What is MTA-STS?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Your mail server talks to another mail server. That conversation happens over SMTP. Without protection, an attacker between them can strip encryption and force the email to travel unencrypted. That's the problem MTA-STS solves.

MTA-STS stands for Mail Transfer Agent Strict Transport Security. It's a simple declaration. You publish a policy on your domain that says "all mail servers delivering to me must use TLS encryption and a valid certificate." It's a way to prevent attackers from downgrading your connection to plain text, even if they're sitting in the middle.

How it works. You create a DNS TXT record and a policy file at https://mta-sts.[yourdomain]/.well-known/mta-sts.txt. When another mail server sends you email, it checks for that policy first. If it exists, the sending server enforces TLS. If TLS fails or the certificate is bad, it refuses to deliver instead of falling back to unencrypted email.

Important boundaries. MTA-STS is about server-to-server encryption in transit. It doesn't encrypt email content end-to-end. It doesn't help with sender authentication or spam filtering. Those are handled by SPF, DKIM, and DMARC. MTA-STS is purely about preventing transit downgrade attacks. You can also read more about STARTTLS.

Ready to implement it. Use our MTA-STS Checker to verify your policy is set up correctly and test that sending servers can find it.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get setup guidance for your domain

I read this on the Email Almanac about 'What is MTA-STS': MTA-STS lets you publish a policy declaring that all mail servers delivering to your domain must use TLS encryption and a valid certificate. It prevents attackers from downgrading your connection to plain text during server-to-server delivery. Help me understand if I need this: 1. Does my email platform or registrar support MTA-STS? 2. What's the difference between MTA-STS and other security measures I already have (SPF, DKIM, DMARC)? 3. Will MTA-STS improve my deliverability? 4. What happens if I implement it incorrectly?

Edit the yellow boxes, then send to the AI of your choice.