
MTA-STS Complete Guide: Enforcing TLS for Email

Learn how to implement MTA-STS (Mail Transfer Agent Strict Transport Security) to enforce encrypted email delivery and prevent man-in-the-middle attacks.

MailSentinel Team (Author)

December 1, 2024 · 5 min read


MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending mail servers that they must use TLS when delivering email to your domain. Without MTA-STS, SMTP encryption is only opportunistic: a sender falls back to plaintext if STARTTLS is unavailable or stripped, so an attacker on the network path can intercept email through a man-in-the-middle attack.

What is MTA-STS?

MTA-STS is a security standard that:

  • Enforces TLS encryption for inbound email
  • Prevents downgrade attacks
  • Ensures secure email delivery
  • Provides reporting on failures

Why MTA-STS Matters

Without MTA-STS:

  • Senders may deliver email without encryption
  • Attackers can intercept emails in transit
  • Man-in-the-middle attacks are possible
  • No verification of your mail server identity

With MTA-STS:

  • Senders must use TLS
  • Delivery fails if no TLS is available
  • Encrypted delivery enforced
  • Certificate validation required

How MTA-STS Works

The Flow

  1. Sender queries your MTA-STS policy via HTTPS
  2. Policy specifies requirements: TLS version, certificate validation
  3. Sender validates your mail server certificate
  4. Sender delivers email over encrypted connection
  5. If TLS fails, sender reports (via TLS-RPT) or retries

Components

  1. DNS TXT record: Points to your policy
  2. Policy file: Hosted at well-known URL
  3. TLS-RPT (optional): Receive delivery failure reports

MTA-STS vs STARTTLS

Feature                 STARTTLS        MTA-STS
Encryption              Opportunistic   Enforced
Downgrade attacks       Vulnerable      Protected
Certificate validation  Optional        Required
Policy caching          No              Yes
Failure reporting       No              Yes (TLS-RPT)

Setting Up MTA-STS

Step 1: Verify Prerequisites

Requirements:

  • Valid TLS certificate for mail server
  • HTTPS capability on your domain
  • MX records pointing to your mail servers

Verify your mail server supports TLS:

openssl s_client -starttls smtp -connect mail.example.com:25

Step 2: Create MTA-STS Policy File

File location:

https://mta-sts.example.com/.well-known/mta-sts.txt

Policy content:

version: STSv1
mode: testing
mx: mail.example.com
mx: mail2.example.com
max_age: 604800

Policy parameters:

Parameter   Description                Values
version     Protocol version           STSv1
mode        Enforcement mode           none, testing, enforce
mx          Authorized mail servers    Your MX hostnames
max_age     Cache duration (seconds)   86400-31557600

Step 3: Host the Policy

Option A: Subdomain Setup

  1. Create subdomain: mta-sts.example.com
  2. Configure HTTPS with valid certificate
  3. Serve policy at /.well-known/mta-sts.txt

Option B: Redirect

Redirect from mta-sts.example.com to your main domain's well-known path.

Step 4: Add DNS Record

DNS TXT record:

Host: _mta-sts
Type: TXT
Value: v=STSv1; id=20241201000000

Important: Change the id whenever you update the policy.

Step 5: Test Your Implementation

Verification checklist:

  • DNS record resolves
  • Policy URL accessible via HTTPS
  • Policy syntax correct
  • MX hosts match your mail servers
  • TLS certificates valid
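A small validator for Steps 2 and 5, added here as an example (not the article's or MailSentinel's code): it parses a policy file, checks the fields against the parameter table above, and lists MX hosts from DNS that the policy's mx entries (exact name or a one-label "*." wildcard) would not cover. The policy text and the MX list are constructed sample data.

```python
# Added example, not from the article: parse an MTA-STS policy file, check its
# fields, and confirm every MX host seen in DNS is covered. Sample data is constructed.
VALID_MODES = {"none", "testing", "enforce"}

def parse_policy(text):
    """Parse 'key: value' lines; 'mx' may repeat, other keys appear once."""
    policy = {"mx": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    return policy

def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is usable."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        problems.append("mode must be none, testing or enforce")
    if not policy["mx"]:
        problems.append("at least one mx entry is required")
    age = policy.get("max_age", "")
    if not age.isdigit() or not 86400 <= int(age) <= 31557600:
        problems.append("max_age must be an integer in 86400-31557600")
    return problems

def mx_covered(mx_host, patterns):
    """Match an MX hostname exactly, or via a '*.example.com' wildcard (one label)."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            if host.split(".", 1)[1:] == [pat[2:]]:
                return True
        elif host == pat:
            return True
    return False

def uncovered_mx(policy, dns_mx_hosts):
    return [h for h in dns_mx_hosts if not mx_covered(h, policy["mx"])]

SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mail.example.com\nmx: *.backup.example.com\nmax_age: 604800\n"
SAMPLE_DNS_MX = ["mail.example.com", "mx2.backup.example.com", "relay.example.net"]
```

Any host returned by uncovered_mx would be refused by senders once the policy moves to enforce mode, so fix the policy (or the MX records) before changing the mode.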

MTA-STS Modes

Mode: none

mode: none

Effect: MTA-STS disabled

Use case: Temporarily disable during troubleshooting

Mode: testing

mode: testing

Effect:

  • Senders should attempt TLS
  • Failures reported but not blocked
  • Email still delivered on failure

Use case: Initial deployment, monitoring

Mode: enforce

mode: enforce

Effect:

  • Senders must use TLS
  • Failures cause non-delivery
  • Maximum security

Use case: Production deployment

Implementation Path

Week 1-2: Testing Mode

Deploy with mode: testing:

version: STSv1
mode: testing
mx: mail.example.com
max_age: 86400

Monitor:

  • TLS-RPT reports
  • Email delivery
  • Certificate issues

Week 3-4: Extended Testing

Increase cache duration:

version: STSv1
mode: testing
mx: mail.example.com
max_age: 604800

Verify:

  • No delivery issues
  • All mail servers covered
  • Certificates valid

Week 5+: Enforcement

Move to enforce mode:

version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800

Monitor continuously.

TLS-RPT: Failure Reporting

TLS-RPT (SMTP TLS Reporting) lets sending mail servers send you aggregate reports about TLS delivery failures to your domain.

Setting Up TLS-RPT

DNS TXT record:

Host: _smtp._tls
Type: TXT
Value: v=TLSRPTv1; rua=mailto:tls-reports@example.com

Report Contents

TLS-RPT reports include:

  • Sending domain
  • Receiving domain
  • Policy applied
  • Failure type
  • Failure count
  • Time period

Processing Reports

Reports are in JSON format:

{
  "organization-name": "Google",
  "date-range": {
    "start-datetime": "2024-01-01T00:00:00Z",
    "end-datetime": "2024-01-02T00:00:00Z"
  },
  "policies": [{
    "policy": {
      "policy-type": "sts",
      "policy-domain": "example.com"
    },
    "summary": {
      "total-successful-session-count": 1000,
      "total-failure-session-count": 5
    }
  }]
}
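The following is an added example (not the article's or MailSentinel's code) of processing such a report: it computes the failure rate per policy domain and maps each failure type to the part of the setup it points at, which is how the Common Issues below are usually diagnosed. The report is constructed sample data in the RFC 8460 layout; the "failure-details" array is what accompanies the "summary" block shown above, and the sender name, hostnames and counts are made up.

```python
import json
from collections import Counter
# Added example, not from the article: summarize a TLS-RPT JSON report and map each
# failure type to the part of the setup it points at. The report is constructed sample
# data in the RFC 8460 layout; "failure-details" accompanies the "summary" block above.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2024-12-01T00:00:00Z", "end-datetime": "2024-12-02T00:00:00Z"},
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com"},
        "summary": {"total-successful-session-count": 1000, "total-failure-session-count": 5},
        "failure-details": [
            {"result-type": "certificate-expired", "receiving-mx-hostname": "mail2.example.com",
             "failed-session-count": 3},
            {"result-type": "sts-policy-fetch-error", "receiving-mx-hostname": "mail.example.com",
             "failed-session-count": 2},
        ],
    }],
})
AREA = {  # the part of the setup each RFC 8460 result type usually implicates
    "starttls-not-supported": "mail server TLS configuration",
    "certificate-host-mismatch": "certificate does not cover the MX name",
    "certificate-expired": "certificate expired",
    "certificate-not-trusted": "certificate chain or issuing CA",
    "sts-policy-fetch-error": "policy hosting (HTTPS / .well-known path)",
    "sts-policy-invalid": "policy file syntax",
}

def summarize(report_json):
    """Per policy domain: session totals, failure rate and failures by (type, MX host)."""
    out = {}
    for entry in json.loads(report_json)["policies"]:
        s = entry["summary"]
        ok, bad = s["total-successful-session-count"], s["total-failure-session-count"]
        by_cause = Counter()
        for d in entry.get("failure-details", []):
            by_cause[(d["result-type"], d.get("receiving-mx-hostname", "?"))] += d["failed-session-count"]
        out[entry["policy"]["policy-domain"]] = {"ok": ok, "failed": bad, "by_cause": dict(by_cause),
                                                 "failure_rate": bad / (ok + bad) if ok + bad else 0.0}
    return out

def action_items(summary, max_rate=0.01):
    """One line per failure cause, plus a flag when the failure rate exceeds max_rate."""
    items = []
    for domain, info in summary.items():
        if info["failure_rate"] > max_rate:
            items.append(f"{domain}: failure rate {info['failure_rate']:.2%} exceeds {max_rate:.0%}")
        for (rtype, mx), n in sorted(info["by_cause"].items()):
            items.append(f"{domain}: {n} x {rtype} on {mx} -> check {AREA.get(rtype, 'sender side')}")
    return items
```

In the sample, the certificate-expired failures on mail2.example.com and the policy fetch errors show up as separate action items, which is the signal to fix the certificate on the backup MX and check the HTTPS policy host respectively.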

Common Issues

Issue 1: Policy Not Found

Symptoms:

  • MTA-STS lookup fails
  • No policy detected

Solutions:

  1. Verify subdomain mta-sts.example.com exists
  2. Check HTTPS certificate is valid
  3. Ensure /.well-known/mta-sts.txt path correct
  4. Verify DNS TXT record exists

Issue 2: Certificate Mismatch

Symptoms:

  • TLS failures in reports
  • Connection rejections

Solutions:

  1. Verify MX hostnames match certificate
  2. Check certificate chain is complete
  3. Ensure certificate not expired
  4. Use certificates from trusted CAs

Issue 3: MX Not Covered

Symptoms:

  • Some email fails
  • Partial delivery

Solutions:

  1. List ALL MX hosts in policy
  2. Include backup MX servers
  3. Verify no typos in hostnames

MTA-STS with Email Providers

Google Workspace

Google Workspace supports MTA-STS for custom domains once you publish the policy file and DNS record for your domain.

Microsoft 365

Microsoft supports MTA-STS for Exchange Online.

Self-Hosted

For self-hosted mail servers:

  1. Ensure TLS configured properly
  2. Use valid certificates
  3. Configure MTA-STS as described

Best Practices

Certificate Management

  • ✅ Use certificates from trusted CAs
  • ✅ Set up certificate monitoring
  • ✅ Renew before expiration
  • ✅ Test after renewal
  • ❌ Don't use self-signed certificates
  • ❌ Don't let certificates expire

Policy Management

  • ✅ Start with testing mode
  • ✅ Monitor TLS-RPT reports
  • ✅ Update id when changing policy
  • ✅ Cover all MX hosts
  • ❌ Don't enforce immediately
  • ❌ Don't forget backup MX servers

Monitoring

  • ✅ Set up TLS-RPT
  • ✅ Monitor delivery rates
  • ✅ Alert on failures
  • ✅ Regular testing

MTA-STS Tools

Our Tool

MTA-STS Lookup Tool

  • Check any domain's MTA-STS status
  • Validate policy syntax
  • Verify DNS configuration
