Digging into STSFetchResult.FETCH_ERROR

Was looking into the ‘MTA-STS policy is missing: STSFetchResult.FETCH_ERROR’ issue and found this using https://esmtp.email/tools/mta-sts/ . I searched the forum for this issue and it has already been over 48 hours. Any ideas?

Invalid TLSRPT TXT record
DNS TLSRPT policy record must pass basic validation
TLSRPT is commonly implemented by organizations where TLS is employed to secure communications. It is defined in RFC-8460 and allows users to specify a mechanism where TLS failures can be reported automatically by affected sites.

The DNS TXT record _smtp._tls on the tested domain was resolved via a public DNS resolver. This check looks for a well-formed TXT record indicating presence of a well-formed TLSRPT reporting policy suitable for MTA-STS. The record's contents are parsed and the result validated according to the rules from RFC-8460.

DNSSEC is used for the lookup. If a result is returned with no DNSSEC validation, a warning is provided. Note that as per RFC-8460, DNSSEC is not a strict requirement.

Since TLSRPT is not strictly mandatory in conjunction with MTA-STS, failures of this check are reported merely as warnings.


TLSRPT TXT DNS response contains zero answers

Usually this happens when there is no cert for mta-sts.example.com.

mta-sts.zcloudservices.com Signed & valid. The certificate expires in 88 days on 2022-01-11.

This is what I see:

$ dig +short txt _mta-sts.zcloudservices.com
"v=STSv1; id=2AlfcYHIG7sYAGbC3gcB"

You can look at the ‘External DNS’ page in the dashboard to see if that matches what MiaB thinks it is publishing.


You’re looking at two different things.

As @openletter notes, the Fetch error is most commonly an issue with the certificate on the mta-sts subdomain.

Unrelated to that, the error you’re seeing from esmtp.email on the TLSRPT TXT record points more to an error when doing the lookup via DNSSEC, which it appears you have configured on your domain. I don’t think MIAB configures this record for you (as it is not mandatory with MTA-STS) but you should be able to add the TXT record to your DNS manually, something like

_smtp._tls.your-domain  TXT "v=TLSRPTv1; rua=reporting-address"

@openletter Yes that matches.

_mta-sts.zcloudservices.com	TXT	v=STSv1; id=2AlfcYHIG7sYAGbC3gcB
Optional. Part of the MTA-STS policy for incoming mail. If set, a MTA-STS policy must also be published.

@blinkingline Understood about the two different things. I was thinking that perhaps the second could be causing the first but that doesn’t appear to be the case now.

Just to clarify, are you saying I should just be able to add a record like this:

_smtp._tls.zcloudservices.com TXT "v=TLSRPTv1; rua=reporting-address"

or do I need to edit the reporting-address part too? Sorry, I’m pretty new to this mail stuff!

reporting-address is the address where your TLS reports will be sent. It can be a mailto: address or it can be an address for an API or whatever you have that's collecting the reports.

You also don't HAVE to do either of these, since it's not mandatory, in which case you would just ignore the warning from esmtp.email's report.
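To make the two checks the thread separates concrete, here is an added example (not code from the esmtp.email tool or from Mail-in-a-Box) that validates the `_mta-sts` TXT value per RFC 8461 and the `_smtp._tls` TXT value per RFC 8460, rating TLSRPT problems as warnings since it is optional, and shows the HTTPS policy fetch whose certificate failure is what FETCH_ERROR points at. The sample record values and the `tls-reports@example.com` mailbox are constructed, and the domain passed to `fetch_policy` is whatever you want to check.

```python
import re
import urllib.request
from urllib.parse import urlparse

# Constructed sample values, not live DNS answers (the TLSRPT mailbox is made up).
SAMPLE_STS_TXT = "v=STSv1; id=2AlfcYHIG7sYAGbC3gcB"
SAMPLE_TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

def _split_fields(txt):
    """Split 'k=v; k=v' into ordered pairs; None if a field lacks '='."""
    fields = []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields.append((key.strip(), value.strip()))
    return fields

def check_mta_sts_txt(txt):
    """RFC 8461: first field v=STSv1, exactly one id= of 1-32 alphanumerics."""
    fields = _split_fields(txt)
    if not fields or fields[0] != ("v", "STSv1"):
        return False, "first field must be v=STSv1"
    ids = [v for k, v in fields if k == "id"]
    if len(ids) != 1 or not re.fullmatch(r"[A-Za-z0-9]{1,32}", ids[0]):
        return False, "exactly one id= of 1-32 alphanumerics required"
    return True, ""

def check_tlsrpt_txt(txt):
    """RFC 8460: v=TLSRPTv1 first, one rua= list of mailto:/https: URIs.
    TLSRPT is optional alongside MTA-STS, so problems rate 'warning', never 'error'."""
    if txt is None:
        return "warning", "no TLSRPT record (zero answers)"
    fields = _split_fields(txt)
    if not fields or fields[0] != ("v", "TLSRPTv1"):
        return "warning", "first field must be v=TLSRPTv1"
    rua = [v for k, v in fields if k == "rua"]
    if len(rua) != 1:
        return "warning", "exactly one rua= field required"
    bad = [u.strip() for u in rua[0].split(",")
           if urlparse(u.strip()).scheme not in ("mailto", "https")]
    if bad:
        return "warning", f"rua URIs must be mailto: or https:, got {bad}"
    return "ok", ""

def fetch_policy(domain, timeout=10):
    """The HTTPS step behind FETCH_ERROR: urlopen's default SSL context verifies
    the mta-sts.<domain> certificate (chain, hostname, expiry) and raises on failure."""
    url = f"https://mta-sts.{domain}/.well-known/mta-sts.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")
```

A literal `rua=reporting-address` as in the placeholder record above fails the URI-scheme check, which is the signal to replace it with a real mailto: or https: reporting endpoint.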
