If you are getting a lot of suspicious phishing emails despite having set up DKIM and SPF, you can check your domain's email delivery configuration with Google Workspace's Toolbox:
https://toolbox.googleapps.com/apps/checkmx/check
1. Enter your domain name
2. You will see a list of all the issues with your domain
One of the issues that can produce the error "MTA-STS TXT record must comply with RFC8461 MTA STS is malformed." is the absence of MTA-STS and TLS reporting records in your DNS.
What is SMTP MTA Strict Transport Security (MTA-STS)?
The standard, adopted in 2018 (RFC 8461), defines a mechanism by which a domain declares whether mail should still be delivered to its MX hosts when certain Transport Layer Security (TLS) conditions are not met.
How to fix the "MTA STS is malformed" error
You have to enable both TLS and STS reporting to fix this error.
a) First, turn on TLS reporting as shown below
How to Add TXT record for turning on TLS Reporting
1) DNS Host Name:
_smtp._tls.example.com (Replace example.com with your domain name)
2) TXT value
v=TLSRPTv1; rua=mailto:tlsrpt@example.com (Replace example.com with your domain name)
Replace tlsrpt with an existing mailbox.
For multiple email addresses (if you have dedicated email IDs for reporting), separate them with commas:
v=TLSRPTv1; rua=mailto:tlsrpt@example.com,mailto:mta-sts@example.com
b) Next, turn on STS reporting
How to Add TXT record for turning on STS Reporting
1) DNS Host Name: _mta-sts.example.com (Replace example.com with your domain name)
2) TXT value
v=STSv1; id=20190425085700
id here is a unique alphanumeric string of 1-32 characters. Use the yyyymmddhrmnsc format:
yyyy - year
mm - month
dd - date
hr - hour
mn - minute
sc - second
After TLS and STS reporting are enabled (a and b), test again at
https://mxtoolbox.com/SuperTool.aspx?action=mta-sts
The Google Apps check shows an error without much to debug; MxToolbox gives a more useful diagnostic message.
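Before re-running the online checks, it helps to validate the two TXT records locally. The following script is an added example (not part of the original post and not a Google or MxToolbox tool) that checks record strings against the syntax in RFC 8461 section 3.1 (v=STSv1; id=...) and RFC 8460 section 3 (v=TLSRPTv1; rua=...). It does not query DNS: you paste in the record value you published. The function names and the list-of-problems output format are my own; the records in the main block are constructed samples, one of them with a deliberately malformed id.

```python
import re

STS_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")   # RFC 8461: id is 1-32 alphanumerics
RUA_SCHEMES = ("mailto:", "https://")             # RFC 8460: rua URIs are mailto or https


def _parse_fields(record):
    """Split 'k=v; k2=v2;' into (key, value) pairs; returns (fields, problems)."""
    fields, problems = [], []
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue                      # a trailing ';' is allowed
        if "=" not in chunk:
            problems.append(f"field without '=': {chunk!r}")
            continue
        key, value = chunk.split("=", 1)
        fields.append((key.strip(), value.strip()))
    return fields, problems


def check_mta_sts_record(record):
    """Problems found in a _mta-sts.<domain> TXT record (empty list = well formed)."""
    fields, problems = _parse_fields(record)
    if not fields or fields[0] != ("v", "STSv1"):
        problems.append("record must begin with v=STSv1")
    ids = [value for key, value in fields if key == "id"]
    if len(ids) != 1:
        problems.append("exactly one id= field is required")
    elif not STS_ID_RE.match(ids[0]):
        problems.append("id must be 1-32 alphanumeric characters")
    return problems


def check_tlsrpt_record(record):
    """Problems found in a _smtp._tls.<domain> TXT record (empty list = well formed)."""
    fields, problems = _parse_fields(record)
    if not fields or fields[0] != ("v", "TLSRPTv1"):
        problems.append("record must begin with v=TLSRPTv1")
    ruas = [value for key, value in fields if key == "rua"]
    if len(ruas) != 1:
        problems.append("exactly one rua= field is required")
    else:
        for uri in ruas[0].split(","):
            uri = uri.strip()
            if not uri.startswith(RUA_SCHEMES):
                problems.append(f"rua URI must be mailto: or https://: {uri!r}")
            elif uri.startswith("mailto:") and "@" not in uri:
                problems.append(f"mailto: URI has no mailbox: {uri!r}")
    return problems


if __name__ == "__main__":
    # Constructed records; the last id contains hyphens, which the RFC does not allow
    for name, record, check in [
        ("_smtp._tls.example.com", "v=TLSRPTv1; rua=mailto:tlsrpt@example.com", check_tlsrpt_record),
        ("_mta-sts.example.com", "v=STSv1; id=20190425085700", check_mta_sts_record),
        ("_mta-sts.example.com", "v=STSv1; id=2019-04-25", check_mta_sts_record),
    ]:
        problems = check(record)
        print(name, "OK" if not problems else "; ".join(problems))
```

The check is deliberately strict about the first field: both RFCs require the version tag to come first, and a record that starts with id= or rua= is exactly the kind of thing the Google toolbox reports only as "malformed". Unknown extra fields are ignored, as the RFCs require for forward compatibility.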
The next problem to solve is adding the policy file to your domain's web server.
c) Create the mta-sts sub-domain and add the policy file
For the Policy File to be fetched, you need a dedicated sub-domain
_mta-sts.example.com (here example.com should be replaced by your domain)
1) Create a dedicated folder for your _mta-sts sub-domain, then add a .well-known folder inside it so that the structure looks like this:
mta-sts/.well-known/mta-sts.txt
2) Create the policy file
vi mta-sts.txt (or use nano or another editor)
version: STSv1
mode: testing
mx: mail1.example
mx: mail2.example
max_age: 86401
*Keep max_age low to prevent emails from bouncing during testing. Keep mode as testing until you are sure that TLS enforcement on your SMTP server is working.
*mail1.example and mail2.example should be replaced by your MX entries.
In the above case, max_age is 1 day (in seconds). You can lower it while testing.
3) Create a sub-domain (_mta-sts.example.com, where example.com should be replaced by your domain) and map it to the folder created in step 1.
4) Verify the following entries, customize them for your site, and then take it live:
<IfModule mod_ssl.c>
<VirtualHost <your_server_ip_address>:443>
    # Senders fetch the policy from https://mta-sts.<domain>/.well-known/mta-sts.txt
    # (RFC 8461 section 3.3); the underscore form _mta-sts is only the DNS TXT record name.
    ServerName mta-sts.your-domain
    DocumentRoot /var/www/mta-sts
    ErrorDocument 403 "403 Forbidden"
    RewriteEngine On
    RewriteOptions IgnoreInherit
    # Refuse every path except the policy file itself
    RewriteRule !^/.well-known/mta-sts.txt - [L,R=403]
    SSLCertificateFile /etc/ssl/certs/ssl-cert-mta-sts.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-mta-sts.key
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
5) Create a dedicated certificate ssl-cert-mta-sts using Let's Encrypt or another certificate provider and update the certificate and key file locations above.
6) Restart your web server.
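Before taking the sub-domain live, it is worth checking the policy file the same way a sending MTA will read it. The script below is an added example, not code from the original post, that parses an mta-sts.txt policy and reports what would make a sender reject it: version must be STSv1, mode must be enforce, testing or none, max_age must be a non-negative integer no larger than 31557600 (the RFC 8461 one-year maximum), and at least one mx line is needed, each being a hostname or a *.domain pattern whose wildcard covers only the left-most label. The function names, the MX_PATTERN_RE regular expression and the problem messages are my own; SAMPLE_POLICY is a copy of the policy shown in step 2 so the script runs stand-alone. Two operational points worth remembering, both from RFC 8461: the file must be served over HTTPS from mta-sts.<domain> (without the underscore), and every time you change the file you must also change the id in the _mta-sts TXT record, otherwise senders keep using the cached policy until max_age expires.

```python
import re

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600                       # RFC 8461 maximum: one year in seconds
# A hostname, optionally with a "*." wildcard for the left-most label only
MX_PATTERN_RE = re.compile(r"^(\*\.)?(?!-)[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_policy(text):
    """Parse 'key: value' lines; every 'mx' line is collected into a list."""
    policy = {"mx": []}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            problems.append(f"line {lineno}: expected 'key: value'")
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        elif key in policy:
            problems.append(f"line {lineno}: duplicate field {key!r}")
        else:
            policy[key] = value
    return policy, problems


def check_policy(text):
    """Return the list of problems with an mta-sts.txt policy (empty = well formed)."""
    policy, problems = parse_policy(text)
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        problems.append("mode must be enforce, testing or none")
    max_age = policy.get("max_age")
    if max_age is None or not max_age.isdigit():
        problems.append("max_age must be a non-negative integer number of seconds")
    elif int(max_age) > MAX_AGE_LIMIT:
        problems.append(f"max_age exceeds the maximum of {MAX_AGE_LIMIT}")
    if not policy["mx"]:
        problems.append("at least one mx: line is required")
    for host in policy["mx"]:
        if not MX_PATTERN_RE.match(host):
            problems.append(f"mx is not a hostname or *.domain pattern: {host!r}")
    return problems


# Copy of the policy from step 2 above, embedded so the script runs stand-alone
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mail1.example
mx: mail2.example
max_age: 86401
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    problems = check_policy(text)
    print("OK" if not problems else "\n".join(problems))
```

Run it as `python check_policy.py /var/www/mta-sts/.well-known/mta-sts.txt` on the server (the file name is assumed here) to catch a typo before a sender does; once the file is served, fetching it with curl over HTTPS and piping the body into the same script checks the live copy.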
7) You will get a daily report at the email address configured in rua, with an attachment named like:
google.com!<your-domain>!<timestamp>!<timestamp>!<reportnumber>.json.gz
8) Extract the gz and open the JSON in a JSON viewer.
9) Search for the "summary" section in the JSON file:
"summary": {
    "total-successful-session-count": <total successful email through TLS>,
    "total-failure-session-count": 0
}
If there are no failures, your SMTP delivery over TLS is working.
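Reading the summary by hand works for one report, but the failure-details array is where the useful information is when the failure count is not zero. The script below is an added example (not from the original post and not a Google tool) that decompresses a .json.gz attachment, totals the session counts over every policy block in the report and tallies the failures by result-type, following the report layout in RFC 8460 section 4. SAMPLE_REPORT is a constructed report with made-up counts, hosts and addresses, embedded so the script runs stand-alone; the function names and the result dictionary are my own.

```python
import gzip
import json
from collections import Counter


def load_report(gz_bytes):
    """Decompress a <reporter>!<domain>!...json.gz attachment and parse the JSON body."""
    return json.loads(gzip.decompress(gz_bytes).decode("utf-8"))


def summarize(report):
    """Total the session counts over every policy block and tally failures by result-type."""
    successful = failed = 0
    by_type = Counter()
    for block in report.get("policies", []):
        summary = block.get("summary", {})
        successful += summary.get("total-successful-session-count", 0)
        failed += summary.get("total-failure-session-count", 0)
        for detail in block.get("failure-details", []):
            by_type[detail.get("result-type", "unknown")] += detail.get("failed-session-count", 0)
    return {
        "successful": successful,
        "failed": failed,
        "by_result_type": dict(by_type),
        "clean": failed == 0,
    }


# Constructed sample in the RFC 8460 report layout; the counts, hosts and
# addresses are made up for this example.
SAMPLE_REPORT = {
    "organization-name": "Example Reporter",
    "date-range": {"start-datetime": "2019-04-25T00:00:00Z", "end-datetime": "2019-04-25T23:59:59Z"},
    "contact-info": "tlsrpt-noreply@example.net",
    "report-id": "constructed-report-id",
    "policies": [
        {
            "policy": {
                "policy-type": "sts",
                "policy-string": ["version: STSv1", "mode: testing", "mx: mail1.example",
                                  "mx: mail2.example", "max_age: 86401"],
                "policy-domain": "example.com",
                "mx-host": ["mail1.example", "mail2.example"],
            },
            "summary": {"total-successful-session-count": 42, "total-failure-session-count": 3},
            "failure-details": [
                {
                    "result-type": "starttls-not-supported",
                    "sending-mta-ip": "192.0.2.10",
                    "receiving-mx-hostname": "mail2.example",
                    "receiving-ip": "198.51.100.20",
                    "failed-session-count": 3,
                }
            ],
        }
    ],
}
SAMPLE_GZ = gzip.compress(json.dumps(SAMPLE_REPORT).encode("utf-8"))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_GZ
    result = summarize(load_report(data))
    print(f"successful: {result['successful']}, failed: {result['failed']}")
    for result_type, count in result["by_result_type"].items():
        print(f"  {count} x {result_type}")
    sys.exit(0 if result["clean"] else 1)
```

Pass the saved attachment as the first argument; the non-zero exit status when any failures are present makes it easy to wire into a daily cron job that alerts you. The result-type tells you what to fix: starttls-not-supported or certificate-* values point at the MX host's TLS setup, while sts-policy-fetch-error or sts-policy-invalid point back at the sub-domain and policy file from step c).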