{"id":2264,"date":"2025-09-22T18:15:58","date_gmt":"2025-09-22T10:15:58","guid":{"rendered":"https:\/\/www.mailabc.cn\/blog\/?p=2264"},"modified":"2025-09-22T09:42:13","modified_gmt":"2025-09-22T01:42:13","slug":"%e9%82%ae%e4%bb%b6%e5%ae%89%e5%85%a8%e6%8a%80%e6%9c%af%ef%bc%9amta-sts","status":"publish","type":"post","link":"https:\/\/www.mailabc.cn\/blog\/2025\/09\/22\/%e9%82%ae%e4%bb%b6%e5%ae%89%e5%85%a8%e6%8a%80%e6%9c%af%ef%bc%9amta-sts\/","title":{"rendered":"\u90ae\u4ef6\u5b89\u5168\u6280\u672f\uff1aMTA-STS"},"content":{"rendered":"<section>\n<section>\n<section>MTA-STS\uff08<strong>Mail Transfer Agent Strict Transport Security<\/strong>\uff0c\u90ae\u4ef6\u4f20\u8f93\u4ee3\u7406\u4e25\u683c\u4f20\u8f93\u5b89\u5168\uff09\u662f\u4e00\u79cd<strong>\u4fdd\u969c\u7535\u5b50\u90ae\u4ef6\u5728\u670d\u52a1\u5668\u4e4b\u95f4\u4f20\u8f93\u5b89\u5168\u6027\u7684\u6280\u672f\u6807\u51c6<\/strong>\uff0c\u6838\u5fc3\u76ee\u6807\u662f\u5f3a\u5236\u90ae\u4ef6\u670d\u52a1\u63d0\u4f9b\u5546\uff08ESP\uff09\u901a\u8fc7\u52a0\u5bc6\u7684 TLS \u534f\u8bae\u53d1\u9001\u548c\u63a5\u6536\u90ae\u4ef6\uff0c\u9632\u6b62\u90ae\u4ef6\u5728\u4f20\u8f93\u8fc7\u7a0b\u4e2d\u88ab\u7a83\u542c\u3001\u7be1\u6539\u6216\u52ab\u6301\u3002<\/section>\n<\/section>\n<\/section>\n<section>\n<section>\n<section>\n<h2><strong>MTA-STS \u7684\u6838\u5fc3\u4f5c\u7528<\/strong><\/h2>\n<\/section>\n<\/section>\n<\/section>\n<section>\n<section>\n<section>\u4f20\u7edf\u7535\u5b50\u90ae\u4ef6\u4f20\u8f93\u4f9d\u8d56\u00a0SMTP \u534f\u8bae\uff0c\u4f46\u8be5\u534f\u8bae\u9ed8\u8ba4\u4e0d\u52a0\u5bc6\uff0c\u5b58\u5728\u4e24\u5927\u5173\u952e\u98ce\u9669\uff1a<\/p>\n<ul class=\"list-paddingleft-2\">\n<li><strong>\u201c\u964d\u7ea7\u653b\u51fb\u201d \u98ce\u9669\uff1a<\/strong>\u5373\u4f7f\u53cc\u65b9\u652f\u6301 TLS \u52a0\u5bc6\uff0c\u653b\u51fb\u8005\u4e5f\u53ef\u80fd\u4f2a\u9020 \u201c\u4e0d\u652f\u6301 TLS\u201d 
\u7684\u6307\u4ee4\uff0c\u8feb\u4f7f\u90ae\u4ef6\u4ee5\u660e\u6587\uff08\u672a\u52a0\u5bc6\uff09\u65b9\u5f0f\u4f20\u8f93\uff0c\u5bfc\u81f4\u5185\u5bb9\u6cc4\u9732\u3002<\/li>\n<li>\u201c<strong>\u4e2d\u95f4\u4eba\u653b\u51fb\uff08MITM\uff09\u201d \u98ce\u9669\uff1a<\/strong>\u653b\u51fb\u8005\u53ef\u80fd\u5192\u5145\u76ee\u6807\u90ae\u4ef6\u670d\u52a1\u5668\uff0c\u9a97\u53d6\u53d1\u9001\u65b9\u4fe1\u4efb\u5e76\u62e6\u622a\u90ae\u4ef6\uff0c\u751a\u81f3\u7be1\u6539\u90ae\u4ef6\u5185\u5bb9\u3002<\/li>\n<\/ul>\n<p>MTA-STS \u901a\u8fc7\u4ee5\u4e0b\u673a\u5236\u89e3\u51b3\u8fd9\u4e9b\u95ee\u9898\uff1a<\/p>\n<ul class=\"list-paddingleft-2\">\n<li><strong>\u5f3a\u5236 TLS \u52a0\u5bc6\uff1a<\/strong>\u8981\u6c42\u53d1\u9001\u65b9\uff08MTA\uff09\u5fc5\u987b\u4f7f\u7528 TLS \u4e0e\u63a5\u6536\u65b9\u670d\u52a1\u5668\u901a\u4fe1\uff0c\u82e5\u65e0\u6cd5\u5efa\u7acb TLS \u8fde\u63a5\uff0c\u5219\u76f4\u63a5\u62d2\u7edd\u53d1\u9001\uff08\u800c\u975e\u964d\u7ea7\u4e3a\u660e\u6587\uff09\u3002<\/li>\n<li><strong>\u9a8c\u8bc1\u670d\u52a1\u5668\u8eab\u4efd\uff1a<\/strong>\u53d1\u9001\u65b9\u9700\u4f9d\u636e\u63a5\u6536\u65b9\u9884\u5148\u901a\u8fc7 HTTPS \u516c\u5e03\u7684\u7b56\u7565\u9a8c\u8bc1\u670d\u52a1\u5668\u8eab\u4efd\uff08MX \u4e3b\u673a\u540d\u987b\u4e0e\u7b56\u7565\u5339\u914d\uff0c\u8bc1\u4e66\u987b\u94fe\u5230\u53d7\u4fe1\u6839\u5e76\u4e0e\u8be5\u4e3b\u673a\u540d\u5339\u914d\uff1b\u7b56\u7565\u4e2d\u5e76\u4e0d\u5305\u542b\u8bc1\u4e66\u6307\u7eb9\uff09\uff0c\u9632\u6b62\u88ab\u4f2a\u9020\u7684\u670d\u52a1\u5668\u6b3a\u9a97\u3002<\/li>\n<\/ul>\n<\/section>\n<\/section>\n<\/section>\n<section>\n<section>\n<section>\n<h2><strong>MTA-STS \u7684\u5de5\u4f5c\u539f\u7406<\/strong><\/h2>\n<\/section>\n<\/section>\n<\/section>\n<section>\n<section>\n<section>MTA-STS \u7684\u8fd0\u884c\u4f9d\u8d56 \u201c\u57df\u540d\u9a8c\u8bc1\u2192\u7b56\u7565\u83b7\u53d6\u2192\u52a0\u5bc6\u4f20\u8f93\u201d \u4e09\u4e2a\u6838\u5fc3\u6b65\u9aa4\uff0c\u9700\u53d1\u9001\u65b9\u548c\u63a5\u6536\u65b9\uff08\u90ae\u4ef6\u670d\u52a1\u5668\uff09\u534f\u540c\u914d\u5408\u3002<\/section>\n<\/section>\n<\/section>\n<section>\n<section>\n<section>\n<h3><strong>\u63a5\u6536\u65b9\uff1a\u914d\u7f6e 
MTA-STS \u7b56\u7565\uff08\u5173\u952e\u524d\u63d0\uff09<\/strong><\/h3>\n<\/section>\n<\/section>\n<\/section>\n<section>\n<section>\n<section>\u63a5\u6536\u65b9\uff08\u5982\u4f01\u4e1a\u90ae\u7bb1\u670d\u52a1\u5546\uff09\u9700\u63d0\u524d\u5b8c\u6210\u4e24\u9879\u914d\u7f6e\uff0c\u5411\u5168\u7f51\u58f0\u660e\u81ea\u5df1\u7684\u5b89\u5168\u89c4\u5219\uff1a<strong>\u6b65\u9aa4 1\uff1a\u53d1\u5e03 MTA-STS \u7b56\u7565\u6587\u4ef6<br \/>\n<\/strong>\u5728\u81ea\u5df1\u7684\u57df\u540d\u4e0b\u6258\u7ba1\u4e00\u4e2a\u7eaf\u6587\u672c\uff08\u6bcf\u884c\u4e00\u4e2a key: value\uff09\u683c\u5f0f\u7684\u7b56\u7565\u6587\u4ef6\uff0c\u6587\u4ef6\u8def\u5f84\u56fa\u5b9a\u4e3a\uff1ahttps:\/\/mta-sts.