The service seems to be struggling to resolve DNS entries that are, in fact, publicly resolvable. Try running the "gmail.com" domain and you'll see the errors.

Hi

MTA-SMS validator is a great service.

I have just implementated an improvement in the configuration of a server, but MTA-SMS validator still suggests the same improvement.

The reason may be that MTA-SMS validator still presents the result from before I made the improvement. That would be perfectly ok if

• the test result gave an indication on when it was established
• the test result gave an indication on how to get an updated result (e.g. wait for an hour or a day, or hit this and that button)

Hi,

Our MTA-STS is working fine, but we get an error on the MTA-STS check which looks like it's due to the tool giving an error after checking the certificates of the first 6 MX records. As Gmail use 7 records currently it might be worth considering upping the number of certificate checks to ensure that the check completes successfully. :)

https://aykevl.nl/apps/mta-sts/ doesn't work for any mail domain that I tried.

I have an IPv6 only site (https://mta-sts.forfun.net/.well-known/mta-sts.txt) and it can't be reached by the test (https://aykevl.nl/apps/mta-sts/):

Error: Could not connect to the HTTPS server: [Errno 101] Network is unreachable.

Is this something to improve, perhaps?

posteo.de uses a small max_age value of five minutes.

max_age: 300

The service reports the warning below.

Error: Very short max_age field specified. It is less than a day with 0.003472222222222222 seconds. The suggested amount is at least in the order of weeks (this validator uses 28 days).

As the unit for max_age is integer seconds, shouldn’t it say 300 seconds in the message?

Hey

Can you upgrade python to 3.7 or make it continue checking MTA-STS files if https cert checking fails?

Currently I hit this bug when trying to verify my domain: https://bugs.python.org/issue28414

import http, ssl

host = "xn--sb-lka.org"
context = context = ssl.create_default_context()
conn = http.client.HTTPSConnection(host, timeout=10, context=context)

conn.request('GET', f'https://{host}/')
# CertificateError: hostname 'søb.org' doesn't match 'xn--sb-lka.org'

The RFC 8461 defines:

   sts-text-record = sts-version 1*(sts-field-delim sts-field)
                     [sts-field-delim]

   sts-field-delim = *WSP ";" *WSP

   sts-version     = %s"v=STSv1"

So based on that the "v=STSv1 ;" should be considered valid. The RFC only states that:

If multiple TXT records for "_mta-sts" are returned by the resolver,
records that do not beginwith "v=STSv1;" are discarded.

Examples (inside array, number of TXT records):
["v=STSv1; id=1234"] -> valid
["v=STSv1 ; id=1234"] -> valid
["v", "v=STSv1; id=1234"] -> valid (second)
["v", "v=STSv1 ; id=1234"] -> invalid (all)

I tested my domain on your online testing site and I always got TLSRPT failed.
Error: Cannot resolve DNS: domain _smtp-tlsrpt.mxdove.com does not exist.

Is there problem with my DNS setting?
My test shows:
# dig _smtp-tlsrpt.mxdove.com TXT +short
"v=TLSRPTv1\; rua=mailto:[email protected]."

Thanks for help.

Error: SSL error while connecting to the HTTPS server: TLSV1_ALERT_INTERNAL_ERROR.

Try forfun.net.
(https://mta-sts.forfun.net/.well-known/mta-sts.txt is there, but the test can't seem to find it)

Hello,

the validator code warn on a max_age value shorter then 4 weeks

What's the rationale behind this selection?
RFC 8461 only say

To mitigate the risks of attacks at policy refresh
time, it is expected that this value typically be in the range of
weeks or greater.

why did you choose 4 weeks ?

Andreas

Seem to be having validation issues when checking IDNs with .クラウド or .xn--gckr3f0f TLD.

My mail server (mail.koehn.com, used by domain koe.hn) uses a wildcard TLS certificate (*.koehn.com). Your otherwise fantastic tool doesn't recognize that this certificate is valid for this server.

Thanks for the handy tool!