diff --git a/roles/mta_sts/defaults/main.yml b/roles/mta_sts/defaults/main.yml
index 4ec5575a8677bcfca826ed435c86a8cdd7e00e77..23f424313599968c084725558ebcf60149bb1821 100644
--- a/roles/mta_sts/defaults/main.yml
+++ b/roles/mta_sts/defaults/main.yml
@@ -1 +1,11 @@
-mta_sts_domain: mta-sts.archlinux.org
+mta_sts:
+ - mx:
+ - mail.archlinux.org
+ domains:
+ - archlinux.org
+ - aur.archlinux.org
+ - master-key.archlinux.org
+ - mx:
+ - luna.archlinux.org
+ domains:
+ - lists.archlinux.org
diff --git a/roles/mta_sts/tasks/main.yml b/roles/mta_sts/tasks/main.yml
index 26dca3eac9f44418d6bd6ced040f8357f628a738..e33b579f1dbce1f259dfe0cc97da172b3dc6c64e 100644
--- a/roles/mta_sts/tasks/main.yml
+++ b/roles/mta_sts/tasks/main.yml
@@ -1,9 +1,11 @@
 ---
 - name: create ssl cert
- command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ mta_sts_domain }}' creates='/etc/letsencrypt/live/{{ mta_sts_domain }}/fullchain.pem'
+ command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d mta-sts.{{ item.domains | join(' -d mta-sts.') }} creates='/etc/letsencrypt/live/{{ "mta-sts." + item.domains | first }}/fullchain.pem'
+ loop: "{{ mta_sts }}"
 - name: make nginx log dir
- file: path=/var/log/nginx/{{ mta_sts_domain }} state=directory owner=root group=root mode=0755
+ file: path=/var/log/nginx/{{ "mta-sts." + item.domains | first }} state=directory owner=root group=root mode=0755
+ loop: "{{ mta_sts }}"
 - name: set up nginx
 template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mta-sts.conf" owner=root group=root mode=644
diff --git a/roles/mta_sts/templates/nginx.d.conf.j2 b/roles/mta_sts/templates/nginx.d.conf.j2
index 894a56f53ec9053a7b476b1805e575b426663d19..5b9ff8fba8202eb19fe95a7351c239d823b28f6a 100644
--- a/roles/mta_sts/templates/nginx.d.conf.j2
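Review bot: The order of each `domains` list is load-bearing but nothing in the defaults says so: tasks/main.yml derives both the certbot lineage directory and the nginx log directory from `item.domains | first`, so reordering a list or inserting a new name at the front silently moves those paths. A comment above `mta_sts:` such as `# the first entry of "domains" names the certbot lineage and nginx log dir; keep it stable` would make that explicit. The old `mta_sts_domain` variable disappears here; if anything outside this role still references it, that reference is now undefined, so a grep before merge seems worthwhile.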
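Review bot: The `creates=` guard on the certbot task is keyed on the first domain's lineage only, so once `/etc/letsencrypt/live/mta-sts.<first>/fullchain.pem` exists the task never runs again even when a name is appended to `domains`; nginx would then serve the new `server_name` with a certificate that lacks that SAN, and MTA-STS policy fetches for that domain fail, which senders treat as having no policy at all. The log-dir task has the same first-domain coupling, though there it is only cosmetic. At minimum this deserves a comment on the task, `# creates= only checks the first domain's lineage; re-run certbot (e.g. with --cert-name/--expand) when domains change`, and a note in the commit that operators must do that manually. Dropping the guard is not a fix on its own, since `--renew-by-default` would then re-issue on every run.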
+++ b/roles/mta_sts/templates/nginx.d.conf.j2
@@ -1,10 +1,12 @@
+{% for config in mta_sts %}
+{% set domain = "mta-sts." + config.domains | first %}
 server {
 listen 80;
 listen [::]:80;
- server_name {{ mta_sts_domain }};
+ server_name mta-sts.{{ config.domains | join(' mta-sts.') }};
- access_log /var/log/nginx/{{ mta_sts_domain }}/access.log reduced;
- error_log /var/log/nginx/{{ mta_sts_domain }}/error.log;
+ access_log /var/log/nginx/{{ domain }}/access.log reduced;
+ error_log /var/log/nginx/{{ domain }}/error.log;
 include snippets/letsencrypt.conf;
@@ -17,18 +19,18 @@ server {
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- server_name {{ mta_sts_domain }};
+ server_name mta-sts.{{ config.domains | join(' mta-sts.') }};
- access_log /var/log/nginx/{{ mta_sts_domain }}/access.log reduced;
- error_log /var/log/nginx/{{ mta_sts_domain }}/error.log;
+ access_log /var/log/nginx/{{ domain }}/access.log reduced;
+ error_log /var/log/nginx/{{ domain }}/error.log;
- ssl_certificate /etc/letsencrypt/live/{{ mta_sts_domain }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{ mta_sts_domain }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/{{ mta_sts_domain }}/chain.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
 location /.well-known/mta-sts.txt {
 default_type text/plain;
- return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: mail.archlinux.org\n';
+ return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: {{ config.mx | join('\\nmx: ')}}\n';
 }
 location / {
@@ -36,3 +38,4 @@ server {
 return 404;
 }
 }
+{% endfor %}
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 0fe5c1f0e767b7bc3167b638417f3965ecef6d73..b660a9b1df9b2819d33da323dea5efbca9ac2201 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
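Review bot: The `{% set domain = "mta-sts." + config.domains | first %}` line re-derives the same value that tasks/main.yml computes for the certbot lineage and the log directory, and the `ssl_certificate` and `access_log` paths below only work while the two derivations agree. A one-line note, `{# must match the lineage/log-dir derivation in tasks/main.yml #}`, above the `set` would flag that coupling; moving the derivation into the `mta_sts` entries themselves would remove it. Note that `|` binds tighter than `+` in Jinja, so the expression is `"mta-sts." + (config.domains | first)` as intended, which is worth stating in the same comment since it reads ambiguously.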
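Review bot: The rewritten `return 200` line nests two escaping layers and has no comment: Jinja turns `'\\nmx: '` into a literal backslash-n, which nginx then unescapes inside the single-quoted body, so one `mx` entry yields no separator and several yield one `mx:` line each. A `{# '\\n' survives Jinja as backslash-n; nginx unescapes it to a newline inside the quoted body #}` above the location block would save the next reader a round trip. Separately, now that the policy is rendered per domain, `mode: testing` and `max_age: 604800` remain hard-coded for all of them; making `mode` a key of each `mta_sts` entry would let a domain move to `enforce` without editing the template, and any such change also requires bumping the `_mta-sts` TXT id in tf-stage1/archlinux.tf, which this hunk cannot enforce.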
@@ -614,15 +614,19 @@ resource "hetznerdns_record" "archlinux_org_mail_aaaa" {
 }
 resource "hetznerdns_record" "archlinux_org_mtasts_cname" {
+ for_each = toset(["", ".aur", ".master-key", ".lists"])
+
 zone_id = hetznerdns_zone.archlinux.id
- name = "mta-sts"
+ name = "mta-sts${each.value}"
 value = "mail"
 type = "CNAME"
 }
 resource "hetznerdns_record" "archlinux_org__mtasts_txt" {
+ for_each = toset(["", ".aur", ".master-key", ".lists"])
+
 zone_id = hetznerdns_zone.archlinux.id
- name = "_mta-sts"
+ name = "_mta-sts${each.value}"
 ttl = 600
 # date +%s
 value = "\"v=STSv1; id=1608210175\""
@@ -674,8 +678,10 @@ resource "hetznerdns_record" "archlinux_org_dmarc_txt" {
 }
 resource "hetznerdns_record" "archlinux_org_smtp_tlsrpt_txt" {
+ for_each = toset(["", ".aur", ".master-key", ".lists"])
+
 zone_id = hetznerdns_zone.archlinux.id
- name = "_smtp._tls"
+ name = "_smtp._tls${each.value}"
 value = "\"v=TLSRPTv1;rua=mailto:postmaster@archlinux.org\""
 type = "TXT"
 }
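Review bot: Adding `for_each` to the existing resources changes their state addresses from `hetznerdns_record.archlinux_org_mtasts_cname` to `hetznerdns_record.archlinux_org_mtasts_cname[""]` (likewise `archlinux_org__mtasts_txt` here and `archlinux_org_smtp_tlsrpt_txt` in the second hunk), so the plan will most likely destroy the live `mta-sts`, `_mta-sts` and `_smtp._tls` records and create new ones rather than keep them. For the `_mta-sts` TXT that is a window in which resolvers may get NXDOMAIN and negatively cache it, which MTA-STS senders read as "no policy" for archlinux.org. Declaring the moves explicitly (if the Terraform in use supports `moved` blocks; otherwise `terraform state mv` before apply) keeps the records in place, and the plan output should show zero destroys. The `id=1608210175` value is now shared by four policies, so a change to any one of them requires a new id for all; extending the `# date +%s` comment to say so would help.
```hcl
# … unchanged: resource blocks …

moved {
  from = hetznerdns_record.archlinux_org_mtasts_cname
  to   = hetznerdns_record.archlinux_org_mtasts_cname[""]
}

# same pattern for archlinux_org__mtasts_txt and archlinux_org_smtp_tlsrpt_txt
```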