What is MTA-STS?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Your mail server talks to another mail server. That conversation happens over SMTP. Without protection, an attacker between them can strip encryption and force the email to travel unencrypted. That's the problem MTA-STS solves.
MTA-STS stands for Mail Transfer Agent Strict Transport Security. It's a simple declaration. You publish a policy on your domain that says "all mail servers delivering to me must use TLS encryption and a valid certificate." It's a way to prevent attackers from downgrading your connection to plain text, even if they're sitting in the middle.
How it works. You create a DNS TXT record and a policy file at https://mta-sts.[yourdomain]/.well-known/mta-sts.txt. When another mail server sends you email, it checks for that policy first. If it exists, the sending server enforces TLS. If TLS fails or the certificate is bad, it refuses to deliver instead of falling back to unencrypted email.
Important boundaries. MTA-STS is about server-to-server encryption in transit. It doesn't encrypt email content end-to-end. It doesn't help with sender authentication or spam filtering. Those are handled by SPF, DKIM, and DMARC. MTA-STS is purely about preventing transit downgrade attacks. You can also read more about STARTTLS.
Ready to implement it. Use our MTA-STS Checker to verify your policy is set up correctly and test that sending servers can find it.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.