MTA-STS, or Mail Transfer Agent Strict Transport Security, is an email security standard that enforces encrypted connections for email transmission between mail servers. It ensures that messages are delivered over TLS and prevents downgrade attacks in which an attacker attempts to force a connection to fall back to an unencrypted state. By implementing MTA-STS, the owner of a receiving domain can declare that mail destined for that domain must only be delivered over secure channels, and that the sending server must validate the identity of the destination server.
MTA-STS works by combining DNS and HTTPS. A DNS TXT record signals that the domain has an MTA-STS policy, while the actual policy is hosted on a secure HTTPS endpoint. Sending servers retrieve and cache this policy, then enforce its TLS requirements when delivering email to that domain. If a secure connection cannot be established or validated, what happens next depends on the configured policy mode: the message is withheld under strict enforcement, or delivered anyway with the failure reported.
This mechanism strengthens email transport security and reduces the risk of interception or manipulation during transmission between mail servers.
Advanced
MTA-STS policies define how strictly TLS enforcement is applied. The three modes include none, testing, and enforce. In enforce mode, sending servers must validate the TLS certificate and ensure the connection matches the policy before delivering the message. Testing mode allows monitoring without strict enforcement, enabling gradual rollout.
The policy file includes parameters such as version, mode, mx, and max_age. The mx field defines the authorised mail servers, while max_age determines how long sending servers cache the policy. Proper certificate management is critical, as expired or mismatched certificates can block email delivery under strict enforcement.
MTA-STS complements other protocols such as DANE but does not require DNSSEC. It is widely supported by major providers and is particularly relevant for organisations handling sensitive communications. Deployment requires coordination across DNS, web hosting for the policy file, and mail server configuration.
Relevance
- Enforces encrypted email transmission using TLS
- Protects against downgrade and interception attacks
- Strengthens overall email security posture
- Supports compliance for sensitive communications
Applications
- Securing email delivery between organisational mail servers
- Enforcing TLS for inbound email infrastructure
- Protecting business communications from interception
- Supporting regulatory and security requirements
Metrics
- TLS enforcement success rate in mail logs
- Percentage of encrypted email delivery
- Policy retrieval and validation success rates
- Delivery failures related to TLS enforcement
Issues
- Misconfigured policy blocking legitimate email delivery
- Expired or invalid TLS certificates causing rejection
- Incorrect MX definitions in policy leading to failures
- Lack of monitoring during rollout increasing risk
Example
A company publishes an MTA-STS policy in enforce mode and hosts it on a secure HTTPS endpoint. When external mail servers attempt to deliver email, they retrieve the policy and ensure the connection is encrypted and matches the defined MX servers. If a secure connection cannot be established, the message is not delivered, preventing potential interception.
