STS for Exchange Online
Clarifications on MTA-STS Policy with CNAME Records

Share via

MTA-STS failure

Error:

1 answer

Your answer