diff --git a/conf/mta-sts.txt b/conf/mta-sts.txt
new file mode 100644
index 00000000..d2c06e85
--- /dev/null
+++ b/conf/mta-sts.txt
@@ -0,0 +1,4 @@
+version: STSv1
+mode: testing
+mx: PRIMARY_HOSTNAME
+max_age: 86400
\ No newline at end of file
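Review bot: The policy ships with `mode: testing`, so sending MTAs that honour MTA-STS will still deliver when TLS negotiation or certificate validation fails; as committed, it gives no protection against STARTTLS downgrade. Nothing in this change provides a way to move to `mode: enforce`, so the testing state looks permanent rather than a rollout step. If it is meant as an interim step, say so where the file is installed and raise `max_age: 86400` when switching to enforce, since a one-day cache lets an attacker who can block policy refresh wait out the cached policy quickly.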
diff --git a/conf/nginx-alldomains.conf b/conf/nginx-alldomains.conf
index 1b3ad5a9..4c81e3f3 100644
--- a/conf/nginx-alldomains.conf
+++ b/conf/nginx-alldomains.conf
@@ -21,6 +21,9 @@
 	location = /mail/config-v1.1.xml {
 		alias /var/lib/mailinabox/mozilla-autoconfig.xml;
 	}
+	location = /.well-known/mta-sts.txt {
+		alias /var/lib/mailinabox/mta-sts.txt;
+	}
 
 	# Roundcube Webmail configuration.
 	rewrite ^/mail$ /mail/ redirect;
diff --git a/management/dns_update.py b/management/dns_update.py
index 7d053d5e..bd7e8fdf 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -303,6 +303,22 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 		if not has_rec(qname, rtype):
 			records.append((qname, rtype, value, explanation))
 
+	# Adds autoconfiguration A records for all domains.
+	# This allows the following clients to automatically configure email addresses in the respective applications.
+	# autodiscover.* - Z-Push ActiveSync Autodiscover
+	# autoconfig.* - Thunderbird Autoconfig
+	mta_sts_records = [
+		("mta-sts", "A", env["PUBLIC_IP"], "Provides mta-sts support"),
+		("mta-sts", "AAAA", env["PUBLIC_IPV6"], "Provides mta-sts support"),
+		("_mta-sts", "TXT", "v=STSv1; id=202022022043", "Provides mta-sts support"),
+		("_smtp._tls", "TXT", "v=TLSRPTv1;", "extend with rua=mailto:email@addres for reporting")
+
+	]
+	for qname, rtype, value, explanation in mta_sts_records:
+		if value is None or value.strip() == "": continue # skip IPV6 if not set
+		if not has_rec(qname, rtype):
+			records.append((qname, rtype, value, explanation))
+
 	# Sort the records. The None records *must* go first in the nsd zone file. Otherwise it doesn't matter.
 	records.sort(key = lambda rec : list(reversed(rec[0].split(".")) if rec[0] is not None else ""))
 
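Review bot: The `_mta-sts` TXT value carries a hard-coded `id=202022022043`, so senders holding a cached policy may not refetch after the served policy changes (for example `mode` moving from testing to enforce) until `max_age` expires; derive the id from the policy file's content or modification time instead. The `_smtp._tls` record is published as `v=TLSRPTv1;` with no `rua=`, which RFC 8460 requires, so it is likely to be ignored and no TLS failure reports will arrive while the policy is in testing mode. The comment block above the list still describes autodiscover/autoconfig; replace it with `# Add MTA-STS (RFC 8461) and TLS-RPT (RFC 8460) records for the domain.`. `env["PUBLIC_IPV6"]` raises KeyError when the key is absent, so the `value is None` guard only takes effect if the lookup is `env.get("PUBLIC_IPV6")`. build_zone begins and ends outside this hunk.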
diff --git a/management/web_update.py b/management/web_update.py
index 72295c21..9a119d33 100644
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -27,8 +27,10 @@ def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True)
 	# Add Autoconfiguration domains, allowing us to serve correct SSL certs.
 	# 'autoconfig.' for Mozilla Thunderbird auto setup.
 	# 'autodiscover.' for Activesync autodiscovery.
+	# 'mta-sts.' for MTA-STS support.
 	domains |= set('autoconfig.' + maildomain for maildomain in get_mail_domains(env))
 	domains |= set('autodiscover.' + maildomain for maildomain in get_mail_domains(env))
+	domains |= set('mta-sts.' + maildomain for maildomain in get_mail_domains(env))
 
 	if exclude_dns_elsewhere:
 		# ...Unless the domain has an A/AAAA record that maps it to a different
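Review bot: The added `domains |= set('mta-sts.' + ...)` line calls `get_mail_domains(env)` a third time and repeats the pattern of the two lines above it. A single pass such as `for prefix in ('autoconfig.', 'autodiscover.', 'mta-sts.'): domains |= {prefix + d for d in mail_domains}` with `mail_domains = get_mail_domains(env)` computed once keeps the three prefixes in one place. It would also help to extend the comment to say that a certificate valid for `mta-sts.<domain>` is required, because senders fetch the policy over HTTPS and treat a certificate failure as a failed fetch. get_web_domains continues outside the hunk.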
diff --git a/setup/web.sh b/setup/web.sh
index e6aac6ef..9824f2e0 100755
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -122,6 +122,16 @@ cat conf/mozilla-autoconfig.xml \
 	 > /var/lib/mailinabox/mozilla-autoconfig.xml
 chmod a+r /var/lib/mailinabox/mozilla-autoconfig.xml
 
+# Create a generic mta-sts.txt file which is exposed via the
+# nginx configuration at /.well-known/mta-sts.txt
+# more documentation is available on: 
+# https://www.digitalocean.com/community/tutorials/how-to-configure-mta-sts-and-tls-reporting-for-your-domain-using-apache-on-ubuntu-18-04
+
+cat conf/mta-sts.txt \
+        | sed "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" \
+         > /var/lib/mailinabox/mta-sts.txt
+chmod a+r /var/lib/mailinabox/mta-sts.txt
+
 # make a default homepage
 if [ -d $STORAGE_ROOT/www/static ]; then mv $STORAGE_ROOT/www/static $STORAGE_ROOT/www/default; fi # migration #NODOC
 mkdir -p $STORAGE_ROOT/www/default
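Review bot: The comment above the `cat conf/mta-sts.txt` pipeline points to a third-party Apache tutorial and does not say what the installed policy does. Replace the link with the specification and record the deployed state, for example `# MTA-STS policy (RFC 8461), installed in testing mode; served by nginx at /.well-known/mta-sts.txt`. The line `# more documentation is available on: ` also ends in trailing whitespace.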