&lt;\u63a5\u6536\u65b9\u57df\u540d&gt;\/.well-known\/mta-sts.txt<br \/>\n\u4f8b\u5982\uff0cGmail \u7684\u7b56\u7565\u6587\u4ef6\u8def\u5f84\u4e3a <a href=\"https:\/\/mta-sts.gmail.com\/.well-known\/mta-sts.txt\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/mta-sts.gmail.com\/.well-known\/mta-sts.txt<\/a>\u3002\u7b56\u7565\u6587\u4ef6\u9700\u5305\u542b\u6838\u5fc3\u89c4\u5219\uff0c\u793a\u4f8b\u5982\u4e0b\uff08\u5177\u4f53\u8981\u6c42\u53ef\u4ee5\u53c2\u8003\u6587\u672bRFC8461\uff09\uff1a<\/section>\n<\/section>\n<\/section>\n<section class=\"code-snippet__fix code-snippet__js\">\n<pre class=\"code-snippet__js\" data-lang=\"c\"><code><span class=\"code-snippet_outer\">version: STSv1<\/span><\/code><code><span class=\"code-snippet_outer\">mode: enforce<\/span><\/code><code><span class=\"code-snippet_outer\">mx: gmail-smtp-in.l.google.com<\/span><\/code><code><span class=\"code-snippet_outer\">mx: *.gmail-smtp-in.l.google.com<\/span><\/code><code><span class=\"code-snippet_outer\">max_age: <span class=\"code-snippet__number\">86400<\/span><\/span><\/code><\/pre>\n<\/section>\n<section>\n<section>\n<section><strong>\u6b65\u9aa4 2\uff1a\u914d\u7f6e 
DNS TXT \u8bb0\u5f55\uff08\u9a8c\u8bc1\u6240\u6709\u6743\uff09<br \/>\n<\/strong>\u5728\u63a5\u6536\u65b9\u57df\u540d\u7684 DNS \u4e2d\u6dfb\u52a0\u4e00\u6761 TXT \u8bb0\u5f55\uff0c\u683c\u5f0f\u4e3a\uff1a_mta-sts.&lt;\u63a5\u6536\u65b9\u57df\u540d&gt; IN TXT &#8220;v=STSv1; id=&lt;\u552f\u4e00\u6807\u8bc6&gt;&#8221;\uff0c\u5176\u4e2d\u00a0&lt;\u552f\u4e00\u6807\u8bc6&gt;\u00a0\u662f\u7b56\u7565\u6587\u4ef6\u7684\u7248\u672c\u53f7\uff08\u5982\u65f6\u95f4\u6233\uff09\uff0c\u7528\u4e8e\u544a\u77e5\u53d1\u9001\u65b9 \u201c\u7b56\u7565\u5df2\u66f4\u65b0\u201d\u3002Gmail\u7684DNS\u8bb0\u5f55\u793a\u4f8b\u5982\u4e0b\uff1a<\/section>\n<\/section>\n<\/section>\n<section class=\"code-snippet__fix code-snippet__js\">\n<pre class=\"code-snippet__js\" data-lang=\"c\"><code><span class=\"code-snippet_outer\">[root@localhost ~]<span class=\"code-snippet__meta\"># dig +short _mta-sts.gmail.com txt <\/span><\/span><\/code><code><span class=\"code-snippet_outer\"><span class=\"code-snippet__string\">\"v=STSv1; id=20190429T010101;\"<\/span><\/span><\/code><\/pre>\n<\/section>\n<section>\n<section>\n<section>\n<h3><strong>\u53d1\u9001\u65b9\uff1a\u9a8c\u8bc1\u5e76\u6267\u884c\u7b56\u7565<\/strong><\/h3>\n<\/section>\n<\/section>\n<\/section>\n<section>\n<section>\n<section>\u5f53\u53d1\u9001\u65b9\uff08\u5982\u4f01\u4e1a\u90ae\u4ef6\u670d\u52a1\u5668\uff09\u5411\u76ee\u6807\u57df\u540d\u53d1\u9001\u90ae\u4ef6\u65f6\uff0c\u4f1a\u81ea\u52a8\u6267\u884c\u4ee5\u4e0b\u64cd\u4f5c\uff1a<\/p>\n<ul