emailr_
All articles
explainer·7 min

MTA-STS explained: Strict transport security for email

securitymta-ststls

Summary

MTA-STS forces email servers to use encrypted connections when delivering mail to your domain. Without it, attackers can downgrade connections to plaintext and read everything in transit.

In 2015, researchers demonstrated something that should have terrified every company handling sensitive email: they could intercept emails between major corporations by exploiting a fundamental weakness in how email servers negotiate encryption. The attack was elegant in its simplicity. When two mail servers connect, they attempt to upgrade to an encrypted connection using STARTTLS. But if an attacker sits between them, they can simply strip out the encryption offer, forcing both servers to communicate in plaintext.

The servers don't complain. They don't alert anyone. They just shrug and send your confidential contracts, medical records, and financial statements across the internet in clear text, readable by anyone watching.

MTA-STS—Mail Transfer Agent Strict Transport Security—exists to prevent exactly this scenario.

The STARTTLS problem

To understand why MTA-STS matters, you need to understand how email encryption typically works—and why it's surprisingly fragile.

When your mail server wants to deliver an email to another domain, it connects to the recipient's mail server on port 25. This initial connection is unencrypted. The servers then negotiate: "Hey, do you support encryption?" If both sides agree, they upgrade to TLS and proceed securely.

This is called opportunistic encryption, and it has a fatal flaw. The negotiation happens over an unencrypted channel. An attacker performing a man-in-the-middle attack can intercept the "I support TLS" message and replace it with "I don't support TLS." Both servers think the other can't do encryption, so they proceed in plaintext.

This isn't theoretical. Security researchers have documented ISPs and nation-states actively performing these downgrade attacks. In some countries, it's routine. Your email might be encrypted when it leaves your server and encrypted when it arrives at the destination, but somewhere in the middle, someone read every word.

How MTA-STS fixes this

MTA-STS takes a simple approach: it lets domain owners publish a policy saying "always require TLS when delivering mail to us, and here's exactly which servers you should connect to."

The policy is published in two places. First, a DNS record announces that the domain uses MTA-STS. Second, a policy file hosted over HTTPS specifies the exact requirements. The HTTPS part is crucial—it means the policy itself is delivered over an encrypted, authenticated channel that can't be tampered with.

When a sending mail server wants to deliver to an MTA-STS-enabled domain, it first checks for the DNS record. If present, it fetches the policy file over HTTPS. The policy tells it: require TLS version 1.2 or higher, verify the certificate matches these patterns, and only connect to these specific mail servers.

If any of these requirements can't be met—if the connection can't be encrypted, if the certificate is invalid, if the server name doesn't match—the sending server refuses to deliver the email. It doesn't fall back to plaintext. It fails loudly.

Setting up MTA-STS

Implementing MTA-STS requires three components: a DNS record, a policy file, and a web server to host that policy.

The DNS record is a TXT record at _mta-sts.yourdomain.com. It looks like this: "v=STSv1; id=20240115". The 'id' field is a version identifier—you change it whenever you update your policy, which tells sending servers to fetch the new version.

The policy file lives at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. Note the subdomain—you need a valid HTTPS certificate for mta-sts.yourdomain.com. The file contains your policy in a simple text format.

A typical policy specifies the version, the mode (testing or enforce), the maximum age in seconds that senders should cache the policy, and the MX hostnames that are valid for your domain. The max_age is important—longer values mean better protection against attacks but slower recovery if you need to change something.

Testing vs enforcing mode

MTA-STS supports two modes, and the difference matters enormously.

In testing mode, sending servers fetch and evaluate your policy, but they don't actually enforce it. If a connection would fail the policy, they deliver the email anyway—but they send a report telling you what happened. This lets you identify problems before they cause delivery failures.

In enforce mode, the policy is mandatory. Connections that don't meet the requirements fail, and the email doesn't get delivered. This is real protection, but it's also real risk if your policy is wrong.

The smart approach is to start in testing mode with a short max_age. Monitor the reports for a few weeks. Look for legitimate mail servers that can't meet your requirements—maybe an old partner system with an outdated TLS implementation, or a misconfigured backup MX. Fix those issues, then switch to enforce mode with a longer max_age.

