One of the requirements of MTA-STS is to host the policy on an HTTPS-secured, publicly accessible server. When you use our hosted Dynamic MTA-STS feature, we automatically do this for you via Amazon CloudFront. We also request an SSL certificate for you via ACM.
However, because we issue certificates on your behalf, a domain that already has a CAA record must also allow Amazon's CA to issue certificates for it when you use Dynamic MTA-STS.
To allow ACM to issue the certificate on your behalf, please add the following issuer to your CAA record. Instructions will vary per provider, but you can use one of your existing fields as a reference.
0 issue "amazon.com"
For more information, please refer to this article.
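To check an existing CAA record set before enabling Dynamic MTA-STS, the sketch below evaluates whether it permits the issuer named above for a non-wildcard certificate. It is an added example, not code from this service; the function names and the sample records in the test data are constructed for illustration, and critical-flag handling of unknown tags is left out.

```python
import re

# CAA record data in presentation format: <flags> <tag> "<value>"
CAA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"?([^"]*)"?\s*$')


def parse_caa(lines):
    """Parse CAA record data lines into (flags, tag, value) tuples."""
    records = []
    for line in lines:
        m = CAA_RE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records


def amazon_may_issue(lines, ca_domain="amazon.com"):
    """Return (allowed, reason) for a non-wildcard certificate request.

    Hypothetical helper: ca_domain defaults to the issuer this page
    asks you to add.
    """
    records = parse_caa(lines)
    # Only "issue" matters here: "issuewild" is ignored for non-wildcard
    # names and "iodef" does not restrict issuance (RFC 8659).
    # Anything after ';' in the value is a CA-specific parameter.
    issuers = [v.split(";")[0].strip().lower()
               for _flags, tag, v in records if tag == "issue"]
    if not issuers:
        return True, "no issue property: CAA does not restrict issuance"
    if ca_domain in issuers:
        return True, f"{ca_domain} is listed as an issuer"
    # Covers both "another CA only" and the deny-all form: issue ";"
    return False, f'add: 0 issue "{ca_domain}"'


if __name__ == "__main__":
    # Constructed sample: a domain that currently authorises one other CA.
    sample = ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"']
    print(amazon_may_issue(sample))
```

Feed it the record data your DNS provider shows for the domain; an empty record set means no change is needed.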
If you have any questions, please don't hesitate to reach out to our team.