Does MTA-STS encrypt emails?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If you're wondering whether MTA-STS scrambles the words inside your emails, the answer's no. It doesn't encrypt the message itself. But it does encrypt the "pipe" your emails travel through.
Here's what it actually does. When your mail server sends an email to someone else's mail server, MTA-STS forces them to use TLS encryption for that connection. Think of it like sending a letter in a locked truck instead of an open envelope. The truck (the transport channel) is secure. But if someone opens that truck at the destination and reads the letter inside, it's still readable. That's what MTA-STS does. It secures the journey, not the message itself.
This matters because email travels through multiple hops. Your mail server sends to Gmail's server sends to Yahoo's server, and so on. Without encryption on these hops, attackers can intercept and read the message at any point. STARTTLS lets servers try to encrypt, but they can fall back to plain text if encryption fails. MTA-STS requires encryption for every hop. No fallback means no interception points.
If you actually want the email content itself encrypted so nobody (not even the recipient's mail server) can read it, that's different technology. You'd need end-to-end encryption like S/MIME or PGP. Those encrypt the message itself before it ever leaves your computer. That's a separate layer on top of transport encryption.
To check if your domain's MTA-STS setup is working and forcing transport encryption, use our MTA-STS Checker to verify your policy is published and active.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.