XEION GMBH · MTA-STS
Policy host for secure SMTP transport
Email security: strict transport policies for XEION-managed mail domains.

mta-sts.yourdomain.com
Secure transport for business email.

This host publishes the MTA-STS policy for domains operated by XEION GmbH. It tells other mail systems how to reach our MX hosts securely and which TLS requirements to enforce — reducing downgrade attacks and MX spoofing for mail traffic to our domains.

Policy host: mta-sts.xeion.de
Scope: XEION-operated and delegated mail domains
Standards: RFC 8461 (MTA-STS) · RFC 8460 (TLSRPT)

Why MTA-STS?
SMTP was never designed with modern transport security in mind. MTA-STS adds a strict, machine-readable policy on top.
Integrity

Protecting against downgrade attacks

Without a strict policy, an attacker can try to strip TLS or redirect mail to an attacker-controlled MX host. MTA-STS allows us to publish which MX hosts are valid and that TLS is required.
  • Enforces STARTTLS for senders that support MTA-STS
  • Blocks delivery to untrusted MX endpoints
  • Reduces risk of in-transit content inspection
Visibility

Signalling our expectations to the internet

With MTA-STS and TLS reporting, external MTAs know that we expect encrypted transport and can report issues if something goes wrong.
  • Clear signal: “Use TLS when sending to us”
  • Central place to maintain our MX policy
  • Less guesswork for other mail providers
Operations

Operational control for managed domains

All changes to MX infrastructure can be aligned with a consistent policy and rollout process managed by XEION GmbH.
  • Policy-managed MX changes
  • Central place to deprecate legacy MX hosts
  • Aligns with other hardening measures (SPF, DKIM, DMARC)
For mail administrators
How other MTAs interact with mta-sts.xeion.de and where to find the authoritative policy information.

How this host is used

The host mta-sts.xeion.de acts as the policy endpoint for XEION-managed mail domains that opt in to MTA-STS.
  • External MTAs first look up the MTA-STS TXT record of the target domain.
  • If enabled, they fetch the corresponding policy from this host via HTTPS.
  • The policy describes acceptable MX hostnames and the required TLS mode.
GET https://mta-sts.xeion.de/.well-known/mta-sts.txt
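
The lookup steps above, as an added Python example (not XEION's code and not its published policy): it parses an MTA-STS TXT record and a policy body using the RFC 8461 field names, then checks candidate MX hostnames against the policy's mx patterns. The sample record, the sample policy and the example.net hostnames are constructed for illustration.

```python
import re

# Constructed sample inputs for illustration; not XEION's real record or policy.
SAMPLE_TXT = "v=STSv1; id=20240101T000000;"
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\n"
                 "mx: mx1.example.net\r\nmx: *.mail.example.net\r\n"
                 "max_age: 604800\r\n")

def parse_txt_record(txt):
    """Return the policy id from an _mta-sts TXT record, or None if it is not valid."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0] != "v=STSv1":  # version must be the first field
        return None
    ids = [p[3:] for p in parts[1:] if p.startswith("id=")]
    if ids and re.fullmatch(r"[A-Za-z0-9]{1,32}", ids[0]):
        return ids[0]
    return None

def parse_policy(body):
    """Parse a policy body; raise ValueError if a required field is missing or invalid."""
    policy = {"mx": []}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key == "mx":
            policy["mx"].append(value.lower())  # mx is the only repeatable field
        elif sep:
            policy.setdefault(key, value)  # for other fields the first value wins
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if not re.fullmatch(r"[0-9]{1,10}", policy.get("max_age", "")):
        raise ValueError("invalid max_age")
    policy["max_age"] = int(policy["max_age"])
    if policy["max_age"] > 31557600:
        raise ValueError("max_age above RFC 8461 limit")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("no mx patterns")
    return policy

def mx_allowed(mx_host, policy):
    """True if mx_host matches a policy mx pattern; '*' stands for one left-most label."""
    host = mx_host.lower().rstrip(".")
    label, _, parent = host.partition(".")
    for pattern in policy["mx"]:
        if host == pattern:
            return True
        if pattern.startswith("*.") and label and parent == pattern[2:]:
            return True
    return False
```

A sender in enforce mode that gets False from mx_allowed for every MX candidate must not deliver; in testing mode it delivers anyway and records the failure for TLSRPT.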

What you need to configure

If you run a modern mail system that supports MTA-STS and TLSRPT, you typically do not have to configure anything specific for this host – as long as you respect the MTA-STS and TLS reporting standards.
  • We maintain the policy file on this host.
  • Your MTA should automatically discover and cache it when sending to our domains.
  • The policy file itself is the only authoritative source for policy details.
# Always rely on the published policy file
# This page is informational only.

TLS reporting (TLSRPT)

Where configured, we can receive TLSRPT aggregate reports for delivery attempts to XEION-managed domains. This allows us to detect:
  • Repeated TLS handshake problems to our MX hosts,
  • Misconfigurations after MX or certificate changes,
  • Potential downgrade attempts or unexpected routing behaviour.
RFC 8460 (SMTP TLS Reporting) is used to send JSON-based
aggregate reports to a designated reporting destination.

Contact & escalation

If you operate an email system and observe issues when trying to deliver mail to XEION-managed domains (for example due to MTA-STS enforcement), please contact us with:
  • The affected sending domain and IP range,
  • Target domain and MX you attempted to reach,
  • Relevant error messages or log excerpts,
  • Approximate timeframe of the issue.
Note
Do not include real message content or personal data in your reports. Transport-level diagnostics (timestamps, error texts) are sufficient.