Recommended DNS Records (TLSRPT, MTA-STS)

While MX, SPF, DKIM, and DMARC are mandatory for basic delivery, TrekMail recommends three additional records to tighten security and improve deliverability reporting. Adding these will remove the "Warning" status from your domain health.

Who this is for

• Admins who want the highest security score.
• Users seeing "Active (Warnings)" on their domain.

The Recommended Records

You will find these in the DNS & Health tab under the Spam protection section.

1. TLS Reporting (TLSRPT)

Host: _smtp._tls Value: v=TLSRPTv1; rua=mailto:tlsrpt@trekmail.net

This record tells senders like Google and Microsoft where to send reports if they have trouble connecting securely to your domain. TrekMail collects these reports to monitor your deliverability health.

2. MTA-STS (Strict Transport Security)

MTA-STS typically requires setting up a web server to host a policy file. TrekMail handles this for you via a CNAME record. You need two records for this to work:

The Policy ID (TXT)

Host: _mta-sts Value: v=STSv1; id=<auto-assigned> (TrekMail sets the ID automatically — copy the exact value from your dashboard) This simply tells the world "I have a policy, and this is the current version ID."

The Policy Host (CNAME)

Host: mta-sts Value: mta-sts.trekmail.net This points the subdomain mta-sts.yourdomain.com to our servers, where we serve the required HTTPS policy file automatically.

[!NOTE] Provisioning Delay: After you add these DNS records and verify your domain, TrekMail automatically provisions a dedicated SSL certificate for mta-sts.yourdomain.com. This process can take up to 10 minutes. Until provisioning is complete, you might see "Provisioning" or "Pending" status for MTA-STS in the admin panel.

Note: This feature requires server-side provisioning to be enabled.

MTA-STS Status States

After adding your DNS records, TrekMail automatically provisions your MTA-STS certificate. You may see one of these statuses:

Common mistakes & quick fixes

• Symptom: Domain is "Active (Warnings)".

  • Cause: One or more of these recommended records is missing.
  • Fix: Add them to your DNS. They are not strictly required for mail flow, but they help reputation.

• Symptom: MTA-STS shows "Blocked (DNS)".

  • Cause: The mta-sts CNAME record is missing.
  • Fix: Add a CNAME record: Host = mta-sts, Value = mta-sts.trekmail.net

• Symptom: MTA-STS shows "Blocked (Cloudflare)".

  • Cause: Cloudflare is proxying the mta-sts subdomain (orange cloud icon).
  • Fix: In Cloudflare DNS settings, click the orange cloud icon on the mta-sts CNAME to toggle it to "DNS only" (grey cloud). Only this subdomain needs to be unproxied; your main domain can stay proxied.

• Symptom: MTA-STS shows "Degraded".

  • Cause: The endpoint was working but became unreachable.
  • Fix: Check that (1) the CNAME still points to mta-sts.trekmail.net, (2) Cloudflare proxy is disabled for this subdomain, and (3) there are no firewall rules blocking access.

• Symptom: CNAME Conflict on mta-sts.

  • Cause: You might have an old CNAME or A record for mta-sts.
  • Fix: Delete the old record and replace it with the one pointing to mta-sts.trekmail.net.

• Symptom: TXT Hostname confusion.

  • Tip: Ensure your DNS provider doesn't require the full domain. Usually _mta-sts is enough. If you type _mta-sts.example.com, some providers might create _mta-sts.example.com.example.com.