Email Authentication

MTA-STS — SMTP Strict Transport Security

Enforces encrypted TLS delivery for incoming emails to the domain.


What is MTA-STS

MTA-STS is a newer standard (RFC 8461, 2018) that enforces encrypted TLS delivery for emails arriving at your domain. Without MTA-STS, TLS between mail servers is only opportunistic, so an attacker with access to the network path can perform a downgrade attack and force sending servers to deliver emails in plaintext.

How it works

MTA-STS combines two things: a DNS TXT signal that says "I have a policy" and a policy file served over HTTPS.

  1. You publish a TXT record at _mta-sts.example.com containing the version and a policy id.
  2. You host a policy file at https://mta-sts.example.com/.well-known/mta-sts.txt.
  3. Sending servers fetch the policy over HTTPS (the HTTPS certificate authenticates the policy).
  4. They must then use TLS and verify the certificate of your mail servers before delivering.

Example

DNS TXT record:

_mta-sts.example.com.  IN  TXT  "v=STSv1; id=20250115T130000Z;"

Policy file (https://mta-sts.example.com/.well-known/mta-sts.txt):

version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mail.example.com
max_age: 604800

Modes

  • none — the policy is inactive, equivalent to not publishing one
  • testing — sending servers report failures but deliver normally (good for roll-out)
  • enforce — TLS is mandatory; if it cannot be established and verified, the email is not delivered
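As an added example that is not part of the original page, the following Python validates the TXT record and policy file shown above, applies the wildcard matching rule for mx entries, and maps the three modes onto what a policy-aware sender does. The sample inputs are constructed copies of the article's example; the function names are assumptions, not a library API.

```python
import re
TXT_RECORD = "v=STSv1; id=20250115T130000Z;"  # constructed sample, mirrors the article's example
POLICY_TEXT = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.mail.example.com\nmax_age: 604800\n"

def parse_txt_record(txt: str) -> dict:
    """Parse the _mta-sts TXT record: v=STSv1 must come first, id is 1-32 alphanumerics (RFC 8461)."""
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields or fields[0] != "v=STSv1":
        raise ValueError("TXT record must start with v=STSv1")
    kv = dict(f.split("=", 1) for f in fields)
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", kv.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return kv

def parse_policy(text: str) -> dict:
    """Parse the policy file; reject it unless version, mode, max_age and (outside mode none) mx are valid."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy version must be STSv1")
    if policy.get("mode") not in ("none", "testing", "enforce"):
        raise ValueError("mode must be none, testing or enforce")
    policy["max_age"] = int(policy["max_age"])  # KeyError/ValueError if missing or not an integer
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required unless mode is none")
    return policy

def mx_allowed(policy: dict, mx_host: str) -> bool:
    """True if the MX host is covered: a '*.' pattern matches exactly one leftmost label (RFC 8461)."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".mail.example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy: dict, mx_host: str, tls_verified: bool) -> str:
    """Sender behaviour per mode: none delivers anyway, testing delivers but reports, enforce withholds."""
    if policy["mode"] == "none" or (tls_verified and mx_allowed(policy, mx_host)):
        return "deliver"
    return "deliver+report" if policy["mode"] == "testing" else "do-not-deliver"
```

Running the parsers over your own published record and policy before switching from testing to enforce catches the typos (wrong version tag, a non-alphanumeric id, an mx pattern that does not cover a real MX host) that would otherwise stop inbound mail.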

Combining with TLS-RPT

MTA-STS works together with TLS-RPT so that you receive reports whenever a sending server fails to deliver email to you because of a TLS issue. This way you find out from the reports if something broke in a certificate or the TLS handshake.

Currently supported by Google, Microsoft, Yahoo, Comcast, and other major providers. If you operate a domain that sends important email (transactional, financial), it is worth enabling.

Related terms