STARTTLS Policy List
The STARTTLS Policy List is a list of email domains who meet a minimum set of security requirements. By providing a list of email domains that support TLS encryption and present valid certificates, the STARTTLS Policy List gives mailservers another point of reference to discover whether other mailservers support STARTTLS.
You can verify the list with the corresponding PGP signature. A detailed specification of the list's format is also available.
Using the list
An abridged way to fetch and verify the policy list is to run the following commands in a writable directory:
wget https://dl.eff.org/starttls-everywhere/policy.json
wget https://dl.eff.org/starttls-everywhere/policy.json.asc
wget https://dl.eff.org/starttls-everywhere/public-key.txt
gpg --dearmor public-key.txt
gpg --verify --keyring ./public-key.txt.gpg policy.json.asc policy.json
We recommend using our update_and_verify.sh script, which does the above and performs more checks. If you are actively using the list, you must fetch updates at least once every 48 hours. We provide a sample cronjob to do this.
Every policy JSON has an expiry date in the top-level configuration, after which we cannot guarantee deliverability if you are using the expired list.
Behavior
A domain's policy, enforce or testing, asks relays which connect to that domain's MX server and cannot initiate a TLS connection to possibly abort sending and to report what went wrong to the target domain. That is the behavior specified by SMTP MTA Strict Transport Security (MTA-STS), an upcoming protocol which this Policy List aims to complement by providing an alternative method for advertising a mail server's security policy.
Tooling
Our starttls-policy Python package can fetch updates to and iterate over the existing list. If you use Postfix, we provide utilities to transform the policy list into configuration parameters that Postfix understands.
We welcome contributions for different MTAs!
Submitting your domain to the list
When submitting your domain to the list through this form, you must provide and verify:
- A contact email used by STARTTLS Everywhere to notify the mailserver administrator of any deliverability concerns. (We won't use this email for any other purpose.)
- A list of expected hostnames for your server. At least one of the names on each mailserver’s certificate should match one of these patterns.
- These can be a suffix, like .eff.org, or a fully-qualified domain name, like mx.eff.org. Suffixes will only match one subdomain label, so .eff.org would match the names *.eff.org and mx.eff.org, but not good.mx.eff.org or *.mx.eff.org.
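The hostname-pattern rules above, as an added example that is not part of the original page or of the starttls-policy package: a suffix pattern matches exactly one extra label (literal or wildcard), a fully-qualified pattern matches exactly, and a relay's decision follows the enforce/testing split MTA-STS defines (enforce aborts, testing delivers but reports). That a wildcard certificate name satisfies a fully-qualified pattern for the same parent is an assumption taken from ordinary TLS hostname matching.

```python
# Added example: matching certificate names against policy hostname patterns.

def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches_pattern(cert_name: str, pattern: str) -> bool:
    """True if one certificate name satisfies one policy hostname pattern."""
    cert_labels = _labels(cert_name)
    if pattern.startswith("."):
        # Suffix pattern: exactly one label in front of the suffix. That label
        # may be a literal ("mx") or a wildcard ("*"), so .eff.org matches
        # mx.eff.org and *.eff.org but not good.mx.eff.org or *.mx.eff.org.
        suffix_labels = _labels(pattern[1:])
        return (len(cert_labels) == len(suffix_labels) + 1
                and cert_labels[1:] == suffix_labels)
    # Fully-qualified pattern: exact match, or (assumption) a single-label
    # wildcard certificate for the same parent, e.g. *.eff.org for mx.eff.org.
    pattern_labels = _labels(pattern)
    if cert_labels == pattern_labels:
        return True
    return (cert_labels[0] == "*"
            and len(cert_labels) == len(pattern_labels)
            and cert_labels[1:] == pattern_labels[1:])


def certificate_matches_policy(cert_names: list[str], patterns: list[str]) -> bool:
    """At least one name on the certificate must match one of the patterns."""
    return any(name_matches_pattern(n, p) for n in cert_names for p in patterns)


def relay_decision(mode: str, tls_established: bool,
                   cert_names: list[str], patterns: list[str]) -> str:
    """What the policy asks of a connecting relay (Behavior section).

    'enforce' asks the relay to abort delivery and report when TLS cannot be
    established or the certificate does not match; 'testing' asks it to
    deliver anyway and only report the failure.
    """
    if tls_established and certificate_matches_policy(cert_names, patterns):
        return "deliver"
    return "abort-and-report" if mode == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    # Constructed sample: a policy listing the suffix .eff.org.
    print(relay_decision("enforce", True, ["mx.eff.org"], [".eff.org"]))
```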
Validation
You can use our email security checker to evaluate your email domain’s eligibility for addition to the STARTTLS policy list. The requirements are that your domain:
- Supports STARTTLS.
- Does not support SSLv2/v3.
- Provides a valid certificate. Validity means:
  - By default, the certificate's Common Name or a subjectAltName matches either the email domain or the server hostname.
  - If this check is being performed against a policy entry, we validate the certificate's name against the set of hostname patterns entered for the policy.
  - The certificate is unexpired.
  - There is a valid chain from the certificate to a root included in Mozilla's trust store (available as the Debian package ca-certificates).
Before adding a domain to the list, we continue to perform validation against the mailserver for at least one week. If it fails at any point, it must be resubmitted.
With that in mind, you can queue your mail domain for the STARTTLS policy list. Alternatively, you can send an email to starttls-policy@eff.org or submit a pull request to add your domain.
Continued requirements
Failure to continue meeting these requirements could result in deliverability issues to your mailserver, from any mail clients configured to use the STARTTLS policy list.
We continue to validate all the domains on the list daily. If we notice any oddities, we will notify the contact email associated with the policy submission and urge you to either update or remove your policy.
Updating or removing your policy entry on the list
If you’re migrating email hosting, you’ll need to update the MX hostnames associated with your domain’s policy.
If you'd like to request removal from the list, or an update to your policy entry (or its associated contact email), contact us at starttls-policy@eff.org.
Adding pins to the list
We also accept requests to pin intermediate certificate public keys. Although this option gives operators flexibility in trust, key pinning carries higher risks of breakage and is more difficult to do correctly. As such, these requests will be judged on a case-by-case basis.
This basis will be determined by the site operator’s understanding of the following:
- How to generate and use a leaf key backup pin.
- Changing to a certificate chain outside the pinset will break deliverability to your mailserver.
- Removing a preloaded pin may take as long as a week.
We will require a form of DNS validation (publishing a TXT record for the email domain that contains a challenge of our choice) in order to verify that the pinning request comes from the site operator. To pin your mailserver, contact us with more information about your request at starttls-policy@eff.org.