The reporting side: TLSRPT

MTA-STS works hand-in-hand with TLSRPT—TLS Reporting. This is a separate DNS record that tells sending servers where to send reports about TLS connection attempts.

The reports include successes and failures: which servers connected, what TLS version they used, whether certificate validation passed, and if anything failed, why. This visibility is invaluable. Without it, you're flying blind—you won't know if attackers are attempting downgrades, or if legitimate senders are having problems.

Setting up TLSRPT is simple: add a TXT record at _smtp._tls.yourdomain.com specifying where to send reports. You can receive them via email or HTTPS POST. Several services will aggregate and visualize these reports for you, making it much easier to spot patterns.

Common implementation mistakes

The most frequent MTA-STS mistake is certificate problems. Your mta-sts subdomain needs a valid certificate, and your mail servers need valid certificates with hostnames that match your policy. Let's Encrypt makes this easy, but you need to remember to include the mta-sts subdomain in your certificate renewal process.

Another common issue is MX record mismatches. Your MTA-STS policy lists specific hostnames, and your MX records need to match exactly. If your MX points to mail.example.com but your policy lists mx1.example.com, connections will fail in enforce mode.

Forgetting to update the policy ID trips people up too. When you change your policy file, you must also update the ID in your DNS record. Sending servers cache policies based on the ID—if you don't change it, they won't fetch your updates.

Finally, setting max_age too high too early is risky. If you publish a policy with a one-year max_age and then discover a problem, sending servers will enforce the broken policy for up to a year. Start with hours or days, not months.

MTA-STS vs DANE

You might have heard of DANE (DNS-based Authentication of Named Entities) as another solution to the same problem. Both prevent TLS downgrade attacks, but they work differently.

DANE uses DNSSEC to authenticate TLS certificates. It's arguably more elegant—everything lives in DNS, no web server needed. But DNSSEC adoption remains limited, and many DNS providers don't support it well. MTA-STS was designed as a more deployable alternative that works with existing infrastructure.

In practice, MTA-STS has seen much wider adoption. Google, Microsoft, and most major email providers support it. If you're choosing between them, MTA-STS is the pragmatic choice. If you're security-focused and already have DNSSEC, implementing both provides defense in depth.

Is it worth the effort?

MTA-STS requires more setup than a simple DNS record. You need to host a policy file, maintain certificates, monitor reports. Is it worth it?

If you handle sensitive email—financial services, healthcare, legal, or any business where email interception would be catastrophic—yes, absolutely. The attack it prevents is real and actively exploited. The setup cost is a few hours; the protection is ongoing.

For smaller organizations with less sensitive email, it's a judgment call. The good news is that as more domains adopt MTA-STS, the ecosystem becomes safer for everyone. Attackers can't selectively downgrade connections when most of the internet refuses to accept downgrades.

Frequently asked questions

Does MTA-STS protect email content end-to-end?

No. MTA-STS protects email in transit between mail servers, but the email is decrypted at each server. For true end-to-end encryption, you need S/MIME or PGP. MTA-STS and end-to-end encryption solve different problems and can be used together.

What happens if my MTA-STS policy file is unavailable?

If senders can't fetch your policy over HTTPS, they fall back to opportunistic encryption—the same as if you had no MTA-STS at all. This is why hosting reliability matters. Consider using a CDN or redundant hosting for the policy file.

Do all email providers support MTA-STS?

Most major providers do, including Gmail, Outlook, Yahoo, and others. However, some smaller or older mail servers don't. Check TLSRPT reports to see which senders are evaluating your policy.

Can MTA-STS cause email delivery failures?

In enforce mode, yes—that's the point. If a sending server can't establish a secure connection meeting your policy requirements, the email won't be delivered. This is why testing mode and monitoring are essential before enforcing.

e_

Written by the emailr team

Building email infrastructure for developers

Continue reading

explainer

What causes emails to go to spam?

10 minexplainer

What is SPF? Complete guide for developers

8 minexplainer

What is email spoofing and how to prevent it

8 min

Ready to start sending?

Get your API key and send your first email in under 5 minutes. No credit card required.

Get started for freeTalk to sales