How does it differ from STARTTLS opportunistic encryption?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

And Here's the key difference. With STARTTLS, your mail server asks the receiving server "Hey, can we encrypt this connection?" But if the receiving server says no (or an attacker blocks the request), your email goes through in plain text. It's opportunistic. It tries, but it doesn't require encryption.

MTA-STS changes the game. You publish a policy saying "My domain requires TLS. Period." Now when another server tries to deliver email to you, it checks your policy first. If encryption fails, the email bounces instead of being sent unencrypted. No fallback. No compromise.

Why does this matter? An attacker sitting between mail servers can actually strip out the STARTTLS offer, forcing a downgrade to plain text. They intercept the email mid-delivery. With MTA-STS, that attack doesn't work because the policy is published and signed by HTTPS. The attacker can't fake it.

Think of it this way. STARTTLS is asking nicely. MTA-STS is making a demand. You're telling the world your domain takes encryption seriously, and you're backing it up with a policy that any compliant mail server has to follow. If servers can't meet your requirement, delivery fails. That's actually safer than letting mail through unencrypted and hoping nobody's eavesdropping.

Next step: if you're running your own mail server or have control over your domain's email settings, check whether you've published an MTA-STS policy. Most major email providers now support it. Use our MTA-STS Checker to see if your domain has one live right now.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get personalized advice for your domain.

I read this about how MTA-STS differs from STARTTLS: "STARTTLS is opportunistic encryption. With it, your mail server asks the receiving server if they can encrypt. But if encryption fails, email goes through in plain text. MTA-STS publishes a policy requiring TLS. If encryption fails, delivery fails instead." Help me understand how this applies to my setup and what I should check: 1. Does my email provider support both STARTTLS and MTA-STS? 2. Should I publish an MTA-STS policy for my domain? 3. Are there any risks to enforcing MTA-STS? 4. How do I know if my policy is working? --- My details (fill in what applies): - Email platform/ESP: [e.g. Gmail, Mailchimp, SendGrid, Postmark, HubSpot, custom SMTP] - Domain(s) I control: your sending domain(s) - Sending volume: e.g. 5,000/month or 500/day - Domain registrar: e.g. GoDaddy, Cloudflare, Namecheap - DNS provider: same as registrar / Cloudflare / Route53 / other - Current records: SPF: yes/no, DKIM: yes/no, DMARC: yes/no - Have I published an MTA-STS policy yet: yes/no

Edit the yellow boxes, then send to the AI of your choice.