EmailDiscussions.com  

Old 1 Jul 2026, 06:52 PM   #1
tsphillips
Member
 
Join Date: Jan 2008
Location: Great Britain
Posts: 76
Fastmail support for MTA-STS

My country's National Cyber Security Centre says
"The privacy of emails sent to [my] domain is at risk.
"This domain does not have MTA-STS configured. This means that your email privacy (using TLS) is vulnerable to downgrade, allowing an attacker to read the contents of your emails."
Nine years ago, Neil Jenkins (Fastmail's Chief Product Officer) wrote
"Initiatives like MTA-STS will allow us to further protect against active man-in-the-middle attacks on mail delivery, and all without impacting usability" (my emphasis)
on Fastmail's blog at https://www.fastmail.com/blog/the-fa...urity-mindset/

Does Fastmail now support MTA-STS?

Old 1 Jul 2026, 11:08 PM   #2
JeremyNicoll
Cornerstone of the Community
 
Join Date: Dec 2017
Location: Scotland
Posts: 868
Quote:
Originally Posted by tsphillips View Post
My country's National Cyber Security Centre says ... The privacy of emails sent to [my] domain is at risk. "This domain does not have MTA-STS configured."
I'm also in the UK ... How did you find this out - is there a NCSC check-your-domain (or something) feature? Or did somebody claiming to be the NCSC email you?


Quote:
Originally Posted by tsphillips View Post
Does Fastmail now support MTA-STS?
Why don't you ask them ... and then tell us - all users here - what they said?
Old 1 Jul 2026, 11:45 PM   #3
tsphillips
Member
 
Join Date: Jan 2008
Location: Great Britain
Posts: 76
Quote:
Originally Posted by JeremyNicoll View Post
I'm also in the UK ... How did you find this out - is there a NCSC check-your-domain (or something) feature?
Yes. The NCSC has a free "Check your email security" online tool, which you can access via this link
https://www.ncsc.gov.uk/blog-post/cy...tect-customers

Quote:
Originally Posted by JeremyNicoll View Post
Why don't you ask them ... and then tell us - all users here - what they said?
I have just asked Fastmail - and await their answer.
Old 2 Jul 2026, 01:33 AM   #4
JeremyNicoll
Cornerstone of the Community
 
Join Date: Dec 2017
Location: Scotland
Posts: 868
If FM do support this - for your incoming mails, my reading suggests that you need your domain to have its own https web server to host a policy file.

Do you have a web server? Just possibly (if you don't) the policy file could be hosted in your domain's "Files" area - I'm not in a position to test this as I don't have a TLS certificate for my custom domain.


Separately ... do they support it when sending your (or in fact any FM customer)'s outbound emails to other people's servers?

Has anyone ever seen a "Delivery failed" status notification saying a recipient's server isn't sufficiently secure?
Old 2 Jul 2026, 08:58 AM   #5
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 9,133
FASTMAIL.COM MTA-STS support

You don’t say which domain you use for email. If it’s fastmail.com, then yes, Fastmail supports MTA-STS as follows (which can be confirmed using the free MXToolbox.com MTA-STS tool):
Code:
version: STSv1
mode: testing
mx: in1-smtp.messagingengine.com
mx: in2-smtp.messagingengine.com
max_age: 86400
As you can see, Fastmail announces that they support MTA-STS in testing mode. The possible modes available are:
  • Enforce: In this mode, Sending MTAs MUST NOT deliver the message to hosts that fail MX matching or certificate validation or that do not support STARTTLS.
  • Testing: In this mode, Sending MTAs that also implement the TLSRPT (TLS Reporting) specification (RFC8460) send a report indicating policy application failures (as long as TLSRPT is also implemented by the recipient domain); in any case, messages may be delivered as though there were no MTA-STS validation failure.
  • None: In this mode, Sending MTAs should treat the Policy Domain as though it does not have any active policy; see Section 8.3, "Removing MTA-STS", for use of this mode value.

I use my own personal domain for email, and the DNS records for this domain are hosted at Fastmail. Fastmail does automatically add a number of DNS records automatically by default, but they don’t seem to be adding MTA-STS features for my personal domain.

Bill
n5bb is offline   Reply With Quote
Old 2 Jul 2026, 07:36 PM   #6
tsphillips
Member
 
Join Date: Jan 2008
Location: Great Britain
Posts: 76
Quote:
Originally Posted by tsphillips View Post
I have just asked Fastmail - and await their answer.
Fastmail has now answered - as follows
Quote:
We've had some progress, and we now have MTA-STS for the domains we offer (e.g. fastmail.co.uk). That said, we don't check for MTA-STS when sending emails to other servers. I've however forwarded this as a suggestion to the team concerned.
Old Yesterday, 01:03 AM   #7
hadaso
Intergalactic Postmaster
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 5,221
Apparently users hosting domains at Fastmail can manually post the policy files for their domains and manually set up the required TXT records. I'm not sure this is enough: to work it would also require that Fastmail have the right certificates and I'm not sure if these are for the mx servers or for each domain that is receiving mail. Somewhere I also read that it has to be set up separately for each subdomain receiving mail, so it becomes problematic for people using many subdomains.
Old Yesterday, 01:38 AM   #8
JeremyNicoll
Cornerstone of the Community
 
Join Date: Dec 2017
Location: Scotland
Posts: 868
FM's blog posts often push the idea that they are a brilliant place for businesses to host mail. Surely most such businesses would be using a corporate domain; not one of FM's 100+ (last time I looked) company domains?

Does the reply that "tsphillips" got mean incoming email for such custom domains isn't - by default - protected by MTA-STS (if the businesses set up the policy file on the business's web server & make the needed DNS changes, or ask FM to do that)?

If it isn't - by default - does it also mean that FM don't support it (by request, or for more money)?
All times are GMT +9. The time now is 07:00 PM.

 
