MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard that helps ensure that emails are always transmitted between servers over an encrypted, secure connection.
MTA-STS allows a domain owner to publicly specify that connections to their email servers must only be made over a trusted TLS connection. If a secure connection cannot be established, the sending server must not deliver the message.
What is MTA-STS for?
MTA-STS makes the use of encrypted and trusted (TLS) connections mandatory for sending mail servers, provided that the sending server supports MTA-STS.
MTA-STS helps prevent delivery over unencrypted or untrusted connections because:
- a TLS connection is established between email servers
- the server certificate must be valid
- if a secure connection cannot be established, the message is not delivered
How does MTA-STS work?
MTA-STS uses two main components:
- DNS record – informs other servers that the domain uses an MTA-STS policy.
- Policy file over HTTPS – contains information about which servers are allowed to receive email for the domain and what security requirements apply.
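The two components can be shown in code. The following is an added example, not part of the original article or any provider's implementation: it parses a DNS record and a policy file and applies the delivery rule described above. Field names, the wildcard rule and the policy modes follow RFC 8461; the domain example.com, the sample record, the sample policy and all function names are constructed for illustration.

```python
# Constructed sample data; example.com is a placeholder domain.
SAMPLE_TXT = "v=STSv1; id=20240101T000000;"  # TXT record at _mta-sts.example.com
SAMPLE_POLICY = (  # served at https://mta-sts.example.com/.well-known/mta-sts.txt
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.mx.example.com\r\n"
    "max_age: 604800\r\n"
)

def parse_txt(record):
    """Return the policy id from the DNS TXT record, or None if it is not STSv1."""
    parts = [p.partition("=") for p in record.split(";") if p.strip()]
    fields = {k.strip(): v.strip() for k, _, v in parts}
    return fields.get("id") if fields.get("v") == "STSv1" else None

def parse_policy(text):
    """Parse 'key: value' lines; 'mx' may repeat, so it is collected as a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key == "mx":
            policy["mx"].append(value.lower())
        elif sep:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("not a valid STSv1 policy")
    policy["max_age"] = int(policy.get("max_age", ""))  # ValueError if missing
    return policy

def mx_allowed(policy, mx_host):
    """True if mx_host matches a policy pattern; '*' covers exactly one leftmost label."""
    host = mx_host.rstrip(".").lower()
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            parent = host.partition(".")[2]
            if parent and parent == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def may_deliver(policy, mx_host, tls_cert_valid):
    """Sending-server decision: in enforce mode a failed check blocks delivery."""
    ok = tls_cert_valid and mx_allowed(policy, mx_host)
    return ok or policy["mode"] != "enforce"
```

In "testing" mode the same checks run but a failure does not block delivery, which is why may_deliver only refuses when the mode is "enforce".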
MTA-STS complements other email security protocols
While SPF, DKIM, and DMARC protect the sender’s identity and prevent spoofing, MTA-STS protects the transport of messages between servers. MTA-STS does not replace SPF, DKIM, or DMARC, but rather complements them.
How to enable MTA-STS?
To enable MTA-STS, please contact our customer support.