class=\"list-paddingleft-2\">\n<li><strong>\u67e5\u8be2 DNS TXT \u8bb0\u5f55\uff1a<\/strong>\u68c0\u67e5\u76ee\u6807\u57df\u540d\u662f\u5426\u5b58\u5728\u00a0_mta-sts\u00a0\u7684 TXT \u8bb0\u5f55\uff0c\u786e\u8ba4\u5bf9\u65b9\u652f\u6301 MTA-STS\u3002<\/li>\n<li><strong>\u83b7\u53d6\u7b56\u7565\u6587\u4ef6\uff1a<\/strong>\u901a\u8fc7 HTTPS 
\u8bbf\u95ee\u76ee\u6807\u57df\u540d\u7684\u00a0mta-sts.txt\u00a0\u6587\u4ef6\u3002\u53d1\u9001\u65b9\u4f1a\u89e3\u6790\u8be5\u6587\u4ef6\uff0c\u4ece\u4e2d\u63d0\u53d6\u51fa MX \u8bb0\u5f55\u7b49\u4fe1\u606f\u3002\u7b56\u7565\u6587\u4ef6\u4e2d\u4f1a\u5217\u51fa\u5141\u8bb8\u63a5\u6536\u90ae\u4ef6\u7684 MX \u4e3b\u673a\u540d\u3002<\/li>\n<li><strong>\u7b56\u7565\u6821\u9a8c\uff1a<\/strong>\u6240\u8981\u8fde\u63a5\u7684 MX \u8bb0\u5f55\u540d\u5fc5\u987b\u88ab\u7b56\u7565\u4e2d\u7684\u4efb\u4e00 mx: \u6a21\u5f0f\u5339\u914d\uff1b\u6536\u4ef6 MTA \u5fc5\u987b\u652f\u6301 STARTTLS\uff0c\u5e76\u5728\u63e1\u624b\u65f6\u51fa\u793a\u94fe\u5230\u53d7\u4fe1\u6839\u7684\u8bc1\u4e66\uff1b\u8bc1\u4e66 SAN\uff08DNS-ID\uff09\u5fc5\u987b\u4e0e\u76ee\u6807 MX \u4e3b\u673a\u540d\u5339\u914d\u3002<\/li>\n<li><strong>\u7b56\u7565\u5e94\u7528\uff1a<\/strong><\/li>\n<\/ul>\n<p>\u6839\u636e\u7b56\u7565\u91cc\u7684 mode \u51b3\u5b9a\u5931\u8d25\u65f6\u7684\u5904\u7406\u65b9\u5f0f\uff1a<\/p>\n<p><strong>enforce\uff1a<\/strong><strong>\u4e25\u683c\u6a21\u5f0f\u3002<\/strong>\u82e5 MX \u4e0d\u5339\u914d \/ \u6ca1 STARTTLS \/ \u8bc1\u4e66\u65e0\u6548\uff0c\u5219\u4e0d\u5141\u8bb8\u6295\u9012\u5230\u8be5\u4e3b\u673a\uff1b\u904d\u5386\u4e0b\u4e00\u4e2a\u5019\u9009 MX\u3002\u82e5\u6700\u7ec8\u90fd\u5931\u8d25\uff0c\u4f5c\u4e3a\u6682\u65f6\u6027\u9519\u8bef 4xx \u91cd\u8bd5\uff08\u4e0d\u5f97\u7acb\u523b\u6c38\u4e45\u5931\u8d25\uff09\uff0c\u7ed9\u7b56\u7565\u66f4\u65b0\u7559\u51fa\u7a97\u53e3\u3002<\/p>\n<p><strong>testing\uff1a\u89c2\u6d4b\u6a21\u5f0f\u3002<\/strong>\u5373\u4fbf\u9a8c\u8bc1\u5931\u8d25\u4e5f\u53ef\u4ee5\u50cf\u672a\u90e8\u7f72\u4e00\u6837\u6295\u9012\uff1b\u82e5\u540c\u65f6\u90e8\u7f72\u4e86 
