What Is MTA-STS (Mail Transfer Agent Strict Transport Security)?
MTA-STS is a security standard that enables domain owners to enforce TLS encryption for inbound email, preventing downgrade attacks and ensuring email is always transmitted securely.
How MTA-STS Works
MTA-STS works by publishing a policy that tells sending SMTP servers to only deliver email over a secure TLS connection. The policy consists of two parts: a TXT record at _mta-sts.yourdomain.com and a policy file hosted via HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
When a sending server wants to deliver email to your domain, it checks for the MTA-STS DNS record. If present, it fetches the policy file over HTTPS and caches it. In enforce mode, the sending server will refuse to deliver email if it cannot establish a valid TLS connection to the specified MX hosts.
Why MTA-STS Matters
STARTTLS encryption in SMTP is opportunistic — if an attacker strips the STARTTLS command during the initial handshake, the connection falls back to plain text. MTA-STS eliminates this vulnerability by telling senders that your domain requires TLS. This is critical for organizations handling sensitive data or operating in regulated industries.
Frequently Asked Questions
What problem does MTA-STS solve?
MTA-STS prevents TLS downgrade attacks where an attacker strips encryption during the SMTP handshake. It ensures email is always delivered over a secure connection or not at all.
How do I set up MTA-STS?
You need a DNS TXT record at _mta-sts.yourdomain.com and a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The policy specifies mode (enforce, testing, or none), allowed MX hosts, and a max age.
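As an added example, not code from the original page, the following Python models the sender-side checks described above: parsing the _mta-sts TXT record, parsing the policy file, matching an MX host against the policy's mx entries (including the single-label wildcard form), and the enforce-versus-testing decision. The record, policy body and host names below are constructed samples.

```python
# Constructed sample inputs: a TXT record as published at _mta-sts.example.com
# and a policy body as served from https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_TXT_RECORD = "v=STSv1; id=20240101T000000;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""

def parse_sts_record(txt: str) -> dict:
    """Parse the _mta-sts TXT record; a valid record has v=STSv1 and a non-empty id."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 record")
    return fields

def parse_policy(body: str) -> dict:
    """Parse the policy file into version, mode, a list of mx patterns and max_age."""
    policy = {"mx": []}
    for line in body.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        elif key:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("malformed policy")
    return policy

def mx_matches(mx_host: str, pattern: str) -> bool:
    """Policy mx matching: a leading '*.' matches exactly one DNS label, nothing deeper."""
    mx_host = mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".backup.example.net"
        prefix = mx_host[: -len(suffix)] if mx_host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return mx_host == pattern

def delivery_allowed(policy: dict, mx_host: str, tls_ok: bool) -> bool:
    """Sender-side decision: in enforce mode, deliver only over valid TLS to a listed MX;
    in testing or none mode, never block (failures are only reported)."""
    if policy["mode"] != "enforce":
        return True
    return tls_ok and any(mx_matches(mx_host, p) for p in policy["mx"])
```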
What is the difference between MTA-STS and DANE?
Both enforce encrypted email transport, but DANE uses DNSSEC and TLSA records while MTA-STS uses HTTPS to host a policy file. MTA-STS is easier to deploy since it does not require DNSSEC.