What is MTA-STS and how does it secure email in transit?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine two mail servers sending email to each other. By default, they try to encrypt that connection with TLS. But an attacker between them can intercept the negotiation and say "sorry, no TLS available." The connection downgrades to plain text, and your email travels unencrypted. MTA-STS stops that from happening.
Here's how it secures transit. Your domain publishes an MTA-STS policy that says "we require TLS." When another server sends you email, it reads your policy first. If TLS fails, isn't available, or the certificate is invalid, the sending server refuses to deliver rather than falling back to plain text. It's a hard requirement, not a suggestion.
What you're securing. This is in transit encryption between mail servers only. It doesn't encrypt email stored on disk, and it doesn't encrypt messages end-to-end from sender to final recipient. It's specifically about preventing attackers in the middle from downgrading your connection. Think of it like requiring a secure tunnel for mail to travel through.
What it doesn't do. MTA-STS doesn't verify who's sending the email. That's SPF and DKIM's job. It doesn't catch spam or phishing. It doesn't work with message signing. It's purely about the transport layer. You can also read more about STARTTLS.
Get it set up. Our MTA-STS Checker validates your policy file and DNS record, then tests that sending servers can fetch it. Check both to make sure you're actually protected.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.