๐ Introduction
Traditional SMTP transmits email in plaintext, which makes it vulnerable to downgrade attacks, DNS spoofing, and man-in-the-middle (MITM) attacks. To strengthen email security, major providers like Google, Microsoft, and Yahoo introduced MTA-STS (Mail Transfer Agent โ Strict Transport Security).
The goal of MTA-STS is simple:
๐ Force all sending MTAs to use encrypted TLS with valid certificates, otherwise reject the delivery.
๐ What Is MTA-STS?
MTA-STS is a security policy that allows domain owners to declare that inbound email must use:
- TLS encryption
- Valid certificates (no self-signed or expired certs)
- No fallback to plaintext SMTP
If a secure TLS session cannot be established, the sending MTA will temporarily defer or reject the message instead of sending it insecurely.
๐งฉ Four Components of MTA-STS
1๏ธโฃ DNS TXT record
Announces that your domain uses MTA-STS:
_mta-sts.example.com. TXT "v=STSv1; id=20250101"
id is a version identifier and must be updated when policies change.
2๏ธโฃ HTTPS Endpoint
Senders download your STS policy from:
https://mta-sts.example.com/.well-known/mta-sts.txt
Requirements:
- Must use HTTPS
- Must have a valid public CA certificate
- Must be publicly accessible
3๏ธโฃ MTA-STS Policy File
Example:
version: STSv1
mode: enforce
mx: mail.example.com
mx: mx-backup.example.com
max_age: 604800
Parameter reference:
| Parameter | Meaning |
|---|---|
| version | Always STSv1 |
| mode | testing / enforce / none |
| mx | Authorized MX hosts |
| max_age | Cache duration in seconds |
4๏ธโฃ Sender MTA Cache
Sending MTAs cache STS policies to avoid DNS interception.
๐ How MTA-STS Works
- Sender checks
_mta-sts.example.comTXT - Downloads the HTTPS STS policy
- Validates MX hostnames
- Enforces TLS for delivery
- Validates certificate chain
- Caches the policy and completes delivery
If TLS negotiation or certificate validation fails, the sender will defer or reject delivery depending on the mode.
๐ MTA-STS vs TLS-RPT vs DANE
| Technology | Purpose | Pros | Cons |
|---|---|---|---|
| MTA-STS | Enforce TLS | No DNSSEC required, widely adopted | Needs HTTPS endpoint |
| TLS-RPT | TLS error reporting | Easy monitoring | Generates many reports |
| DANE | Certificate validation via DNSSEC | Extremely secure | DNSSEC is complex |
Most enterprises deploy:
๐ MTA-STS (enforce) + TLS-RPT
๐ How to Deploy MTA-STS
1๏ธโฃ Add DNS TXT
_mta-sts.example.com. TXT "v=STSv1; id=20250101"
2๏ธโฃ Create HTTPS endpoint
File path:
/var/www/mta-sts/.well-known/mta-sts.txt
3๏ธโฃ Create policy file
version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800
4๏ธโฃ Ensure MX servers use valid public CA TLS certificates
- Proper CN/SAN
- TLS 1.2 / 1.3 support
5๏ธโฃ (Recommended) Enable TLS-RPT
_smtp._tls.example.com. TXT "v=TLSRPTv1; rua=mailto:tls-rpt@example.com"
โ Common Mistakes
โ Certificate CN/SAN mismatch
โ Email rejected
โ Self-signed certificate
โ Delivery fails under enforce mode
โ Forgetting to update id
โ Policy will not refresh
โ Staying in “testing” mode
โ TLS is not enforced
๐ฏ Conclusion
MTA-STS is an essential security layer for any modern email system. It is easy to deploy, requires no DNSSEC, and is supported by all major providers. If you manage Postfix, Dovecot, or any enterprise mail infrastructure, enabling MTA-STS + TLS-RPT greatly enhances trust, security, and deliverability.