TLS Reporting - sts-policy-invalid failure type for comcast

I am in testing policy mode for MTA STS and the TLS report in dmarcian shows Failure Type sts-policy-invalid for a comcast sender.

The dmarcian TLS Inspector tool verifies that setup is 100%. TLS Record is valid, MTA STS record is valid and STS policy is valid.

What does failure type sts-policy-invalid mean?
Where can I see more info about the specific event… more than is displayed when I drill into the single event record showing Sending MTA IP? In this case, Receiving IP and Failure Code are blank.

Where is there a list of Failure Types and Failure Codes to reference?

Hi washington and welcome to the forums.

Currently the best location to review these errors is in the respective RFC documents.

TLS-Reporting: rfc8460
MTA-STS: rfc8461

The technology is still early in its adoption, but as it matures, dmarcian plans on expanding the functionality to help when encountering such errors.

For now, the error you see is called an overall validation error. There are 2 main reasons why this could occur. Assuming a non-expired policy, a sender checks whether the policy contains an MX matching the one they are sending to, and that the receiving server supports STARTTLS with a certificate that authenticates the host. If either fails, it is considered a policy validation failure.

These are significant errors, however, so if you are leveraging an enforced policy mode, more than a single comcast sender would have been affected. If the issue persists and is reported by all supporting senders, the above would be where I would begin to investigate.

I hope this helps.

1 Like

yes, that helped a lot. Very insightful. thank you.