Clarifications on MTA-STS Policy with CNAME Records


TechCommunity and @The_Exchange_Team,

 

In the article "Introducing MTA-STS for Exchange Online," there's a statement:

 

@The_Exchange_Team wrote:

We do not support CNAMEs when MTA-STS is used. If a domain uses a CNAME and follows the MTA-STS RFC, that domain will fail our MTA-STS checks, and will not receive emails from us.

 

I have several technical questions regarding this:

  1. CNAME Reference: Is the "domain uses a CNAME" part specifically referring to MX servers using CNAME records, or the mta-sts and _mta-sts DNS records?
  2. CNAME Usage: Many MTA-STS hosting services utilize CNAME records for MTA-STS configurations. Additionally, it appears Microsoft uses CNAMEs for serving its MTA-STS policies. What's the rationale?
  3. Record Type Implications: Is there a functional difference, from a Microsoft implementation standpoint, if an mta-sts record is served via an A/AAAA record vs. a CNAME record?

 

Looking for technical clarifications on these points.
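The question distinguishes three places where a CNAME can appear in an MTA-STS deployment: the MX target hosts, the `_mta-sts.<domain>` TXT record, and the `mta-sts.<domain>` host that serves the policy over HTTPS. As an added example (not from the original thread or from Microsoft), the following script walks each of those names over a constructed, in-memory DNS snapshot and reports which ones are reached through a CNAME, so an operator can see what a strict checker like the one described would trip on. The zone data and the hostnames in it are made up for illustration.

```python
# Constructed DNS snapshot for this example (not a real zone): name -> [(rtype, rdata), ...]
ZONE = {
    "example.test.": [("MX", (10, "mx1.example.test."))],
    "mx1.example.test.": [("CNAME", "edge.example.test.")],      # MX target is an alias
    "edge.example.test.": [("A", "192.0.2.10")],
    "_mta-sts.example.test.": [("TXT", "v=STSv1; id=20240101T000000Z;")],
    "mta-sts.example.test.": [("CNAME", "policy.hosting.test.")],  # policy host is an alias
    "policy.hosting.test.": [("A", "192.0.2.20")],
}


def resolve(zone, name, rtype):
    """Follow CNAMEs from `name`; return (final name, matching rdata, names that were aliases)."""
    aliases, seen = [], set()
    while name not in seen:
        seen.add(name)
        rrs = zone.get(name, [])
        cname = next((rd for rt, rd in rrs if rt == "CNAME"), None)
        if cname is None:
            return name, [rd for rt, rd in rrs if rt == rtype], aliases
        aliases.append(name)
        name = cname
    raise ValueError(f"CNAME loop at {name}")


def parse_sts_txt(txt):
    """Parse a `_mta-sts` TXT record ('v=STSv1; id=...') into a dict (RFC 8461 section 3.1)."""
    pairs = (p.strip() for p in txt.split(";"))
    return dict(p.split("=", 1) for p in pairs if "=" in p)


def mta_sts_cname_report(zone, domain):
    """Report each place in a domain's MTA-STS setup where a CNAME stands in for a direct record."""
    report = {}
    _, mx_rrs, _ = resolve(zone, domain, "MX")
    # An MX target that is itself a CNAME already violates RFC 2181 section 10.3.
    report["mx_targets_that_are_cnames"] = [
        host for _, host in mx_rrs if resolve(zone, host, "A")[2]
    ]
    _, txts, txt_aliases = resolve(zone, f"_mta-sts.{domain}", "TXT")
    report["sts_txt_via_cname"] = bool(txt_aliases)
    report["sts_txt"] = parse_sts_txt(txts[0]) if txts else None
    _, addrs, host_aliases = resolve(zone, f"mta-sts.{domain}", "A")
    report["policy_host_via_cname"] = bool(host_aliases)
    report["policy_host_resolves"] = bool(addrs)
    return report


if __name__ == "__main__":
    print(mta_sts_cname_report(ZONE, "example.test."))
```

Against a live domain you would replace `ZONE` with real lookups (for example via dnspython), keeping the same three checks.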


Hi @databender,

I will try to be technical, but also a bit casual for better understanding:

1. CNAME Reference:
- When they mention "a domain using a CNAME," they mean it's not just about email servers. It's mostly about using CNAME records for a specific kind of email security thing called MTA-STS. Think of CNAMEs like shortcuts.

2. CNAME Usage

- They say, "Hey, don't use CNAMEs for MTA-STS," because they want email to be super safe. MTA-STS is like a bodyguard for emails, making sure they're secure. But when we use CNAMEs, it can make the bodyguard's job harder.

- Microsoft wants email deliveries to be as safe as possible. So, they say, "Let's not use CNAMEs for MTA-STS." Safety is their top priority!

3. Record Type Implications:
- Now, when it comes to using A/AAAA records (these are like direct addresses) instead of CNAME records (which are like detours) for MTA-STS, here's the deal: A/AAAA records give us more control. It's like knowing exactly where you're going.

- But with CNAMEs, it's like taking a longer route, and sometimes, that can lead to security issues. Bad guys might try to mess with the directions, and that's a no-no.

- So, Microsoft says, "Let's stick to A/AAAA records for MTA-STS to keep email super secure."

MTA-STS (Strict Transport Security) (msxfaq.de)

MTA-STS (Strict Transport Security) - Frankys Web

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic

The way I read it is that they don't support having a CNAME record for an MX record when using MTA-STS