TLSRPT\uff0c\u53d1\u4ef6\u65b9\u4f1a\u53d1\u51fa\u5931\u8d25\u62a5\u544a\uff0c\u4fbf\u4e8e\u4f60\u89c2\u5bdf\u4e0a\u7ebf\u98ce\u9669\u3002<\/p>\n<p><strong>none\uff1a\u5173\u95ed\/\u64a4\u9500\u3002<\/strong>\u5f53\u4f5c\u672a\u90e8\u7f72\u5904\u7406\uff1b\u5e38\u7528\u4e8e\u5e73\u6ed1\u4e0b\u7ebf<\/p>\n<\/section>\n<\/section>\n<\/section>\n<section>\n<section>\n<section>\n<h2><strong>MTA-STS \u4e0e\u5176\u4ed6\u90ae\u4ef6\u5b89\u5168\u6280\u672f\u7684\u533a\u522b<\/strong><\/h2>\n<\/section>\n<\/section>\n<\/section>\n<section>\n<section>\n<section>\u90ae\u4ef6\u5b89\u5168\u6d89\u53ca\u591a\u4e2a\u5c42\u9762\uff0cMTA-STS \u4e0e\u5e38\u89c1\u7684 SPF\u3001DKIM\u3001DMARC \u5b9a\u4f4d\u4e0d\u540c\uff0c\u9700\u534f\u540c\u4f7f\u7528\uff1a<\/section>\n<\/section>\n<\/section>\n<section>\n<section><a href=\"https:\/\/www.mailabc.cn\/blog\/wp-content\/uploads\/2025\/09\/2025092201371078.webp\"><img class=\"aligncenter size-large wp-image-2265\" data-original=\"https:\/\/www.mailabc.cn\/blog\/wp-content\/uploads\/2025\/09\/2025092201371078-1024x242.webp\"  alt=\"\" \/><\/a><\/section>\n<noscript><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"242\" class=\"aligncenter size-large wp-image-2265\" src=\"https:\/\/www.mailabc.cn\/blog\/wp-content\/uploads\/2025\/09\/2025092201371078-1024x242.webp\" alt=\"\" \/><\/a><\/section><\/noscript>\n<\/section>\n<section>\n<section>\n<section>\u7b80\u5355\u6765\u8bf4\uff1a<strong>MTA-STS \u4fdd\u969c \u201c\u4f20\u8f93\u5b89\u5168\u201d<\/strong>\uff0c<strong>SPF\/DKIM\/DMARC \u4fdd\u969c \u201c\u8eab\u4efd\u4e0e\u5185\u5bb9\u5b8c\u6574\u6027\u201d<\/strong>\uff0c\u4e8c\u8005\u7ed3\u5408\u53ef\u6784\u5efa\u66f4\u5168\u9762\u7684\u90ae\u4ef6\u5b89\u5168\u4f53\u7cfb\u3002<\/section>\n<\/section>\n<\/section>\n<section>\n<section>\n<section><strong>MTA-STS \u7684\u9002\u7528\u573a\u666f<\/strong><\/section>\n<\/section>\n<\/section>\n<section>\n<section>\n<section>MTA-STS 
\u4e3b\u8981\u9002\u7528\u4e8e\u5bf9\u90ae\u4ef6\u5b89\u5168\u6027\u8981\u6c42\u8f83\u9ad8\u7684\u573a\u666f\uff0c\u4f8b\u5982\uff1a<\/p>\n<ul class=\"list-paddingleft-2\">\n<li>\u4f01\u4e1a\u90ae\u7bb1\uff1a\u4fdd\u62a4\u5185\u90e8\u5458\u5de5\u4e0e\u5916\u90e8\u5ba2\u6237 \/ \u5408\u4f5c\u4f19\u4f34\u4e4b\u95f4\u7684\u90ae\u4ef6\u4f20\u8f93\uff08\u5982\u5408\u540c\u3001\u8d22\u52a1\u6570\u636e\u7b49\u654f\u611f\u4fe1\u606f\uff09\u3002<\/li>\n<li>\u653f\u52a1 \/ \u91d1\u878d\u673a\u6784\uff1a\u6ee1\u8db3\u5408\u89c4\u8981\u6c42\uff08\u5982 GDPR\u3001\u7b49\u4fdd 2.0\uff09\uff0c\u9632\u6b62\u654f\u611f\u653f\u52a1\u3001\u91d1\u878d\u6570\u636e\u6cc4\u9732\u3002<\/li>\n<li>\u5927\u578b\u90ae\u4ef6\u670d\u52a1\u5546\uff1a\u5982 Gmail\u3001Outlook \u7b49\uff0c\u5df2\u5168\u9762\u652f\u6301 