I am 2+ weeks past deploying an MTA-STS policy in testing mode. I am getting TLS reporting from several domains. Google Inc reports “no policy found”. All other domains find and apply the STS policy. All domains report 100% success.
I’m stumped why Google Inc isn’t recognizing the policy. No error reports. 100% success.
Dmarcian's TLS inspector shows all OK. Policy text and URL:
https://example.com/.well-known/mta-sts.txt :
version: STSv1
Mode: testing
mx: mydomain-com.mail.protection.outlook.c…
max_age: 600
Btw, there are no restrictions in .htaccess, and I can see successful 200s for domains that access the policy URL, including Google.
POSSIBLE UPDATE: I noticed an update on an article, MTA-STS explained, that "Google will only process policies with a max_age higher than 86000 seconds. Policies with a max_age of 86000 or lower will be ignored and a daily no-policy-found report will be sent if TLS-RPT is enabled."
I’ve modified the .well-known/mta-sts.txt file to set max_age above the minimum of 86000 suggested in the article, to 86400, so it is consistent with the Google guidance below. Also see the Google support answer (2. Create an MTA-STS policy - Google Workspace Admin Help), which says the max_age value must be between 86400 (1 day) and 31557600 (about 1 year).
ANSWER: "Google will only process policies with a max_age higher than 86000 seconds. Policies with a max_age of 86000 or lower will be ignored and a daily no-policy-found report will be sent if TLS-RPT is enabled."
In the .well-known/mta-sts.txt file set max_age >= 86400 so it is consistent with the Google guidance.
Google's help page (Create an MTA-STS policy - Google Workspace Admin Help) states that the max_age value must be between 86400 (1 day) and 31557600 (about 1 year).
In my testing over the past few weeks, Google reported "no policy found" when max_age was lower than that range, and when max_age was at least 86400 it correctly found the policy.
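A small policy checker, added here as an example and not part of the question or answer above, that parses an mta-sts.txt file and flags the problem this thread is about (a max_age below Google's documented 86400-second minimum) alongside the basic RFC 8461 checks. The sample policies are constructed; the mx host mail.example.com is an assumption, not the poster's real MX, and the policy text it mimics from the question uses a capitalised "Mode:" key, which the checker reports because RFC 8461 spells the field names in lowercase:

```python
"""Check an MTA-STS policy file (RFC 8461 section 3.2) for the mistakes
discussed above. Example code, not from the original post."""
import re

# Google's documented accepted range for max_age (Workspace Admin Help,
# as quoted in the thread): 86400 (1 day) up to 31557600 (about 1 year).
GOOGLE_MIN_MAX_AGE = 86400
# RFC 8461 caps max_age at 31557600 seconds.
RFC_MAX_MAX_AGE = 31557600
VALID_MODES = {"enforce", "testing", "none"}

# Constructed samples. The first mirrors the policy in the question
# (max_age 600, capitalised "Mode"); the second is the corrected version.
# mail.example.com is an assumed MX host.
ORIGINAL_POLICY = (
    "version: STSv1\n"
    "Mode: testing\n"
    "mx: mail.example.com\n"
    "max_age: 600\n"
)
FIXED_POLICY = (
    "version: STSv1\n"
    "mode: testing\n"
    "mx: mail.example.com\n"
    "max_age: 86400\n"
)


def parse_policy(text):
    """Parse 'key: value' lines into (policy dict, findings).
    'mx' may appear more than once, so it is collected as a list."""
    policy = {"mx": []}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            findings.append(f"line {lineno}: not a key: value pair: {raw!r}")
            continue
        key_raw, _, value = line.partition(":")
        key_raw = key_raw.strip()
        key = key_raw.lower()
        value = value.strip()
        if key_raw != key:
            # RFC 8461's ABNF defines the field names byte-for-byte in lowercase.
            findings.append(
                f"line {lineno}: field name {key_raw!r} is not lowercase "
                f"(RFC 8461 defines it as {key!r})"
            )
        if key == "mx":
            policy["mx"].append(value)
        elif key in policy:
            findings.append(f"line {lineno}: duplicate field {key!r}")
        else:
            policy[key] = value
    return policy, findings


def validate_policy(text):
    """Return a list of findings; an empty list means the policy passes."""
    policy, findings = parse_policy(text)
    if policy.get("version") != "STSv1":
        findings.append("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        findings.append(f"mode must be one of {sorted(VALID_MODES)}")
    if not policy["mx"]:
        findings.append("at least one mx line is required")
    for mx in policy["mx"]:
        # Either a hostname or a '*.domain' wildcard pattern.
        if not re.fullmatch(r"(\*\.)?[A-Za-z0-9.-]+", mx):
            findings.append(f"mx {mx!r} is not a hostname or *.domain wildcard")
    max_age = policy.get("max_age")
    if max_age is None or not max_age.isdigit():
        findings.append("max_age must be a non-negative integer number of seconds")
    else:
        age = int(max_age)
        if age > RFC_MAX_MAX_AGE:
            findings.append(f"max_age {age} exceeds the RFC 8461 maximum {RFC_MAX_MAX_AGE}")
        elif age < GOOGLE_MIN_MAX_AGE:
            # This is the condition behind the "no policy found" reports in the thread.
            findings.append(
                f"max_age {age} is below {GOOGLE_MIN_MAX_AGE}; Google ignores the policy "
                "and sends a daily no-policy-found TLS-RPT report"
            )
    return findings


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "->", validate_policy(text) or "OK")
```

Run it against the file served at https://your-domain/.well-known/mta-sts.txt (fetch it yourself; the checker deliberately takes the text rather than a URL so it runs offline) before bumping max_age, since a testing-mode policy with a short max_age is silently ignored by Google even though every other receiver reports success.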