What Is MTA-STS? How It Works & How to Set Up

Anjali Nair
ByAnjali Nair

6 mins read

A whopping 94% of organizations report facing incidents related to email security. While emails are still the backbone of today’s digital world, they are also vulnerable to sophisticated cyber threats. This is why it is essential to set up an effective email infrastructure consisting of various security protocols to counter these threats. You might have already heard about SMTP, DMARC, and DKIM. MTA-STS is another email security protocol that is designed to prevent issues such as man-in-the-middle (MITM) attacks and address longstanding vulnerabilities in email transmission.

This guide will help you understand what MTA-STS, is, its key benefits, how it works, and how you can set it up for your domain.

What is MTA-STS?

MTA-STS (Mail Transfer Agent - Strict Transport Security) is a security protocol that ensures that emails are sent over an encrypted SMTP connection. This is done by enforcing the use of transport layer security (TLS) by email servers. Therefore, MTA-STS prevents unauthorized access to your emails which is a common threat for unsecured SMTP networks.

MTA-STS was developed to ensure that TLS was always used. Earlier, TLS attempted to encrypt the email only if both the sending and receiving servers supported it. If either of these servers did not support TLS, the email would be sent as a plain text file, making it vulnerable to potential attacks. With MTA-STS, servers can refuse to deliver the message to non-compliant servers, resulting in the email being bounced.

Advantages of MTA-STS

Implementing an MTA-STS policy offers some crucial benefits for your domain. Take a look at the following key benefits it offers.

  • Secure transmission: MTA-STS ensures that your emails are encrypted while being sent. If the encryption cannot happen due to the lack of compliance on the receiving server, the email bounces without being intercepted.
  • Protection against downgrade attacks: A downgrade attack is a cyber attack that forces a system to adopt a weaker security protocol, which can increase the vulnerability of your server. MTA-STS ensures that only strong, encrypted connections are used.
  • Smooth operation: After the initial set-up process, MTA-STS operates automatically and requires minimal maintenance while providing a strong layer of security for all your inbound emails.
  • Reliable communication: Since MTA-STS requires mandatory TLS certificates, it ensures that you are only communicating with legitimate sources. This reduces your vulnerability to phishing and spoofing attacks.

Key components of MTA-STS policy

Before we understand how MTA-STS actually works, let’s learn more about the policy. Here is an example of an MTA-STS file, which is a TXT file.


version: STSv1

mode: enforce

max_age: 604800

mx: mail1.example.com

mx: mail2.example.com

mx: *.backup-mx.example.com

You can see the following key components in the above example.

  • Version: This field specifies the version of MTA-STS that is being used, such as “STSv1”.
  • Mode: This field indicates how the policy should be applied. There are three possible modes:
    • None: The policy is published but not enforced.
    • Testing: The policy is checked but not enforced. If there are TLS failures in this mode, they are reported, but emails will still get delivered.
    • Enforce: The policy is strictly applied.
  • Max_age: This field specifies how long the policy should be cached by sending mail server. This is usually indicated in seconds. Typically, this is set between one day (86400 seconds) and two weeks (1209600 seconds).
  • MX: This field lists the recipient’s mail exchange servers that support MTA-STS. Multiple MX fields can be specified in the policy and each MX entry should be its own line in the policy file.

How does MTA-STS work?

MTA-STS operates through the following key steps when a sender initiates the process of sending an email:

How does MTA-STS work_.png

1. Policy discovery

The sending MTA performs a DNS lookup, i.e., it checks the receiving domain’s DNS records to check if the domain has an MTA-STS policy. The policy is published as a TXT record in the domain's DNS zone under the name _mta-sts.<domain>. This TXT record contains a pointer to the HTTPS location where the actual MTA-STS policy is hosted.

2. Policy retrieval

The sending MTA retrieves the policy file from the specified HTTPS endpoint. The policy file is then parsed by the sending server to check the requirements outlined by the policy.

3. TLS enforcement

This is the step where the rules in the MTA-STS policy are enforced, given that the policy is in the “enforce” mode. The following aspects are verified in this step for the email to be delivered successfully:

  1. Ensuring that the connection is encrypted with TLS
  2. Validating the receiving server’s TLS certificate against policy requirements
  3. Confirming that the receiving server is on the approved MX host list

If any of these criteria are not met, then the email will not be delivered, and the sender will be notified that it has bounced.

