STARTTLS Validation Result Types

Created
2018-06-14
Last Updated
2018-09-28
Available Formats

XML

HTML

Plain text

Registry included below

STARTTLS Validation Result Types

Registration Procedure(s)
Expert Review
Expert(s)
Alexander Brotman, Daniel Margolis, Viktor Dukhovni
Reference
[RFC8460]
Available Formats

CSV
Result Type Description Reference
starttls-not-supported This indicates that the recipient MX did not support STARTTLS. [RFC8460]
certificate-host-mismatch This indicates that the certificate presented did not adhere to the constraints specified in the MTA-STS or DANE policy, e.g., if the MX hostname does not match any identities listed in the subject alternative name (SAN) [RFC5280]. [RFC8460]
certificate-expired This indicates that the certificate has expired. [RFC8460]
tlsa-invalid This indicates a validation error in the TLSA record associated with a DANE policy. None of the records in the RRset were found to be valid. [RFC8460]
dnssec-invalid This indicates that no valid records were returned from the recursive resolver. [RFC8460]
dane-required This indicates that the sending system is configured to require DANE TLSA records for all the MX hosts of the destination domain, but no DNSSEC-validated TLSA records were present for the MX host that is the subject of the report. Mandatory DANE for SMTP is described in Section 6 of [RFC7672]. Such policies may be created by mutual agreement between two organizations that frequently exchange sensitive content via email. [RFC8460]
certificate-not-trusted This is a label that covers multiple certificate-related failures that include, but are not limited to, errors such as untrusted/unknown certification authorities (CAs), certificate name constraints, certificate chain errors, etc. When using this declaration, the reporting MTA SHOULD utilize the "failure-reason-code" to provide more information to the receiving entity. [RFC8460]
sts-policy-invalid This indicates a validation error for the overall MTA-STS Policy. [RFC8460]
sts-webpki-invalid This indicates that the MTA-STS Policy could not be authenticated using PKIX validation. [RFC8460]
validation-failure This indicates a general failure for a reason not matching a category above. When using this declaration, the reporting MTA SHOULD utilize the "failure-reason-code" to provide more information to the receiving entity. [RFC8460]
sts-policy-fetch-error This indicates a failure to retrieve an MTA-STS policy, for example, because the policy host is unreachable. [RFC8460]