2018-06-14 2018-09-28 Expert Review Alexander Brotman, Daniel Margolis, Viktor Dukhovni starttls-not-supported This indicates that the recipient MX did not support STARTTLS. certificate-host-mismatch This indicates that the certificate presented did not adhere to the constraints specified in the MTA-STS or DANE policy, e.g., if the MX hostname does not match any identities listed in the subject alternative name (SAN) . certificate-expired This indicates that the certificate has expired. tlsa-invalid This indicates a validation error in the TLSA record associated with a DANE policy. None of the records in the RRset were found to be valid. dnssec-invalid This indicates that no valid records were returned from the recursive resolver. dane-required This indicates that the sending system is configured to require DANE TLSA records for all the MX hosts of the destination domain, but no DNSSEC-validated TLSA records were present for the MX host that is the subject of the report. Mandatory DANE for SMTP is described in Section 6 of . Such policies may be created by mutual agreement between two organizations that frequently exchange sensitive content via email. certificate-not-trusted This is a label that covers multiple certificate-related failures that include, but are not limited to, errors such as untrusted/unknown certification authorities (CAs), certificate name constraints, certificate chain errors, etc. When using this declaration, the reporting MTA SHOULD utilize the "failure-reason-code" to provide more information to the receiving entity. sts-policy-invalid This indicates a validation error for the overall MTA-STS Policy. sts-webpki-invalid This indicates that the MTA-STS Policy could not be authenticated using PKIX validation. validation-failure This indicates a general failure for a reason not matching a category above. When using this declaration, the reporting MTA SHOULD utilize the "failure-reason-code" to provide more information to the receiving entity. sts-policy-fetch-error This indicates a failure to retrieve an MTA-STS policy, for example, because the policy host is unreachable.