4. Policy validation

The MTA periodically checks if the MTA-STS policy is up-to-date. If the max_age period of the policy has expired, the sending server re-fetches the policy to ensure it has the latest version. The process also happens with each new email domain that the sending server interacts with. This helps maintain ongoing security and adapt to any changes in the recipient domain's security posture.

How to set up MTA-STS for your domain

MTA-STS can be set up on any web server that supports HTTPS and meets the following criteria:

  • The server uses a TLS connection for transmitting emails
  • It uses a TLS version 1.2 or higher
  • It has valid TLS certificates that match the domain name used by the server in your MX records

If you do not meet these requirements, it can lead to MTA-STS failures and emails getting bounced.

You can set up MTA-STS for your domain through the following key steps.

How to set up MTA-STS for your domain.png

Step 1: Create the MTA-STS policy file

This step involves drafting your MTA-STS policy. Here, you create a text file with all the key components required for the policy.

Step 2: Publish the policy via DNS

You must then add the necessary DNS TXT record so that sending MTAs can discover and retrieve your policy.

Step 3: Test the policy

You can use online MTA-STS validators or send test emails to ensure that the policy is functioning correctly. Before starting the testing, make sure to set the mode to “testing” so that your email delivery is not affected during the testing phase.

Step 4: Monitor and update the policy

Once you have ensured that your policy works correctly, you can switch to the “enforce” mode. You must then regularly review and update your policy as needed, especially if you are facing delivery issues. At this stage, you may also set up TLS reporting if you wish to receive reports about policy failures.

If you are using Google Workspace to set up MTA-STS, you can check out this detailed walkthrough.

Conclusion

As the adoption of MTA-STS grows, it promises to make email communication more secure and resistant to common attacks. However, it must be noted that MTA-STS is only a part of the larger email security puzzle. Other email security protocols such as DKIM, SPF, and DMARC are also vital to ensure a safer email ecosystem for everyone.

Overall, MTA-STS is a worthwhile investment for any organization prioritizing email security. You can also check out our detailed guide about email security to get a better understanding on how to better secure your email communications.

.

FAQs

MTA-STS is compatible with most email servers. However, some older or less common servers might not recognize MTA-STS policies, which can lead to email delivery issues.

Both MTA-STS and DANE are email security protocols. However, while DANE (DNS-based Authentication of Named Entities) relies on DNSSEC (DNS Security Extensions) to secure DNS records, MTA-STS does not require DNSSEC. This makes MTA-STS easier to implement and more widely supported.

MTA-STS significantly reduces the risk of certain attacks such as MITM and downgrade attacks but it does not guarantee protection against all email threats such as phishing or spam. MTA-STS should be a part of a larger email security strategy.

No, MTA-STS is not mandatory. However, it is recommended that you set it up on your domain to protect you against MITM and downgrade attacks.

While MTA-STS offers significant security benefits, there might be some challenges that you need to keep in mind. These include the complexity of the setup process, reliance on DNS and HTTPS and the lack of universal compatibility.

What should you do next?

You made it till the end! Here's what you can do next to grow your business:

2_1_27027d2b7d
Get smarter with email resources

Free guides, ebooks, and other resources to master email marketing.

1_2_69505430ad
Do interactive email marketing with Mailmodo

Send forms, carts, calendars, games and more within your emails to boost ROI.

3_1_3e1f82b05a
Consult an email expert

30-min free email consultation with an expert to fix your email marketing.

Table of contents

chevron-down
What is MTA-STS?
Advantages of MTA-STS
Key components of MTA-STS policy
How does MTA-STS work?
How to set up MTA-STS for your domain
Conclusion

Fresh Marketing Ideas, Every Week.

Get the latest marketing roundup & news

Get 3X email conversion
with Mailmodo

Check.svg

Create & send interactive emails without coding

Check.svg

Put revenue on auto-pilot with pre-built journeys

Check.svg

Save time with AI-powered email content creation

Experience world’s only interactive email marketing platform

Trusted by 10000+ brands

Group_1110166020_1_6fb9f2bd9a
Group_1110165532_1_bf39ce18b3
Ellipse_Gradientbottom_Bg
Ellipse_GradientLeft_Top
gradient_Right