What Is MTA-STS? Why Your Domain Needs It
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that tells sending servers your domain requires TLS encryption for email delivery. Without MTA-STS, attackers can perform TLS downgrade attacks — intercepting the connection and forcing email to transmit in plaintext. MTA-STS publishes a policy via HTTPS that declares your mail servers require encrypted connections.
The Problem MTA-STS Solves
SMTP was designed in 1982 without encryption. STARTTLS was bolted on later, but it's opportunistic — meaning a man-in-the-middle attacker can strip the TLS upgrade and force plaintext transmission. The sender and receiver have no way to know the encryption was removed.
MTA-STS fixes this. It publishes a policy that says: "My mail servers support TLS. If you can't establish an encrypted connection, don't deliver the email."
How It Works
MTA-STS has two components:
1. DNS TXT Record — declares you have an MTA-STS policy:
Type: TXT
Host: _mta-sts
Value: v=STSv1; id=20260401
The id= value is a version string for the policy. Change it whenever you update the policy file — senders compare it against the id they cached and re-fetch the policy when it differs.
2. HTTPS Policy File — hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: *.yourdomain.com
max_age: 86400
The policy file tells senders which MX hosts to expect and that TLS is required.
Practitioner note: MTA-STS is the most underdeployed email security standard I encounter. Most domains have SPF, many have DMARC, but almost none have MTA-STS. It's low effort and high impact for inbound email security.
The Three Modes
| Mode | Behavior |
|---|---|
| testing | Log failures but still deliver email (use TLS-RPT to receive reports) |
| enforce | Reject delivery if TLS fails |
| none | Disable the policy |
Start with testing mode and TLS-RPT to identify any issues before switching to enforce.
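The following is an added example, not code from the original post: a small Python validator for the two components described under "How It Works" (the `_mta-sts` TXT record and the `mta-sts.txt` policy file) that then applies the three modes from the table to a single delivery attempt, the way a sending MTA would. The sample record and policy are constructed to mirror the ones shown above; the function names and the failure labels (`mx-host-not-in-policy`, `starttls-failed`, `certificate-invalid`) are this example's own and are not the names TLS-RPT reports use.

```python
import re

# Constructed sample inputs mirroring the records shown above (not fetched
# from any real domain).
SAMPLE_TXT_RECORD = "v=STSv1; id=20260401"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: *.yourdomain.com
max_age: 86400
"""
VALID_MODES = ("testing", "enforce", "none")

def parse_sts_txt_record(value: str) -> dict:
    """Parse the _mta-sts TXT record ('v=STSv1; id=...') into a dict.
    The id must be 1-32 alphanumeric characters; senders compare it with
    the cached value to decide whether the HTTPS policy needs re-fetching."""
    fields = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        fields[key.strip()] = val.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record is not an STSv1 record")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields

def parse_policy(text: str) -> dict:
    """Parse mta-sts.txt ('key: value' lines) and validate required fields."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, val = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, val = key.strip(), val.strip()
        if key == "mx":
            policy["mx"].append(val.lower().rstrip("."))
        else:
            policy[key] = val              # unknown keys are kept but ignored
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}")
    if not str(policy.get("max_age", "")).isdigit():
        raise ValueError("max_age must be a non-negative integer (seconds)")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required unless mode is none")
    return policy

def mx_matches(mx_host: str, pattern: str) -> bool:
    """Match an MX hostname against a policy mx pattern. A '*' only counts as
    the whole leftmost label and matches exactly one label: '*.yourdomain.com'
    covers 'mx1.yourdomain.com' but not 'a.b.yourdomain.com' or 'yourdomain.com'."""
    host = mx_host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not host.endswith("." + suffix):
            return False
        leftmost = host[: -(len(suffix) + 1)]
        return leftmost != "" and "." not in leftmost
    return host == pattern

def delivery_decision(policy: dict, mx_host: str, tls_ok: bool, cert_ok: bool):
    """Apply the policy mode to one delivery attempt. Returns (deliver, failure):
    deliver says whether to hand the message over; failure is a constructed
    reason label a testing-mode sender would put into its TLS-RPT report."""
    if policy["mode"] == "none":           # policy disabled: behave as if absent
        return True, None
    failure = None
    if not any(mx_matches(mx_host, p) for p in policy["mx"]):
        failure = "mx-host-not-in-policy"
    elif not tls_ok:
        failure = "starttls-failed"
    elif not cert_ok:
        failure = "certificate-invalid"
    if failure is None:
        return True, None
    if policy["mode"] == "enforce":        # refuse rather than fall back to plaintext
        return False, failure
    return True, failure                   # testing: deliver anyway, but report

if __name__ == "__main__":
    record = parse_sts_txt_record(SAMPLE_TXT_RECORD)
    policy = parse_policy(SAMPLE_POLICY)
    print("policy id", record["id"], "mode", policy["mode"], "mx", policy["mx"])
    for host, tls, cert in [("mail.yourdomain.com", True, True),
                            ("mx2.yourdomain.com", False, True),
                            ("relay.example.net", True, True)]:
        print(host, delivery_decision(policy, host, tls, cert))
```

Running the script prints the decision for three constructed attempts: a matching host with good TLS is delivered, a matching host whose STARTTLS failed is refused under `enforce`, and a host outside the `mx` list is refused even though its TLS worked. Swap `mode: enforce` for `mode: testing` in the sample and the same failures are delivered but reported, which is exactly why the testing phase paired with TLS-RPT surfaces misconfigured MX entries before `enforce` starts bouncing mail.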
What MTA-STS Doesn't Do
MTA-STS protects email in transit between servers. It doesn't:
- Authenticate the sender (that's DMARC)
- Encrypt email at rest
- Protect against compromised mail servers
- Replace end-to-end encryption (PGP/S/MIME)
Practitioner note: Think of MTA-STS as the email equivalent of HSTS for websites. Just like HSTS tells browsers to always use HTTPS, MTA-STS tells mail servers to always use TLS. Same concept, different protocol.
For help setting up MTA-STS along with the rest of your email security stack, get in touch.
Sources
- RFC 8461: SMTP MTA Strict Transport Security (MTA-STS)
- Google: MTA-STS and TLS Reporting
- NCSC UK: Email Security and Anti-Spoofing
v1.0 · April 2026
Frequently Asked Questions
What does MTA-STS stand for?
Mail Transfer Agent Strict Transport Security. It's defined in RFC 8461 and ensures email sent to your domain is encrypted in transit using TLS.
Do I need MTA-STS?
If you receive email on your domain and care about email privacy, yes. MTA-STS prevents man-in-the-middle attacks that downgrade SMTP connections from TLS to plaintext. It's especially important for domains handling sensitive communications.
Is MTA-STS the same as STARTTLS?
No. STARTTLS is the SMTP command that upgrades a connection to TLS, but it's opportunistic — an attacker can strip it. MTA-STS makes TLS mandatory by telling senders to refuse delivery if encryption fails.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.