What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security protocol defined in RFC 8461. It allows domain owners to declare that their mail servers support TLS encryption and instruct sending servers to refuse to deliver email over unencrypted connections.
Without MTA-STS, even if your mail server supports TLS, a man-in-the-middle attacker could strip the TLS encryption during the SMTP handshake (a "downgrade attack"), causing email to be sent in plain text. MTA-STS prevents this by requiring sending servers to verify TLS before delivery.
How MTA-STS Works
- The domain owner publishes a TXT record at `_mta-sts.example.com` with the value `v=STSv1; id=20240101`.
- A policy file is hosted at `https://mta-sts.example.com/.well-known/mta-sts.txt`.
- The policy file specifies the mode (enforce/testing/none), the authorized MX hosts, and the cache duration (max_age).
- When a sending server wants to deliver email, it checks for the MTA-STS DNS record, fetches the policy, and follows its rules.
- In enforce mode, the sending server will reject delivery if it cannot establish a valid TLS connection to an authorized MX host.
MTA-STS Policy Modes
| Mode | Behaviour |
|---|---|
| enforce | Reject delivery if TLS connection fails. Full protection. |
| testing | Report failures via TLS-RPT but still deliver. For initial rollout. |
| none | Policy disabled. Used for decommissioning. |
TLS-RPT: Companion Reporting
MTA-STS is complemented by TLS-RPT (TLS Reporting, RFC 8460). By adding a TXT record at _smtp._tls.example.com, domain owners can receive daily reports about TLS connection successes and failures. This helps identify misconfigurations and potential attacks.
Example Policy File
```
version: STSv1
mode: enforce
mx: mail.example.com
mx: backup.example.com
max_age: 604800
```
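To make the steps above concrete, here is an added example (not from the original page or from Mailchk) that parses a policy file like the one shown and applies it the way a sending MTA would, including the RFC 8461 `*.` wildcard form of `mx` lines that the page does not mention. The sample policy text is constructed inline and the TLS result is passed in as a flag rather than taken from a real connection.

```python
# Constructed sample policy, identical in content to the page's example (not fetched from a live host).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: backup.example.com
max_age: 604800
"""

def parse_policy(text):
    """Parse an RFC 8461 policy file into a dict; every 'mx' line is collected into a list."""
    policy = {"mx": []}
    for line in filter(None, map(str.strip, text.splitlines())):  # skip blank lines
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid version/mode")
    policy["max_age"] = int(policy["max_age"])  # seconds the sender may cache this policy
    return policy

def mx_matches(policy, mx_host):
    """RFC 8461 mx matching: exact name, or a '*.' wildcard covering exactly one leading label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.example.com" -> ".example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy, mx_host, tls_ok):
    """Apply the policy the way a sending MTA does; returns (deliver, reason)."""
    if policy["mode"] == "none":
        return True, "policy disabled"
    problem = None if tls_ok else "TLS validation failed"
    if not mx_matches(policy, mx_host):
        problem = f"{mx_host} is not an authorized MX"
    if problem is None:
        return True, "ok"
    if policy["mode"] == "testing":
        return True, "testing mode: delivered, failure reported via TLS-RPT: " + problem
    return False, "enforce mode: delivery refused: " + problem
```

In enforce mode an unauthorized MX host or a failed TLS validation blocks delivery outright, while in testing mode the same failure is delivered and only surfaces in the TLS-RPT report, which is why the testing phase is where misconfigured MX lists are caught.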
Check your MTA-STS configuration with Mailchk's free MTA-STS Checker tool — verify DNS records, policy files, and TLS-RPT reporting.