STARTTLS Validation Result Types
- Created: 2018-06-14
- Last Updated: 2018-09-28
- Registration Procedure(s): Expert Review
- Expert(s): Alexander Brotman, Daniel Margolis, Viktor Dukhovni
- Reference: [RFC8460]
Result Type | Description | Reference |
---|---|---|
starttls-not-supported | This indicates that the recipient MX did not support STARTTLS. | [RFC8460] |
certificate-host-mismatch | This indicates that the certificate presented did not adhere to the constraints specified in the MTA-STS or DANE policy, e.g., if the MX hostname does not match any identities listed in the subject alternative name (SAN) [RFC5280]. | [RFC8460] |
certificate-expired | This indicates that the certificate has expired. | [RFC8460] |
tlsa-invalid | This indicates a validation error in the TLSA record associated with a DANE policy. None of the records in the RRset were found to be valid. | [RFC8460] |
dnssec-invalid | This indicates that no valid records were returned from the recursive resolver. | [RFC8460] |
dane-required | This indicates that the sending system is configured to require DANE TLSA records for all the MX hosts of the destination domain, but no DNSSEC-validated TLSA records were present for the MX host that is the subject of the report. Mandatory DANE for SMTP is described in Section 6 of [RFC7672]. Such policies may be created by mutual agreement between two organizations that frequently exchange sensitive content via email. | [RFC8460] |
certificate-not-trusted | This is a label that covers multiple certificate-related failures that include, but are not limited to, errors such as untrusted/unknown certification authorities (CAs), certificate name constraints, certificate chain errors, etc. When using this declaration, the reporting MTA SHOULD utilize the "failure-reason-code" to provide more information to the receiving entity. | [RFC8460] |
sts-policy-invalid | This indicates a validation error for the overall MTA-STS Policy. | [RFC8460] |
sts-webpki-invalid | This indicates that the MTA-STS Policy could not be authenticated using PKIX validation. | [RFC8460] |
validation-failure | This indicates a general failure for a reason not matching a category above. When using this declaration, the reporting MTA SHOULD utilize the "failure-reason-code" to provide more information to the receiving entity. | [RFC8460] |
sts-policy-fetch-error | This indicates a failure to retrieve an MTA-STS policy, for example, because the policy host is unreachable. | [RFC8460] |