Quick Answer

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard that tells sending servers they must use encrypted TLS connections when delivering email to your domain. Without MTA-STS, a man-in-the-middle attacker can downgrade the connection to plaintext and read emails in transit. MTA-STS prevents this by publishing a policy via HTTPS that mandates TLS and specifies which MX hosts are valid.

What Is MTA-STS? (Mail Transfer Agent Strict Transport Security)

By Braedon · Mailflow Authority · definitions

MTA-STS in 30 Seconds

MTA-STS prevents email from being delivered in plaintext. Even if your mail server supports TLS, without MTA-STS an attacker can intercept the connection and strip the encryption. MTA-STS tells sending servers: "If you can't connect securely with a valid certificate, don't deliver at all."

The Problem MTA-STS Solves

SMTP was designed without encryption. STARTTLS was added later, but it's opportunistic — if a man-in-the-middle strips the STARTTLS capability from the server's EHLO response, the sending server falls back to plaintext without knowing anything went wrong.

MTA-STS fixes this by publishing an out-of-band policy (over HTTPS, not SMTP) that tells senders TLS is required.

How MTA-STS Works

DNS Record at _mta-sts.example.com:

v=STSv1; id=20260401

Policy File at https://mta-sts.example.com/.well-known/mta-sts.txt:

version: STSv1
mode: enforce
mx: mail.example.com
mx: backup.example.com
max_age: 604800

  • mode: — enforce (mandatory TLS) or testing (report but don't block)
  • mx: — valid MX hostnames (must match your MX records)
  • max_age: — how long senders cache the policy (in seconds)
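To show what a sending server (or your own pre-deployment check) actually does with these two artifacts, here is an added example in Python. It is not code from the article or from any mail provider; it parses the TXT record and the policy file, applies the field constraints from RFC 8461 (STSv1 version, alphanumeric id, max_age cap of 31557600 seconds, one-label wildcard matching for mx patterns), and confirms that every real MX host is covered by an mx line. The record, policy and MX list are constructed samples that mirror the ones above.

```python
"""Parse and sanity-check an MTA-STS TXT record and policy file.

Added example (not from the original article). Field rules follow
RFC 8461; the sample inputs are constructed to match the text above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the TXT record published at _mta-sts.example.com
SAMPLE_TXT = "v=STSv1; id=20260401"

# Constructed sample: body of https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: backup.example.com
max_age: 604800
"""

# Constructed sample: the domain's MX hostnames as DNS would return them
SAMPLE_MX_RECORDS = ["mail.example.com", "backup.example.com"]

MAX_AGE_LIMIT = 31557600            # RFC 8461 upper bound (about one year)
VALID_MODES = {"enforce", "testing", "none"}


@dataclass
class Policy:
    version: str = ""
    mode: str = ""
    mx: list = field(default_factory=list)
    max_age: int = -1


def parse_txt_record(txt: str) -> dict:
    """Split 'v=STSv1; id=...' into a dict and check the required fields."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed TXT field: {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must begin with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text: str) -> Policy:
    """Parse the 'key: value' lines of the policy file."""
    policy = Policy()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "version":
            policy.version = value
        elif key == "mode":
            policy.mode = value
        elif key == "mx":
            policy.mx.append(value.lower())
        elif key == "max_age":
            policy.max_age = int(value)
        # Unknown keys are ignored so future extensions do not break parsing
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """A leading '*.' matches exactly one label: '*.example.com' covers
    'mail.example.com' but not 'a.b.example.com' or 'example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def validate(txt: str, policy_text: str, mx_records: list) -> list:
    """Return a list of problems; an empty list means the policy looks sane."""
    problems = []
    try:
        parse_txt_record(txt)
    except ValueError as e:
        problems.append(f"dns: {e}")
    policy = parse_policy(policy_text)
    if policy.version != "STSv1":
        problems.append("policy: version must be STSv1")
    if policy.mode not in VALID_MODES:
        problems.append(f"policy: unknown mode {policy.mode!r}")
    if policy.max_age < 0 or policy.max_age > MAX_AGE_LIMIT:
        problems.append("policy: max_age missing or above the RFC 8461 limit")
    if policy.mode != "none" and not policy.mx:
        problems.append("policy: at least one mx line is required")
    # An MX host missing from the policy is one senders will refuse in enforce mode
    for host in mx_records:
        if not any(mx_matches(p, host) for p in policy.mx):
            problems.append(f"mx record {host} is not covered by the policy")
    return problems


if __name__ == "__main__":
    print(validate(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX_RECORDS))   # prints []
```

The most common real-world mistake this catches is the last check: an MX host added later (or a backup MX hosted elsewhere) that the policy never lists, which in enforce mode makes compliant senders defer mail to that host.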

MTA-STS + TLS Reporting

MTA-STS pairs with TLS-RPT (TLS Reporting). Add a DNS record to receive reports about TLS connection failures:

_smtp._tls.example.com TXT "v=TLSRPTv1; rua=mailto:[email protected]"

These reports tell you when senders couldn't connect securely — essential for monitoring MTA-STS enforcement.

Practitioner note: MTA-STS is the most overlooked email security standard. Everyone focuses on SPF, DKIM, and DMARC, but those protect the sender's identity — MTA-STS protects the message content in transit. If you handle sensitive data, you need it.

Practitioner note: Start with mode: testing and monitor TLS-RPT reports for 2 weeks. If any legitimate sender can't connect via TLS, you'll break their email delivery when you switch to enforce mode.
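Reading the TLS-RPT reports mentioned above is what makes the testing period useful, so here is an added example, in Python, of turning one aggregate report into counts. This is not code from the article or from any provider; the report is a constructed sample in the JSON shape RFC 8460 defines (organization-name, policies, summary, failure-details), and the result types it contains (certificate-host-mismatch, starttls-not-supported) are ones the RFC enumerates. The summarizer groups failed sessions by result type and by receiving MX host, which is exactly what you need to decide whether switching from testing to enforce would break delivery.

```python
"""Summarize a TLS-RPT aggregate report (RFC 8460 JSON).

Added example (not from the original article). SAMPLE_REPORT is a
constructed report of the kind a sender mails to the rua address.
"""
import json
from collections import Counter

SAMPLE_REPORT = json.dumps({
    "organization-name": "Constructed Sender Inc",
    "date-range": {"start-datetime": "2026-04-01T00:00:00Z",
                   "end-datetime": "2026-04-01T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "constructed-report-0001",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-string": ["version: STSv1", "mode: testing",
                              "mx: mail.example.com",
                              "mx: backup.example.com",
                              "max_age: 604800"],
            "policy-domain": "example.com",
        },
        "summary": {"total-successful-session-count": 1180,
                    "total-failure-session-count": 20},
        "failure-details": [
            {"result-type": "certificate-host-mismatch",
             "sending-mta-ip": "203.0.113.10",
             "receiving-mx-hostname": "backup.example.com",
             "failed-session-count": 18},
            {"result-type": "starttls-not-supported",
             "sending-mta-ip": "203.0.113.11",
             "receiving-mx-hostname": "backup.example.com",
             "failed-session-count": 2},
        ],
    }],
})


def summarize(report_json: str) -> dict:
    """Collapse one report into counts a mail admin can act on."""
    report = json.loads(report_json)
    by_result, by_host = Counter(), Counter()
    successes = failures = 0
    for entry in report.get("policies", []):
        # TLS-RPT also reports on DANE; only the MTA-STS policy matters here
        if entry.get("policy", {}).get("policy-type") != "sts":
            continue
        s = entry.get("summary", {})
        successes += s.get("total-successful-session-count", 0)
        failures += s.get("total-failure-session-count", 0)
        for d in entry.get("failure-details", []):
            n = d.get("failed-session-count", 0)
            by_result[d.get("result-type", "unknown")] += n
            by_host[d.get("receiving-mx-hostname", "unknown")] += n
    return {
        "reporter": report.get("organization-name"),
        "successes": successes,
        "failures": failures,
        "by_result_type": dict(by_result),
        "by_receiving_host": dict(by_host),
    }


def failing_hosts(summary: dict) -> list:
    """MX hosts with any failed TLS session; fix these before enforce mode."""
    return sorted(h for h, n in summary["by_receiving_host"].items() if n > 0)


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(s)
    print("hosts to fix before enforce:", failing_hosts(s))
```

In the constructed sample every failure lands on backup.example.com: a certificate that does not match the hostname and a small number of sessions where STARTTLS was not offered at all. Both are the kind of problem that is harmless in testing mode and becomes deferred or bounced mail the day the policy says enforce.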

For the complete setup process, read the MTA-STS setup guide.

Want MTA-STS configured for your domain? Schedule a consultation — I'll set up the DNS records, host the policy, and configure TLS reporting.


v1.0 · April 2026

Frequently Asked Questions

How does MTA-STS work?

You publish a DNS TXT record at _mta-sts.example.com announcing MTA-STS support and host a policy file at https://mta-sts.example.com/.well-known/mta-sts.txt. The policy lists your valid MX hosts and specifies 'enforce' or 'testing' mode. Sending servers check this policy and refuse to deliver over unencrypted connections.

What's the difference between MTA-STS and STARTTLS?

STARTTLS upgrades a connection to TLS but is opportunistic — if the upgrade fails, email sends in plaintext. MTA-STS makes TLS mandatory. If the sending server can't establish TLS with a valid certificate, it holds the email rather than sending it unencrypted.

Do I need MTA-STS if I already have TLS?

Yes. Having TLS on your mail server isn't enough because STARTTLS is opportunistic. An attacker between the sender and your server can strip the STARTTLS command, forcing plaintext delivery. MTA-STS prevents this downgrade attack.

Which providers support MTA-STS?

Gmail, Microsoft 365, Yahoo, and most major providers support sending to MTA-STS-enforcing domains. Google Workspace and Microsoft 365 also support publishing MTA-STS policies for your domain.

Is MTA-STS hard to set up?

It requires a DNS record, an HTTPS-hosted policy file, and a valid TLS certificate on your MX hosts. The setup is straightforward but the HTTPS hosting requirement means you need a web server at mta-sts.example.com. Most providers can handle this via existing infrastructure.

Want this handled for you?

Free 30-minute strategy call. Walk away with a plan either way.