diff --git a/infra/mta-sts/README.md b/infra/mta-sts/README.md new file mode 100644 index 0000000..6b1d335 --- /dev/null +++ b/infra/mta-sts/README.md @@ -0,0 +1,15 @@ +# MTA-STS for performancewest.net + +DNS TXT `_mta-sts.performancewest.net` = `v=STSv1; id=20260505` (already published). +TLS-RPT TXT `_smtp._tls.performancewest.net` published. +Added A record `mta-sts.performancewest.net -> 207.174.124.71` (Hestia). + +Policy served at `https://mta-sts.performancewest.net/.well-known/mta-sts.txt` +from `/var/www/mta-sts/.well-known/mta-sts.txt` (content = mta-sts.txt here). + +PENDING: Let's Encrypt cert for mta-sts.performancewest.net (waiting on HE.net +secondary DNS propagation). Once `dig +short mta-sts.performancewest.net @8.8.8.8` +resolves, run: + sudo certbot certonly --webroot -w /var/www/certbot -d mta-sts.performancewest.net --non-interactive --agree-tos -m admin@performancewest.net +then upgrade pw-mta-sts.conf to an HTTPS (443) server block (see pw-listmonk-hc.conf +pattern) and reload nginx. MTA-STS requires the policy be served over valid HTTPS. diff --git a/infra/mta-sts/mta-sts.txt b/infra/mta-sts/mta-sts.txt new file mode 100644 index 0000000..d3ad1c8 --- /dev/null +++ b/infra/mta-sts/mta-sts.txt @@ -0,0 +1,4 @@ +version: STSv1 +mode: enforce +mx: co.carrierone.com +max_age: 604800 diff --git a/infra/mta-sts/pw-mta-sts.conf b/infra/mta-sts/pw-mta-sts.conf new file mode 100644 index 0000000..750108a --- /dev/null +++ b/infra/mta-sts/pw-mta-sts.conf @@ -0,0 +1,7 @@ +server { + listen 80; + server_name mta-sts.performancewest.net; + location /.well-known/acme-challenge/ { root /var/www/certbot; } + location /.well-known/mta-sts.txt { root /var/www/mta-sts; default_type text/plain; } + location / { return 404; } +}
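Review bot: the README's own last sentence ("MTA-STS requires the policy be served over valid HTTPS") contradicts the rollout order it documents: the cert is marked PENDING and the policy is only reachable on port 80, yet `infra/mta-sts/mta-sts.txt` in the same change already ships `mode: enforce`. Document the intended sequence explicitly (testing mode while the HTTPS endpoint is pending, then enforce once the policy fetches cleanly and TLS-RPT reports look good), and add a line reminding operators that every edit to `mta-sts.txt` must be accompanied by a new `id=` value in the `_mta-sts.performancewest.net` TXT record, otherwise sending MTAs keep using their cached copy until `max_age` expires. It would also help to list the current MX records for performancewest.net next to the `mx:` entry so the match can be checked at review time; the README currently only asserts that the TXT and TLS-RPT records are "already published" without showing what the MX side looks like.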
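Review bot: `mode: enforce` is premature for a first policy publication. Until the HTTPS endpoint exists no client can fetch this file, and once it does, `enforce` immediately instructs every MTA-STS-aware sender to refuse delivery whenever `co.carrierone.com` does not present a certificate valid for that exact name or the MX hostname does not match the `mx:` line. Since the change notes TLS-RPT is already published, start with `mode: testing`, let the `_smtp._tls` reports confirm that senders see a matching MX and a valid chain, then flip to `enforce` (bumping the TXT `id`). A `max_age` of 604800 (one week) is reasonable for the testing phase; it can be raised once the policy is stable, with the trade-off that a longer value also lengthens how long a mistaken `enforce` policy stays cached.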
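Review bot: the `location /.well-known/mta-sts.txt` block in this port-80 server has no effect on MTA-STS, because senders fetch the policy only over HTTPS; it is harmless as a placeholder, but the conf should make clear it is the pre-certificate stage. When the 443 block is added (per the README's "pw-listmonk-hc.conf pattern"), keep the `acme-challenge` location on port 80 for renewals and have the rest of port 80 return 404 or redirect, rather than serving the policy on both ports. Two small checks for the 443 version: the `root /var/www/mta-sts;` plus the location path resolves to `/var/www/mta-sts/.well-known/mta-sts.txt`, which matches the README, and `default_type text/plain;` only applies when nginx cannot infer a type from the `.txt` extension, so it is fine but redundant; confirm `/var/www/certbot` exists and is readable by the nginx worker user before running the certbot command, or the webroot challenge will fail with a 404 on the challenge path.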