TLDR: You are right about the mta-sts subdomain, I misread some info I got. However, the A and AAAA records are necessary as per my experience, but they do not necessarily need to point to the miab server… that part could be improved.
The long part now:
No, you don’t, but it still shows as an error on the status check, one like this:
This domain should resolve to this box’s IP address (A xxx.xxx.xxx.xxx) if you would like the box to serve webmail or a website on this domain. The domain currently resolves to yyy.yyy.yyy.yyy in public DNS. It may take several hours for public DNS to update after a change. This problem may result from other issues listed here.
I believed the same, until I got some email delivery errors stating in the response that it was due to the lack of an AAAA record on the main domain. Adding that to my DNS solved the issue.
You are right here. I misread an email I received yesterday at my postmaster account (at first I thought it was some scam, as many other times; however, after reading it carefully and doing some checks, I found it to be legit). The email stated this, but I missed the mta-sts subdomain in the error message.
Hello,
We are a group of security researchers from Virginia Tech and the Max Planck Institute for Informatics currently conducting a study on MTA-STS (Mail Transfer Agent Strict Transport Security) configurations across various domains.
During our most recent scan on September 29th, 2024, we identified potential issue(s) with your domain [domain.tld]. Specifically, we encountered the following error(s):
1. We were unable to resolve the policy host. We attempted to retrieve your policy from https://mta-sts.[domain.tld]/.well-known/mta-sts.txt
We are reaching out as you may not be aware of this issue. Addressing these issue(s) is important as it may impact how emails are delivered for your domain.
I added the .well-known mta-sts thing to all my domains, but I clearly was mistaken and I can undo that now. I’ll let the email sender know.
So forget about the "Status check against .well-known/mta-sts.txt" check request. But I can start another thread about the main domain A/AAAA records showing as an error if you think it will be useful… my proposal would be to show an error if they are not set, but a warning or even an OK if they are, even if they point to a different IP.
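As an added example (not code from the thread or from Mail-in-a-Box), the following Python builds the policy location the researchers' email refers to and validates an mta-sts.txt body along the lines of RFC 8461; the sample policies and the example.com host names are constructed.

```python
# Added example (not from the forum thread): derive the MTA-STS policy URL
# for a domain and validate an mta-sts.txt policy body (RFC 8461 section 3.2).
# The sample policies and host names below are constructed for illustration.
from urllib.parse import urlunsplit

MAX_AGE_LIMIT = 31_557_600  # RFC 8461: max_age is at most one year in seconds


def policy_url(domain: str) -> str:
    """Return the well-known URL a sending MTA fetches for this domain's policy."""
    host = f"mta-sts.{domain.strip().rstrip('.').lower()}"
    return urlunsplit(("https", host, "/.well-known/mta-sts.txt", "", ""))


def parse_policy(text: str) -> dict:
    """Parse an mta-sts.txt body into a dict; raise ValueError if it is invalid."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)          # one or more mx patterns allowed
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
        # unknown keys are ignored so newer policy fields do not break parsing
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be an integer of at most {MAX_AGE_LIMIT}")
    policy["max_age"] = int(age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx line")
    return policy


# Constructed samples: a valid enforce policy and one that is missing its mx line.
GOOD = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800\n"
BAD = "version: STSv1\nmode: enforce\nmax_age: 604800\n"
```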