Automation Linux Security

Hosting MTA-STS .txt File on CloudFlare Workers

· Mike Hosker

MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) is an email security standard that lets a receiving domain declare that its MX hosts accept TLS with valid certificates, so that sending MTAs can refuse to deliver over plaintext or to a host the policy does not list. Without it, an attacker in the network path can strip STARTTLS, or, by tampering with unsigned DNS answers, point senders at an MX host of their choosing. The policy is a .txt file that must be served over HTTPS, with a valid certificate and no redirects, at a fixed URL on your domain:

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

Normally this means a web server — but CloudFlare Workers let you serve the file from the edge with no infrastructure to maintain.

What is a CloudFlare Worker?

CloudFlare Workers is a serverless platform that runs JavaScript at CloudFlare's global edge network, close to users. You write a small script, configure which URLs trigger it, and CloudFlare handles everything else.

The Worker Script

// Policy body. version must be the first line; use one mx: line per MX host
// (a leading *. stands for exactly one label); max_age is how long senders
// may cache the policy, in seconds.
const MTA_STS_CONTENT = `version: STSv1
mode: enforce
mx: mail.google.com
max_age: 86400
`

// Invoked for every request that matches the Worker's route.
addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

// Serve the policy as text/plain, the media type RFC 8461 requires.
async function handleRequest(request) {
  return new Response(MTA_STS_CONTENT, {
    headers: {
      'content-type': 'text/plain',
    },
  })
}

Adjust the mx: lines to match the hostnames in your domain's MX records, one mx: line per host; a leading *. wildcard matches exactly one label (for example *.aspmx.l.google.com). Start with mode: testing, in which sending MTAs fetch the policy but still deliver when it would fail, and switch to enforce only once you have confirmed that every MX host matches a pattern. max_age is the number of seconds senders may cache the policy; 86400 is convenient while testing, but a week (604800) or more is typical once enforcing.

Route Configuration

In the Worker's Triggers tab, add a route for:

mta-sts.yourdomain.com/.well-known/mta-sts.txt

If you want one Worker to serve multiple domains (e.g., multiple Google Workspace domains using the same mail servers), add a route for each.

CloudFlare Workers route configuration for MTA-STS
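As an added example (not code from the original post), here is a Worker that extends the single-policy script above to serve a different policy per hostname and to answer 404 on every other path. The domain names, MX hosts and max_age values are placeholders; the lookup is kept in a pure function, policyFor(), so it can be exercised in Node without the Workers runtime.

```javascript
// Added example, not from the original post: one Worker serving a separate
// MTA-STS policy per hostname and 404 for anything else. Domain names, MX
// hosts and max_age values are placeholders; replace them with your own.

const POLICY_PATH = '/.well-known/mta-sts.txt'

const POLICIES = {
  'mta-sts.example.com': {
    mode: 'enforce',
    mx: ['aspmx.l.google.com', '*.aspmx.l.google.com'],
    maxAge: 604800,
  },
  'mta-sts.example.net': {
    mode: 'testing',
    mx: ['mail.example.net'],
    maxAge: 86400,
  },
}

// Render a policy object as the line-oriented text format RFC 8461 expects.
function renderPolicy(p) {
  const lines = ['version: STSv1', `mode: ${p.mode}`]
  for (const mx of p.mx) lines.push(`mx: ${mx}`)
  lines.push(`max_age: ${p.maxAge}`)
  return lines.join('\n') + '\n'
}

// Pure lookup, easy to unit-test: the policy text for hostname + path, or null.
function policyFor(hostname, pathname) {
  if (pathname !== POLICY_PATH) return null
  const p = POLICIES[hostname.toLowerCase()]
  return p ? renderPolicy(p) : null
}

// Thin wrapper the Workers runtime calls; everything else is in policyFor().
function handleRequest(request) {
  const url = new URL(request.url)
  const body = policyFor(url.hostname, url.pathname)
  if (body === null) return new Response('not found', { status: 404 })
  return new Response(body, {
    headers: {
      'content-type': 'text/plain',
      // Senders cache the policy for max_age anyway; a short edge cache just saves invocations.
      'cache-control': 'public, max-age=3600',
    },
  })
}

// addEventListener exists only inside the Workers runtime; the guard lets the
// same file be loaded in Node for testing policyFor().
if (typeof addEventListener === 'function') {
  addEventListener('fetch', event => event.respondWith(handleRequest(event.request)))
}
```

Because the Worker now checks the path itself, a broader route such as mta-sts.yourdomain.com/* is also safe: any other URL on the hostname gets a 404 rather than a copy of the policy.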

DNS Setup

In CloudFlare DNS, create a record for mta-sts.yourdomain.com so that the hostname resolves; its target does not matter, because the Worker answers before the request reaches any origin. A common choice is an AAAA record pointing to 100:: (the reserved discard-only IPv6 prefix) or an A record pointing to 192.0.2.1 (a reserved documentation address). The record must be proxied (orange cloud enabled) so the request passes through CloudFlare, which also gives the hostname the valid HTTPS certificate MTA-STS requires: a single-level subdomain such as mta-sts.yourdomain.com is covered by CloudFlare's Universal SSL certificate. Sending MTAs do not follow redirects when fetching the policy, so make sure no page rule or redirect on the zone rewrites that URL.

DNS TXT Record

MTA-STS also requires a _mta-sts TXT record to signal that a policy exists:

_mta-sts.yourdomain.com  TXT  "v=STSv1; id=20211202"

Senders cache the policy for up to max_age seconds, so whenever you change the policy file also change the id value (any alphanumeric string of up to 32 characters; a date stamp works well) to signal to sending MTAs that they should re-fetch it.
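Before flipping mode to enforce it is worth checking that the three pieces agree with each other. The following is an added example, not part of the original post: it parses the _mta-sts TXT record and the policy file according to the RFC 8461 syntax rules (version first, valid mode, max_age within one year, wildcard only as the leftmost label) and checks each MX host of the domain against the policy's mx patterns. The TXT record, policy text and MX list are constructed sample data; in practice you would feed it the output of dig TXT _mta-sts.yourdomain.com, a curl of the policy URL, and dig MX yourdomain.com.

```javascript
// Added example, not from the original post. Offline validator for the pieces
// of an MTA-STS deployment: the _mta-sts TXT record, the policy file, and the
// domain's MX hosts. The sample inputs below are constructed, not fetched.

const SAMPLE_TXT = 'v=STSv1; id=20211202'
const SAMPLE_POLICY =
  'version: STSv1\nmode: enforce\nmx: aspmx.l.google.com\nmx: *.aspmx.l.google.com\nmax_age: 604800\n'
const SAMPLE_MX = ['aspmx.l.google.com', 'alt1.aspmx.l.google.com', 'alt2.aspmx.l.google.com']

const MAX_AGE_LIMIT = 31557600 // one year, the largest max_age RFC 8461 allows

// Parse "v=STSv1; id=..." into its id; the version field must come first.
function parseTxtRecord(txt) {
  const fields = txt.split(';').map(s => s.trim()).filter(Boolean)
  const problems = []
  if (fields[0] !== 'v=STSv1') problems.push('TXT record must start with v=STSv1')
  const idField = fields.slice(1).map(f => f.match(/^id=([A-Za-z0-9]{1,32})$/)).find(Boolean)
  if (!idField) problems.push('TXT record needs id=<1-32 alphanumeric characters>')
  return { id: idField ? idField[1] : null, problems }
}

// Parse the policy file: "key: value" lines, LF or CRLF terminated; unknown keys are ignored.
function parsePolicy(text) {
  const policy = { version: null, mode: null, mx: [], maxAge: null }
  const problems = []
  const lines = text.split(/\r?\n/).filter(l => l.trim() !== '')
  lines.forEach((line, i) => {
    const m = line.match(/^([a-z_]+):\s*(.*?)\s*$/)
    if (!m) { problems.push(`line ${i + 1} is not "key: value": ${line}`); return }
    const [, key, value] = m
    if (i === 0 && key !== 'version') problems.push('version must be the first field')
    if (key === 'version') policy.version = value
    else if (key === 'mode') policy.mode = value
    else if (key === 'mx') policy.mx.push(value.toLowerCase())
    else if (key === 'max_age') policy.maxAge = value
  })
  if (policy.version !== 'STSv1') problems.push('version must be STSv1')
  if (!['enforce', 'testing', 'none'].includes(policy.mode)) problems.push('mode must be enforce, testing or none')
  if (/^\d{1,10}$/.test(policy.maxAge || '') && Number(policy.maxAge) <= MAX_AGE_LIMIT) policy.maxAge = Number(policy.maxAge)
  else problems.push(`max_age must be an integer number of seconds no larger than ${MAX_AGE_LIMIT}`)
  if (policy.mode !== 'none' && policy.mx.length === 0) problems.push('at least one mx line is required unless mode is none')
  for (const p of policy.mx) {
    // A wildcard is only allowed as the leftmost label.
    if (!/^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(p)) problems.push(`invalid mx pattern: ${p}`)
  }
  return { policy, problems }
}

// RFC 8461 matching: an exact match, or a leading "*." standing for exactly one label.
function mxMatches(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, '')
  if (!pattern.startsWith('*.')) return h === pattern
  const suffix = pattern.slice(2)
  if (!h.endsWith('.' + suffix)) return false
  return !h.slice(0, h.length - suffix.length - 1).includes('.')
}

// Check the three pieces together; returns ok plus a list of human-readable problems.
function checkDeployment(txt, policyText, mxHosts) {
  const { problems: txtProblems } = parseTxtRecord(txt)
  const { policy, problems } = parsePolicy(policyText)
  const all = [...txtProblems, ...problems]
  if (policy.mode !== 'none') {
    for (const host of mxHosts) {
      if (!policy.mx.some(p => mxMatches(host, p))) all.push(`MX host ${host} matches no mx pattern in the policy`)
    }
  }
  return { ok: all.length === 0, problems: all, policy }
}

console.log(checkDeployment(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX))
```

The most common mistake this catches is an mx: line that names a mail host the domain's MX records do not actually point to; in enforce mode that would make compliant senders refuse your mail, so run the check against the real MX list before switching the mode.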

Benefits

  • No server to maintain or patch
  • Files served from CloudFlare's global edge — fast everywhere
  • Easy to update via the CloudFlare dashboard
  • One Worker can cover multiple domains