What Is MTA-STS? How It Works & How to Set Up

Anjali Nair

A whopping 94% of organizations report facing incidents related to email security. While emails are still the backbone of today’s digital world, they are also vulnerable to sophisticated cyber threats. This is why it is essential to set up an effective email infrastructure consisting of various security protocols to counter these threats. You might have already heard about SMTP, DMARC, and DKIM. MTA-STS is another email security protocol that is designed to prevent issues such as man-in-the-middle (MITM) attacks and address longstanding vulnerabilities in email transmission.

This guide will help you understand what MTA-STS is, its key benefits, how it works, and how you can set it up for your domain.

What is MTA-STS?

MTA-STS (Mail Transfer Agent - Strict Transport Security) is a security protocol that ensures that emails are sent over an encrypted SMTP connection. It does this by requiring email servers to use transport layer security (TLS). MTA-STS therefore prevents unauthorized access to your emails in transit, a common threat on unsecured SMTP connections.

MTA-STS was developed to ensure that TLS is always used. Earlier, TLS was only opportunistic: the email was encrypted only if both the sending and receiving servers supported it. If either server did not support TLS, the email was sent in plain text, making it vulnerable to interception. With MTA-STS, sending servers can refuse to deliver the message to non-compliant receiving servers, so the email bounces instead of being sent unencrypted.

Advantages of MTA-STS

Implementing an MTA-STS policy offers the following key benefits for your domain.

  • Secure transmission: MTA-STS ensures that your emails are encrypted while being sent. If the encryption cannot happen due to the lack of compliance on the receiving server, the email bounces without being intercepted.
  • Protection against downgrade attacks: A downgrade attack is a cyber attack that forces a system to adopt a weaker security protocol, which can increase the vulnerability of your server. MTA-STS ensures that only strong, encrypted connections are used.
  • Smooth operation: After the initial set-up process, MTA-STS operates automatically and requires minimal maintenance while providing a strong layer of security for all your inbound emails.
  • Reliable communication: Since MTA-STS requires valid TLS certificates, it ensures that you are only communicating with legitimate servers. This reduces your exposure to phishing and spoofing attacks that rely on impersonating a mail server.

Key components of MTA-STS policy

Before we look at how MTA-STS actually works, let’s learn more about the policy itself. Here is an example of an MTA-STS policy file, which is a plain text file with one field per line.


version: STSv1
mode: enforce
max_age: 604800
mx: mail1.example.com
mx: mail2.example.com
mx: *.backup-mx.example.com

You can see the following key components in the above example.

  • Version: This field specifies the version of MTA-STS that is being used, such as “STSv1”.
  • Mode: This field indicates how the policy should be applied. There are three possible modes:
    • None: The policy is published but not enforced.
    • Testing: The policy is checked but not enforced. If there are TLS failures in this mode, they are reported, but emails will still get delivered.
    • Enforce: The policy is strictly applied.
  • Max_age: This field specifies how long the sending mail server should cache the policy. The value is given in seconds. Typically, this is set between one day (86400 seconds) and two weeks (1209600 seconds).
  • MX: This field lists the recipient’s mail exchange servers that support MTA-STS. Multiple MX fields can be specified in the policy and each MX entry should be its own line in the policy file.

How does MTA-STS work?

MTA-STS operates through the following key steps when a sender initiates the process of sending an email:


1. Policy discovery

The sending MTA performs a DNS lookup: it checks the receiving domain’s DNS records to see whether the domain has an MTA-STS policy. The policy is published as a TXT record in the domain's DNS zone under the name _mta-sts.<domain>. This TXT record contains a pointer to the HTTPS location where the actual MTA-STS policy is hosted.

2. Policy retrieval

The sending MTA retrieves the policy file from the specified HTTPS endpoint. The policy file is then parsed by the sending server to check the requirements outlined by the policy.

3. TLS enforcement

This is the step where the rules in the MTA-STS policy are enforced, given that the policy is in the “enforce” mode. The following aspects are verified in this step for the email to be delivered successfully:

  1. Ensuring that the connection is encrypted with TLS
  2. Validating the receiving server’s TLS certificate against policy requirements
  3. Confirming that the receiving server is on the approved MX host list

If any of these criteria are not met, then the email will not be delivered, and the sender will be notified that it has bounced.
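The following is an added example, not code from the article, that ties the policy fields described above to the three checks in the TLS-enforcement step: it parses a policy file (the article's sample policy is embedded as constructed input), matches the connected MX host against the policy's mx entries (a leading "*." wildcard covers exactly one DNS label), and returns the delivery decision a sending MTA would reach for each mode. The function and class names are my own; a real MTA obtains the TLS and certificate results from its SMTP session rather than from boolean arguments.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the policy shown in the article, one field per line.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
max_age: 604800
mx: mail1.example.com
mx: mail2.example.com
mx: *.backup-mx.example.com
"""

VALID_MODES = {"none", "testing", "enforce"}
# One DNS label: letters, digits and inner hyphens only, no dots.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


@dataclass
class Policy:
    mode: str
    max_age: int
    mx: list = field(default_factory=list)


def parse_policy(text: str) -> Policy:
    """Parse 'key: value' lines into a Policy; raise ValueError on bad input."""
    fields, mx_hosts = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "mx":                 # mx may repeat, one host per line
            mx_hosts.append(value.lower())
        elif key in fields:
            raise ValueError(f"duplicate field: {key}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode", "").lower()
    if mode not in VALID_MODES:
        raise ValueError(f"invalid mode: {fields.get('mode')!r}")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer (seconds)")
    if mode != "none" and not mx_hosts:
        raise ValueError("at least one mx entry is required")
    return Policy(mode=mode, max_age=int(fields["max_age"]), mx=mx_hosts)


def is_valid_policy(text: str) -> bool:
    """True when the text parses as a well-formed policy."""
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False


def mx_matches(pattern: str, host: str) -> bool:
    """Match a connected MX host against one policy entry.

    '*.' covers exactly one label: mail.backup-mx.example.com matches
    *.backup-mx.example.com, a.b.backup-mx.example.com does not.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not host.endswith("." + suffix):
            return False
        first_label = host[: -(len(suffix) + 1)]
        return LABEL_RE.match(first_label) is not None
    return pattern == host


def delivery_decision(policy: Policy, mx_host: str,
                      tls_established: bool, cert_valid: bool) -> str:
    """Return 'deliver', 'deliver-and-report' or 'bounce' for one attempt.

    The three checks are those of the TLS-enforcement step: the session is
    encrypted, the certificate validated, and the MX host is on the list.
    """
    failures = []
    if not tls_established:
        failures.append("no TLS")
    if not cert_valid:
        failures.append("certificate invalid")
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        failures.append("MX host not in policy")
    if not failures or policy.mode == "none":
        return "deliver"
    if policy.mode == "testing":
        return "deliver-and-report"  # failure is reported, mail still flows
    return "bounce"
```

Calling `delivery_decision(parse_policy(SAMPLE_POLICY), "mail1.example.com", False, True)` returns "bounce", while the same call against a copy of the policy in testing mode returns "deliver-and-report", which is the difference that makes testing mode safe to deploy first.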

4. Policy validation

The sending MTA periodically checks whether its cached MTA-STS policy is still current. If the max_age period of the policy has expired, the sending server re-fetches the policy to ensure it has the latest version. The same discovery and retrieval also happens for each new recipient domain the sending server interacts with. This keeps enforcement up to date with any changes in the recipient domain's security posture.

How to set up MTA-STS for your domain

MTA-STS requires a web server that supports HTTPS to host the policy, and mail servers that meet the following criteria:

  • The servers use a TLS connection for receiving emails
  • They use TLS version 1.2 or higher
  • They have valid TLS certificates that match the domain names used in your MX records

If these requirements are not met, the result is MTA-STS failures and bounced emails.

You can set up MTA-STS for your domain through the following key steps.


Step 1: Create the MTA-STS policy file

This step involves drafting your MTA-STS policy. Here, you create a text file with all the key components required for the policy.

Step 2: Publish the policy via DNS

You must then add the necessary DNS TXT record so that sending MTAs can discover and retrieve your policy.

Step 3: Test the policy

You can use online MTA-STS validators or send test emails to ensure that the policy is functioning correctly. Before starting the testing, make sure to set the mode to “testing” so that your email delivery is not affected during the testing phase.

Step 4: Monitor and update the policy

Once you have ensured that your policy works correctly, you can switch to the “enforce” mode. You must then regularly review and update your policy as needed, especially if you are facing delivery issues. At this stage, you may also set up TLS reporting if you wish to receive reports about policy failures.
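The DNS side of the four steps above, as an added configuration example that is not part of the article. Per RFC 8461 the TXT record at _mta-sts.<domain> carries a version and an id, and sending MTAs fetch the policy file (the one from the key components section) from https://mta-sts.<domain>/.well-known/mta-sts.txt, so the host mta-sts.<domain> needs a certificate valid for that exact name. The TLS reporting record follows RFC 8460. example.com, the address 203.0.113.10, the id string and the reporting mailbox are placeholders.

```zone
; Constructed zone fragment for example.com (placeholders throughout)

; Step 2: policy discovery record. Change the id every time the policy
; file changes, otherwise senders keep using the cached copy until max_age runs out.
_mta-sts.example.com.    IN TXT  "v=STSv1; id=20240101T000000;"

; Host that serves https://mta-sts.example.com/.well-known/mta-sts.txt
mta-sts.example.com.     IN A    203.0.113.10

; Step 4 (optional): TLS reporting, so senders tell you about policy failures
_smtp._tls.example.com.  IN TXT  "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
```

For step 3, publish the policy file with "mode: testing" first; once the TLS reports show no failures, switch the file to "mode: enforce" and bump the id so senders pick the change up.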

If you are using Google Workspace to set up MTA-STS, you can check out this detailed walkthrough.

Conclusion

As the adoption of MTA-STS grows, it promises to make email communication more secure and resistant to common attacks. However, it must be noted that MTA-STS is only a part of the larger email security puzzle. Other email security protocols such as DKIM, SPF, and DMARC are also vital to ensure a safer email ecosystem for everyone.

Overall, MTA-STS is a worthwhile investment for any organization prioritizing email security. You can also check out our detailed guide about email security to get a better understanding of how to secure your email communications.


FAQs

MTA-STS is compatible with most email servers. However, some older or less common servers might not recognize MTA-STS policies, which can lead to email delivery issues.

Both MTA-STS and DANE are email security protocols. However, while DANE (DNS-based Authentication of Named Entities) relies on DNSSEC (DNS Security Extensions) to secure DNS records, MTA-STS does not require DNSSEC. This makes MTA-STS easier to implement and more widely supported.

MTA-STS significantly reduces the risk of certain attacks such as MITM and downgrade attacks but it does not guarantee protection against all email threats such as phishing or spam. MTA-STS should be a part of a larger email security strategy.

No, MTA-STS is not mandatory. However, it is recommended that you set it up on your domain to protect you against MITM and downgrade attacks.

While MTA-STS offers significant security benefits, there might be some challenges that you need to keep in mind. These include the complexity of the setup process, reliance on DNS and HTTPS and the lack of universal compatibility.
