What is MTA-STS? Setting the right MTA STS policy
Posted: Tue Apr 22, 2025 5:03 am
What is SMTP Mail Transfer Agent - Strict Transport Security (MTA-STS)?
MTA-STS is a well-known Internet standard that helps improve the security of connections between SMTP (Simple Mail Transfer Protocol) servers.
How does SMTP Mail Transfer Agent - Strict Transport Security (MTA-STS) improve security?
MTA-STS addresses the shortcomings of the existing SMTP approach to TLS encryption in transit. When SMTP was first specified in 1982, it contained no mechanism for transport-level security between mail transfer agents. In 1999 the STARTTLS command was added to SMTP; it supports encryption between servers by allowing a non-secure connection to be upgraded to a secure connection encrypted with the TLS protocol.
Why is there a need to move to MTA-STS?
STARTTLS is not perfect, and it fails to address two major issues. First, it is an optional measure, so STARTTLS does not protect against man-in-the-middle (MITM) attacks: a MITM attacker can simply alter the connection so that the upgrade to encryption never happens. Second, even when STARTTLS is implemented, it does not verify the identity of the sending server the way SMTP does; mail servers do not verify certificates.
How does MTA-STS work?
The MTA-STS protocol allows an SMTP client to verify the identity of a server and ensure that it is not connecting to an impostor by requiring the server to present its certificate fingerprint in the TLS handshake. The client then checks that certificate against a trust store of known server certificates.
What are the advantages of MTA-STS?
MTA-STS was introduced to close the security gap in SMTP communications. MTA-STS is a security standard that ensures secure transmission of email messages over encrypted SMTP connections. The abbreviation MTA stands for Message Transfer Agent, a program that transfers email messages between computers. The abbreviation STS stands for Strict Transport Security, the protocol used to implement the standard. An MTA-STS-aware message transfer agent (MTA) or secure message transfer agent (SMTA) operates in accordance with this specification to provide a secure end-to-end channel for sending email messages over an insecure network.
How is MTA-STS deployed?
The MTA-STS protocol is deployed through a DNS record that tells sending mail servers that a policy file can be obtained from a specific subdomain. The policy file is fetched over HTTPS and is verified with a certificate; it carries a list of the recipient domain's mail server names.
Which mail servers support MTA-STS?
Although some mail servers support MTA-STS, not all mail servers do. Major mail service providers, such as Microsoft, Oath, and Google, all support MTA-STS. Google's Gmail has recently adopted the MTA-STS strategy.
How to set up MTA-STS for your domain?
To set up MTA-STS for your domain, follow these steps: Once you have an active policy file, external mail servers will not allow access to email without a secure connection. The three available values for the MTA-STS policy mode are as follows: MTA-STS requires an HTTPS web server with a valid certificate, DNS records, and ongoing maintenance.

PowerDMARC's tools take care of all of this for you completely in the background, making your life much easier. Once we get you set up, you'll never have to think about it again. With PowerDMARC, you can deploy without having to deal with public certificates. We can help you get started today so you can quickly force email to be sent to your domain over TLS-encrypted connections and keep your connections secure from MITM and other network attacks.
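The deployment section above names the pieces (a DNS record, an HTTPS-served policy file, a policy mode, a list of mail server names) without showing them. The following is an added example, not code from the post or from PowerDMARC, that renders both artifacts for a domain, parses a policy back, and shows what a sending MTA decides for a given MX host under each mode. The record name `_mta-sts.<domain>`, the `v=STSv1; id=...` TXT format, the `/.well-known/mta-sts.txt` path, the three modes `none`, `testing` and `enforce`, the one-label `*.` wildcard rule and the `max_age` ceiling of 31557600 seconds all come from RFC 8461; `example.com` and the host names are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constants fixed by RFC 8461 (not stated on the forum page itself).
VALID_MODES = ("none", "testing", "enforce")
WELL_KNOWN_PATH = "/.well-known/mta-sts.txt"
MAX_AGE_CEILING = 31557600  # one year, the largest max_age the RFC allows


@dataclass
class Policy:
    mode: str
    mx: List[str]
    max_age: int


def render_dns_record(domain: str, policy_id: str) -> Tuple[str, str]:
    """TXT record that announces a policy; bump policy_id whenever the file changes."""
    return (f"_mta-sts.{domain}", f"v=STSv1; id={policy_id}")


def policy_url(domain: str) -> str:
    """Where senders fetch the policy (must be served over HTTPS with a valid cert)."""
    return f"https://mta-sts.{domain}{WELL_KNOWN_PATH}"


def render_policy(policy: Policy) -> str:
    """Serialize a Policy into the key: value text format of mta-sts.txt."""
    lines = ["version: STSv1", f"mode: {policy.mode}"]
    lines += [f"mx: {pattern}" for pattern in policy.mx]
    lines.append(f"max_age: {policy.max_age}")
    return "\n".join(lines) + "\n"


def parse_policy(text: str) -> Policy:
    """Parse and validate a policy file; raises ValueError on anything malformed."""
    mx: List[str] = []
    scalars = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        elif key in scalars:
            raise ValueError(f"duplicate key: {key}")
        else:
            scalars[key] = value
    if scalars.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    mode = scalars.get("mode")
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    try:
        max_age = int(scalars["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be a non-negative integer")
    if not 0 <= max_age <= MAX_AGE_CEILING:
        raise ValueError("max_age out of range")
    if mode != "none" and not mx:
        raise ValueError("testing/enforce policies need at least one mx entry")
    return Policy(mode, mx, max_age)


def policy_problem(text: str) -> Optional[str]:
    """Return the validation error for a policy text, or None if it is acceptable."""
    try:
        parse_policy(text)
        return None
    except ValueError as exc:
        return str(exc)


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 mx matching: exact match, or '*.' matching exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return pattern == hostname


def delivery_decision(policy: Policy, mx_host: str, tls_ok: bool) -> str:
    """What a policy-aware sender does for one MX host.

    tls_ok means STARTTLS succeeded and the certificate validated for mx_host.
    """
    if policy.mode == "none":
        return "deliver"
    if tls_ok and any(mx_matches(p, mx_host) for p in policy.mx):
        return "deliver"
    # Policy violation: testing mode still delivers but reports it (TLSRPT);
    # enforce mode refuses to send in the clear or to an unlisted host.
    return "deliver-but-report" if policy.mode == "testing" else "refuse"


if __name__ == "__main__":
    pol = Policy("enforce", ["mx1.example.com", "*.mail.example.com"], 86400)
    print(render_dns_record("example.com", "20250422T050300"))
    print(policy_url("example.com"))
    print(render_policy(pol))
```

A typical rollout publishes the policy in `testing` mode first, watches reports for senders that would have been refused, and only then switches to `enforce`; the `id` in the TXT record has to change at each step or senders will keep using the cached policy until `max_age` expires.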