How does it differ from STARTTLS opportunistic encryption?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
And Here's the key difference. With STARTTLS, your mail server asks the receiving server "Hey, can we encrypt this connection?" But if the receiving server says no (or an attacker blocks the request), your email goes through in plain text. It's opportunistic. It tries, but it doesn't require encryption.
MTA-STS changes the game. You publish a policy saying "My domain requires TLS. Period." Now when another server tries to deliver email to you, it checks your policy first. If encryption fails, the email bounces instead of being sent unencrypted. No fallback. No compromise.
Why does this matter? An attacker sitting between mail servers can actually strip out the STARTTLS offer, forcing a downgrade to plain text. They intercept the email mid-delivery. With MTA-STS, that attack doesn't work because the policy is published and signed by HTTPS. The attacker can't fake it.
Think of it this way. STARTTLS is asking nicely. MTA-STS is making a demand. You're telling the world your domain takes encryption seriously, and you're backing it up with a policy that any compliant mail server has to follow. If servers can't meet your requirement, delivery fails. That's actually safer than letting mail through unencrypted and hoping nobody's eavesdropping.
Next step: if you're running your own mail server or have control over your domain's email settings, check whether you've published an MTA-STS policy. Most major email providers now support it. Use our MTA-STS Checker to see if your domain has one live right now.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.