MTA-STS\uff0c\u63d0\u5347\u5168\u7403\u90ae\u4ef6\u4f20\u8f93\u7684\u5b89\u5168\u6027\u3002<\/li>\n<\/ul>\n<\/section>\n<\/section>\n<\/section>\n<section>\n<section>\n<section>\n<section><\/section>\n<\/section>\n<\/section>\n<section><\/section>\n<section>\n<section>\n<section><\/section>\n<\/section>\n<\/section>\n<\/section>\n<section><em>\u53c2\u8003\u6765\u6e90\uff1a<\/em><em>1. 
RFC 8461\uff1a<a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc8461\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/www.rfc-editor.org\/rfc\/rfc8461<\/a><\/em><em>2.<a href=\"https:\/\/learn.microsoft.com\/zh-cn\/purview\/enhancing-mail-flow-with-mta-sts\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/learn.microsoft.com\/zh-cn\/purview\/enhancing-mail-flow-with-mta-sts<\/a><\/em>3.<a href=\"https:\/\/dmarcly.com\/blog\/zh-CN\/how-to-set-up-mta-sts-and-tls-reporting\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/dmarcly.com\/blog\/zh-CN\/how-to-set-up-mta-sts-and-tls-reporting<\/a><\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>MTA-STS\uff08Mail Transfer Agent Strict Transport Security\uff0c\u90ae [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2268,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[171],"tags":[172],"class_list":["post-2264","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-171","tag-mta-sts"],"_links":{"self":[{"href":"https:\/\/www.mailabc.cn\/blog\/wp-json\/wp\/v2\/posts\/2264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mailabc.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mailabc.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mailabc.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mailabc.cn\/blog\/wp-json\/wp\/v2\/comments?post=2264"}],"version-history":[{"count":4,"href":"https:\/\/www.mailabc.cn\/blog\/wp-json\/wp\/v2\/posts\/2264\/revisions"}],"predecessor-version":[{"id":2270,"href":"https:\/\/www.mailabc.cn\/blog\/wp-json\/wp\/v2\/posts\/2264\/revisions\/2270"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mailabc.cn\/blog\/wp-json\/wp\/v2\/media\/2268"}],"wp:attachment":[{"href":"https:\/\/www.mailabc
.cn\/blog\/wp-json\/wp\/v2\/media?parent=2264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mailabc.cn\/blog\/wp-json\/wp\/v2\/categories?post=2264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mailabc.cn\/blog\/wp-json\/wp\/v2\/tags?post=2264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}